authorDavid Goulet <dgoulet@torproject.org>2018-01-25 16:14:40 -0500
committerDavid Goulet <dgoulet@torproject.org>2018-01-30 09:18:15 -0500
commit97abb3543b858afd27ed857903814175c1dfbf12 (patch)
tree42c655269bb1fd4c6e9d881163d9af731e5f032f /src/or/dos.h
parentc05272783d0164363023ddd4b3ee93c2e12c8911 (diff)
dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has arrived. The statistics are updated accordingly and the IP address can also be marked as malicious if it is above threshold. At this commit, no defense is applied, just detection with a circuit creation token bucket system. Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/dos.h')
-rw-r--r--src/or/dos.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/or/dos.h b/src/or/dos.h
index 3cc10d3f99..bb8d7d1a79 100644
--- a/src/or/dos.h
+++ b/src/or/dos.h
@@ -80,6 +80,8 @@ typedef enum dos_cc_defense_type_t {
DOS_CC_DEFENSE_MAX = 2,
} dos_cc_defense_type_t;
+void dos_cc_new_create_cell(channel_t *channel);
+
/*
* Concurrent connection DoS mitigation interface.
*/
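Review bot: The new `dos_cc_new_create_cell(channel_t *channel)` prototype, added just before the concurrent-connection section, has no comment stating its contract, and a caller in the cell-handling path cannot tell from the header what it may pass. I would add something like `/* Called for every CREATE cell received on channel: updates the circuit creation stats of the peer address and may mark it; detection only, no defense is applied here. */` above it. The comment should also say whether the function itself ignores channels that are not client connections or have no usable remote address, or whether the caller must filter them first. That filtering is not visible in this header, and counting CREATE cells from other relays against the threshold would flag legitimate peers. If the implementation only reads the channel, `const channel_t *` would express that in the signature, though this cannot be confirmed from the hunk.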
@@ -112,6 +114,10 @@ STATIC uint32_t get_param_cc_circuit_burst(const networkstatus_t *ns);
STATIC uint32_t get_param_cc_min_concurrent_connection(
const networkstatus_t *ns);
+STATIC uint32_t get_circuit_rate_per_second(void);
+STATIC void cc_stats_refill_bucket(cc_client_stats_t *stats,
+ const tor_addr_t *addr);
+
MOCK_DECL(STATIC unsigned int, get_param_cc_enabled,
(const networkstatus_t *ns));
MOCK_DECL(STATIC unsigned int, get_param_conn_enabled,