| field | value | date |
|---|---|---|
| author | David Goulet <dgoulet@torproject.org> | 2018-01-25 15:54:58 -0500 |
| committer | David Goulet <dgoulet@torproject.org> | 2018-01-30 09:18:15 -0500 |
| commit | 64149353dda6336488e7d011534a7132b3f01acc (patch) | |
| tree | 13a89db732985554b68897d6e9225f678980cc67 /src/or/or.h | |
| parent | 93b826faaa7cca351c68256ce60a7f7e6c5fda5b (diff) | |
| download | tor-64149353dda6336488e7d011534a7132b3f01acc.tar.gz tor-64149353dda6336488e7d011534a7132b3f01acc.zip | |
dos: Initial code of Denial of Service mitigation
This commit introduces the src/or/dos.{c|h} files that contain the code for
the Denial of Service mitigation subsystem. It currently contains basic
functions to initialize and free the subsystem. They are used at this commit.
The torrc options and consensus parameters are defined at this commit and
getters are implemented.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/or.h')
| -rw-r--r-- | src/or/or.h | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/src/or/or.h b/src/or/or.h index 75a02a531e..2cf9e97356 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -4510,6 +4510,36 @@ typedef struct { /** If 1, we skip all OOS checks. */ int DisableOOSCheck; + + /** Autobool: Is the circuit creation DoS mitigation subsystem enabled? */ + int DoSCircuitCreationEnabled; + /** Minimum concurrent connection needed from one single address before any + * defense is used. */ + int DoSCircuitCreationMinConnections; + /** Circuit rate, in tenths of a second, that is used to refill the token + * bucket at this given rate. */ + int DoSCircuitCreationRateTenths; + /** Maximum allowed burst of circuits. Reaching that value, the address is + * detected as malicious and a defense might be used. */ + int DoSCircuitCreationBurst; + /** When an address is marked as malicous, what defense should be used + * against it. See the dos_cc_defense_type_t enum. */ + int DoSCircuitCreationDefenseType; + /** For how much time (in seconds) the defense is applicable for a malicious + * address. A random time delta is added to the defense time of an address + * which will be between 1 second and half of this value. */ + int DoSCircuitCreationDefenseTimePeriod; + + /** Autobool: Is the DoS connection mitigation subsystem enabled? */ + int DoSConnectionEnabled; + /** Maximum concurrent connection allowed per address. */ + int DoSConnectionMaxConcurrentCount; + /** When an address is reaches the maximum count, what defense should be + * used against it. See the dos_conn_defense_type_t enum. */ + int DoSConnectionDefenseType; + + /** Autobool: Do we refuse single hop client rendezvous? */ + int DoSRefuseSingleHopClientRendezvous; } or_options_t; /** Persistent state for an onion router, as saved to disk. */ |
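Review bot: the doc comments on the new or_options_t fields carry typos and one ambiguous unit that should be fixed before this header lands. `When an address is marked as malicous` (DoSCircuitCreationDefenseType) should read `malicious`, `When an address is reaches the maximum count` (DoSConnectionDefenseType) should read `When an address reaches the maximum count`, and `Minimum concurrent connection needed from one single address` should be `connections`. The comment on DoSCircuitCreationRateTenths, `Circuit rate, in tenths of a second, that is used to refill the token bucket`, reads as a time interval rather than a rate; stating the unit explicitly (whether it is tenths of a circuit per second added to the bucket, or a refill interval) avoids a unit mix-up when the option is parsed and compared against the burst value. Since DoSCircuitCreationEnabled, DoSConnectionEnabled and DoSRefuseSingleHopClientRendezvous are autobools stored as int, and the commit message says consensus parameters are defined alongside the torrc options, the comments would also be clearer if they said which source wins when the torrc value is left at auto.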