authorDavid Goulet <dgoulet@torproject.org>2018-01-30 09:33:12 -0500
committerDavid Goulet <dgoulet@torproject.org>2018-01-30 09:33:12 -0500
commitcd81403cc0d73d53cb7f3650b38d49c54100af25 (patch)
tree5ea4f0c626ad082fb195a478614f67dff1a7b386 /src/or/or.h
parent03ab24b44cd148263cfb2b801cba35489e3852c1 (diff)
parent9aca7d47306222f2870ec16a7291a8215d6c3316 (diff)
Merge branch 'ticket24902_029_05' into ticket24902_033_02
Diffstat (limited to 'src/or/or.h')
-rw-r--r--src/or/or.h33
1 files changed, 33 insertions, 0 deletions
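diff --git a/src/or/or.h b/src/or/or.h
index c81e29c95c..0436533a96 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1636,6 +1636,10 @@ typedef struct or_connection_t {
 /** True iff this connection has had its bootstrap failure logged with
 * control_event_bootstrap_problem. */
 unsigned int have_noted_bootstrap_problem:1;
+ /** True iff this is a client connection and its address has been put in the
+ * geoip cache and handled by the DoS mitigation subsystem. We use this to
+ * insure we have a coherent count of concurrent connection. */
+ unsigned int tracked_for_dos_mitigation : 1;
 uint16_t link_proto; /**< What protocol version are we using? 0 for
 * "none negotiated yet." */
@@ -4701,6 +4705,35 @@ typedef struct {
 * running embedded inside another process.
 */
 int DisableSignalHandlers;
+
+ /** Autobool: Is the circuit creation DoS mitigation subsystem enabled? */
+ int DoSCircuitCreationEnabled;
+ /** Minimum concurrent connection needed from one single address before any
+ * defense is used. */
+ int DoSCircuitCreationMinConnections;
+ /** Circuit rate used to refill the token bucket. */
+ int DoSCircuitCreationRate;
+ /** Maximum allowed burst of circuits. Reaching that value, the address is
+ * detected as malicious and a defense might be used. */
+ int DoSCircuitCreationBurst;
+ /** When an address is marked as malicous, what defense should be used
+ * against it. See the dos_cc_defense_type_t enum. */
+ int DoSCircuitCreationDefenseType;
+ /** For how much time (in seconds) the defense is applicable for a malicious
+ * address. A random time delta is added to the defense time of an address
+ * which will be between 1 second and half of this value. */
+ int DoSCircuitCreationDefenseTimePeriod;
+
+ /** Autobool: Is the DoS connection mitigation subsystem enabled? */
+ int DoSConnectionEnabled;
+ /** Maximum concurrent connection allowed per address. */
+ int DoSConnectionMaxConcurrentCount;
+ /** When an address is reaches the maximum count, what defense should be
+ * used against it. See the dos_conn_defense_type_t enum. */
+ int DoSConnectionDefenseType;
+
+ /** Autobool: Do we refuse single hop client rendezvous? */
+ int DoSRefuseSingleHopClientRendezvous;
 } or_options_t;
 #define LOG_PROTOCOL_WARN (get_protocol_warning_severity_level())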
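Review bot: The new or_options_t fields in the second hunk document purpose but not units or accepted ranges, which matters for tunables that gate a defensive response: `DoSCircuitCreationRate` does not say what the rate is measured per (presumably circuits per second, to be confirmed against the token-bucket refill code), `DoSCircuitCreationBurst` and `DoSConnectionMaxConcurrentCount` do not say whether 0 is a valid value, and the three autobool fields do not say what "auto" resolves to. Once the unit is confirmed, the rate comment should read `/** Circuit rate used to refill the token bucket, in circuits per second. */`, and the time-period comment already sets the pattern with its "(in seconds)". Both hunks also carry wording slips worth fixing in the same pass: `insure` → `ensure` and `concurrent connection` → `concurrent connections` in the first hunk, `malicous` → `malicious` and `When an address is reaches` → `When an address reaches` in the second, and `tracked_for_dos_mitigation : 1` is spaced unlike the neighbouring `have_noted_bootstrap_problem:1`. Both typedef structs begin outside their hunks.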