diff options
Diffstat (limited to 'src/core/or/dos.h')
-rw-r--r-- | src/core/or/dos.h | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/src/core/or/dos.h b/src/core/or/dos.h index b3eca058b8..6dcfa3cb94 100644 --- a/src/core/or/dos.h +++ b/src/core/or/dos.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2018-2020, The Tor Project, Inc. */ +/* Copyright (c) 2018-2021, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /* @@ -9,7 +9,11 @@ #ifndef TOR_DOS_H #define TOR_DOS_H -/* Structure that keeps stats of client connection per-IP. */ +#include "core/or/or.h" + +#include "lib/evloop/token_bucket.h" + +/* Structure that keeps stats of circuit creation per client connection IP. */ typedef struct cc_client_stats_t { /* Number of allocated circuits remaining for this address. It is * decremented every time a new circuit is seen for this client address and @@ -28,13 +32,28 @@ typedef struct cc_client_stats_t { time_t marked_until_ts; } cc_client_stats_t; +/* Structure that keeps stats of client connection per-IP. */ +typedef struct conn_client_stats_t { + /* Concurrent connection count from the specific address. 2^32 - 1 is most + * likely way too big for the amount of allowed file descriptors. */ + uint32_t concurrent_count; + + /* Connect count from the specific address. We use a token bucket here to + * track the rate and burst of connections from the same IP address.*/ + token_bucket_ctr_t connect_count; + + /* The client address attempted too many connections, per the connect_count + * rules, and thus is marked so defense(s) can be applied. It is + * synchronized using the approx_time(). */ + time_t marked_until_ts; +} conn_client_stats_t; + /* This object is a top level object that contains everything related to the * per-IP client DoS mitigation. Because it is per-IP, it is used in the geoip * clientmap_entry_t object. */ typedef struct dos_client_stats_t { - /* Concurrent connection count from the specific address. 2^32 is most - * likely way too big for the amount of allowed file descriptors. */ - uint32_t concurrent_count; + /* Client connection statistics. */ + conn_client_stats_t conn_stats; /* Circuit creation statistics. This is only used if the circuit creation * subsystem has been enabled (dos_cc_enabled). */ @@ -51,6 +70,7 @@ void dos_free_all(void); void dos_consensus_has_changed(const networkstatus_t *ns); int dos_enabled(void); void dos_log_heartbeat(void); +void dos_geoip_entry_init(struct clientmap_entry_t *geoip_ent); void dos_geoip_entry_about_to_free(const struct clientmap_entry_t *geoip_ent); void dos_new_client_conn(or_connection_t *or_conn, @@ -102,6 +122,16 @@ dos_cc_defense_type_t dos_cc_get_defense_type(channel_t *chan); #define DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100 /* DoSConnectionDefenseType maps to the dos_conn_defense_type_t enum. */ #define DOS_CONN_DEFENSE_TYPE_DEFAULT DOS_CONN_DEFENSE_CLOSE +/* DoSConnectionConnectRate default. Per second. */ +#define DOS_CONN_CONNECT_RATE_DEFAULT 20 +/* DoSConnectionConnectBurst default. Per second. */ +#define DOS_CONN_CONNECT_BURST_DEFAULT 40 +/* DoSConnectionConnectDefenseTimePeriod default. Set to 24 hours. */ +#define DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT (24 * 60 * 60) +/* DoSCircuitCreationDefenseTimePeriod minimum value. Because we add a random + * offset to the marked timestamp, we need the minimum value to be non zero. + * We consider that 10 seconds is an acceptable lower bound. */ +#define DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_MIN (10) /* Type of defense that we can use for the concurrent connection DoS * mitigation. */ @@ -125,6 +155,7 @@ STATIC uint32_t get_param_conn_max_concurrent_count( STATIC uint32_t get_param_cc_circuit_burst(const networkstatus_t *ns); STATIC uint32_t get_param_cc_min_concurrent_connection( const networkstatus_t *ns); +STATIC uint32_t get_param_conn_connect_burst(const networkstatus_t *ns); STATIC uint64_t get_circuit_rate_per_second(void); STATIC void cc_stats_refill_bucket(cc_client_stats_t *stats, |