From ff8823d03cef50cb3a78f13a35558288e54c2173 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Thu, 31 Oct 2019 13:50:36 -0400
Subject: dos: Account rejection in hs_dos_can_send_intro2

This required a small refactoring so we could count properly the INTRO2 sending disallow.

Part of #31371

Signed-off-by: David Goulet
---
 src/feature/hs/hs_dos.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

(limited to 'src/feature')

diff --git a/src/feature/hs/hs_dos.c b/src/feature/hs/hs_dos.c
index 19794e09d3..81041475e8 100644
--- a/src/feature/hs/hs_dos.c
+++ b/src/feature/hs/hs_dos.c
@@ -45,6 +45,9 @@
 * introduction DoS defense. Disabled by default. */
 #define HS_DOS_INTRODUCE_ENABLED_DEFAULT 0
 
+/* INTRODUCE2 rejected request counter. */
+static uint64_t intro2_rejected_count = 0;
+
 /* Consensus parameters. The ESTABLISH_INTRO DoS cell extension have higher
 * priority than these values. If no extension is sent, these are used only by
 * the introduction point. */
@@ -163,12 +166,12 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
 * This can be set by the consensus, the ESTABLISH_INTRO cell extension or
 * the hardcoded values in tor code. */
 if (!s_intro_circ->introduce2_dos_defense_enabled) {
- return true;
+ goto allow;
 }
 
 /* Should not happen but if so, scream loudly. */
 if (BUG(TO_CIRCUIT(s_intro_circ)->purpose != CIRCUIT_PURPOSE_INTRO_POINT)) {
- return false;
+ goto disallow;
 }
 
 /* This is called just after we got a valid and parsed INTRODUCE1 cell. The
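Review bot: The `goto disallow;` on the BUG() purpose check routes an internal-invariant failure down the same path as a token-bucket rejection, so once the hunk at `@@ -189,7 +192,18 @@` increments `intro2_rejected_count` under that label, a circuit of the wrong purpose reaching this function is reported as a DoS-rejected INTRODUCE2. If the counter is meant to measure rate limiting only, keep `return false;` on the BUG branch rather than `goto disallow;`; if counting it is intended, record that next to the counter declaration in the `@@ -45,6 +45,9 @@` hunk, e.g. `/* Counts INTRO2 rejections from the token bucket and from the purpose sanity check. */`. hs_dos_can_send_intro2 begins before this hunk and continues after it.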
@@ -189,7 +192,18 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
 }
 
 /* Finally, we can send a new INTRODUCE2 if there are still tokens. */
- return token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0;
+ if (token_bucket_ctr_get(&s_intro_circ->introduce2_bucket) > 0) {
+ goto allow;
+ }
+
+ /* Fallthrough is to disallow since this means the bucket has reached 0. */
+ disallow:
+ /* Increment stats counter, we are rejecting the INTRO2 cell. */
+ intro2_rejected_count++;
+ return false;
+
+ allow:
+ return true;
 }
 
 /* Initialize the onion service Denial of Service subsystem. */
-- cgit v1.2.3-54-g00ecf

From e85f86bb7b676435b2eb11006f111f6e45b8d252 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Thu, 31 Oct 2019 13:57:14 -0400
Subject: dos: Add HS DoS INTRO2 rejected stats in heartbeat

The DoS heartbeat now contains the number of rejected INTRODUCE2 cell that the relay has seen.

Closes #31371

Signed-off-by: David Goulet
---
 src/core/or/dos.c | 13 +++++++++++--
 src/feature/hs/hs_dos.c | 7 +++++++
 src/feature/hs/hs_dos.h | 3 +++
 3 files changed, 21 insertions(+), 2 deletions(-)

(limited to 'src/feature')

diff --git a/src/core/or/dos.c b/src/core/or/dos.c
index 5f9bbf90ab..8cfea910b8 100644
--- a/src/core/or/dos.c
+++ b/src/core/or/dos.c
@@ -15,6 +15,7 @@
 #include "core/or/channel.h"
 #include "core/or/connection_or.h"
 #include "core/or/relay.h"
+#include "feature/hs/hs_dos.h"
 #include "feature/nodelist/networkstatus.h"
 #include "feature/nodelist/nodelist.h"
 #include "feature/relay/routermode.h"
@@ -629,6 +630,7 @@ dos_log_heartbeat(void)
 char *cc_msg = NULL;
 char *single_hop_client_msg = NULL;
 char *circ_stats_msg = NULL;
+ char *hs_dos_intro2_msg = NULL;
 
 /* Stats number coming from relay.c append_cell_to_circuit_queue(). */
 tor_asprintf(&circ_stats_msg,
@@ -654,17 +656,24 @@ dos_log_heartbeat(void)
 num_single_hop_client_refused);
 }
 
+ /* HS DoS stats. */
+ tor_asprintf(&hs_dos_intro2_msg,
+ " %" PRIu64 " INTRODUCE2 rejected.",
+ hs_dos_get_intro2_rejected_count());
+
 log_notice(LD_HEARTBEAT,
- "DoS mitigation since startup:%s%s%s%s",
+ "DoS mitigation since startup:%s%s%s%s%s",
 circ_stats_msg,
 (cc_msg != NULL) ? cc_msg : " [cc not enabled]",
 (conn_msg != NULL) ? conn_msg : " [conn not enabled]",
- (single_hop_client_msg != NULL) ? single_hop_client_msg : "");
+ (single_hop_client_msg != NULL) ? single_hop_client_msg : "",
+ (hs_dos_intro2_msg != NULL) ? hs_dos_intro2_msg : "");
 
 tor_free(conn_msg);
 tor_free(cc_msg);
 tor_free(single_hop_client_msg);
 tor_free(circ_stats_msg);
+ tor_free(hs_dos_intro2_msg);
 
 return;
 }
diff --git a/src/feature/hs/hs_dos.c b/src/feature/hs/hs_dos.c
index 81041475e8..d36ee97e6b 100644
--- a/src/feature/hs/hs_dos.c
+++ b/src/feature/hs/hs_dos.c
@@ -206,6 +206,13 @@ hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
 return true;
 }
 
+/* Return rolling count of rejected INTRO2. */
+uint64_t
+hs_dos_get_intro2_rejected_count(void)
+{
+ return intro2_rejected_count;
+}
+
 /* Initialize the onion service Denial of Service subsystem. */
 void
 hs_dos_init(void)
diff --git a/src/feature/hs/hs_dos.h b/src/feature/hs/hs_dos.h
index ccf4e27179..b9e39aca4e 100644
--- a/src/feature/hs/hs_dos.h
+++ b/src/feature/hs/hs_dos.h
@@ -24,6 +24,9 @@ void hs_dos_consensus_has_changed(const networkstatus_t *ns);
 bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ);
 void hs_dos_setup_default_intro2_defenses(or_circuit_t *circ);
 
+/* Statistics. */
+uint64_t hs_dos_get_intro2_rejected_count(void);
+
 #ifdef HS_DOS_PRIVATE
 
 #ifdef TOR_UNIT_TESTS
-- cgit v1.2.3-54-g00ecf
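Review bot: The `(hs_dos_intro2_msg != NULL) ? hs_dos_intro2_msg : ""` guard in the log_notice call is inconsistent with `circ_stats_msg`, which is passed unguarded even though both strings are produced by an unconditional `tor_asprintf()` in this function; the `[cc not enabled]` and `[conn not enabled]` fallbacks exist because those messages are only built inside a condition. Either pass `hs_dos_intro2_msg,` directly, matching `circ_stats_msg`, or, if the guard is meant to survive a later conditional build of the message, say so with a one-line comment above the tor_asprintf call. dos_log_heartbeat begins before this hunk.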
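Review bot: The comment `/* Return rolling count of rejected INTRO2. */` on hs_dos_get_intro2_rejected_count() describes the value as rolling, but `intro2_rejected_count` is a file-static uint64_t that these commits only ever increment and nothing in the visible hunks resets, so the value is cumulative since process start, which is also how the heartbeat message labels it. Suggest `/* Return the number of INTRODUCE2 cells rejected by hs_dos_can_send_intro2() since startup. Never reset. */` here, and the same wording in the hs_dos.h hunk in place of the bare `/* Statistics. */`.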