From cd7be492d1b70df50b4e35df5cc595490f912c9a Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Thu, 27 Oct 2022 09:54:54 -0400
Subject: relay: Add DoS subsystem stats to MetricsPort

Related to #40194

Signed-off-by: David Goulet
---
 src/core/or/dos.c | 42 +++++++++++++++++++++++++
 src/core/or/dos.h | 7 +++++
 src/feature/relay/relay_metrics.c | 65 +++++++++++++++++++++++++++++++++++++++
 src/feature/relay/relay_metrics.h | 2 ++
 4 files changed, 116 insertions(+)
(limited to 'src')
diff --git a/src/core/or/dos.c b/src/core/or/dos.c
index 560abd7691..5bf7d148d7 100644
--- a/src/core/or/dos.c
+++ b/src/core/or/dos.c
@@ -581,6 +581,48 @@ dos_is_enabled(void)
 /* Circuit creation public API. */
+/** Return the number of rejected circuits. */
+uint64_t
+dos_get_num_cc_rejected(void)
+{
+ return cc_num_rejected_cells;
+}
+
+/** Return the number of marked addresses. */
+uint32_t
+dos_get_num_cc_marked_addr(void)
+{
+ return cc_num_marked_addrs;
+}
+
+/** Return the number of marked addresses due to max queue limit reached. */
+uint32_t
+dos_get_num_cc_marked_addr_maxq(void)
+{
+ return cc_num_marked_addrs_max_queue;
+}
+
+/** Return number of concurrent connections rejected. */
+uint64_t
+dos_get_num_conn_addr_rejected(void)
+{
+ return conn_num_addr_rejected;
+}
+
+/** Return the number of connection rejected. */
+uint64_t
+dos_get_num_conn_addr_connect_rejected(void)
+{
+ return conn_num_addr_connect_rejected;
+}
+
+/** Return the number of single hop refused. */
+uint64_t
+dos_get_num_single_hop_refused(void)
+{
+ return num_single_hop_client_refused;
+}
+
 /* Called when a CREATE cell is received from the given channel. */
 void
 dos_cc_new_create_cell(channel_t *chan)
diff --git a/src/core/or/dos.h b/src/core/or/dos.h
index b6412f4280..4a2227f132 100644
--- a/src/core/or/dos.h
+++ b/src/core/or/dos.h
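Review bot: The doc comment on `dos_get_num_cc_rejected()` says it returns rejected circuits, but the function returns `cc_num_rejected_cells`, which by its name counts cells; since the value is exported to operators as a metric, the comment should state exactly what is counted, e.g. `/** Return the number of cells rejected by the circuit creation defense. */`. The comments on `dos_get_num_conn_addr_rejected()` and `dos_get_num_conn_addr_connect_rejected()` are nearly interchangeable, and each should name the limit it reports on (the labels used later in relay_metrics.c, `concurrent_conn_rejected` and `conn_rejected`, suggest the distinction). The counters themselves are declared outside this hunk, so the `uint32_t` and `uint64_t` return types should be checked against those declarations.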
@@ -84,6 +84,13 @@ int dos_should_refuse_single_hop_client(void);
 void dos_note_refuse_single_hop_client(void);
 void dos_note_circ_max_outq(const channel_t *chan);
+uint32_t dos_get_num_cc_marked_addr(void);
+uint32_t dos_get_num_cc_marked_addr_maxq(void);
+uint64_t dos_get_num_cc_rejected(void);
+uint64_t dos_get_num_conn_addr_rejected(void);
+uint64_t dos_get_num_conn_addr_connect_rejected(void);
+uint64_t dos_get_num_single_hop_refused(void);
+
 /*
 * Circuit creation DoS mitigation subsystemn interface.
 */
diff --git a/src/feature/relay/relay_metrics.c b/src/feature/relay/relay_metrics.c
index 814afa6006..e9f4b68350 100644
--- a/src/feature/relay/relay_metrics.c
+++ b/src/feature/relay/relay_metrics.c
@@ -13,6 +13,7 @@
 #include "core/or/or.h"
 #include "core/mainloop/connection.h"
 #include "core/or/congestion_control_common.h"
+#include "core/or/dos.h"
 #include "core/or/relay.h"
 #include "lib/malloc/malloc.h"
@@ -20,6 +21,7 @@
 #include "lib/metrics/metrics_store.h"
 #include "lib/log/util_bug.h"
+#include "feature/hs/hs_dos.h"
 #include "feature/relay/relay_metrics.h"
 #include "feature/stats/rephist.h"
@@ -30,6 +32,7 @@ static void fill_cc_values(void);
 static void fill_connections_values(void);
 static void fill_dns_error_values(void);
 static void fill_dns_query_values(void);
+static void fill_dos_values(void);
 static void fill_global_bw_limit_values(void);
 static void fill_socket_values(void);
 static void fill_onionskins_values(void);
@@ -113,6 +116,13 @@ static const relay_metrics_entry_t base_metrics[] =
 .help = "Congestion control related counters",
 .fill_fn = fill_cc_values,
 },
+ {
+ .key = RELAY_METRICS_NUM_DOS,
+ .type = METRICS_TYPE_COUNTER,
+ .name = METRICS_NAME(relay_dos_total),
+ .help = "Denial of Service defenses related counters",
+ .fill_fn = fill_dos_values,
+ },
 };
 static const size_t num_base_metrics = ARRAY_LENGTH(base_metrics);
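Review bot: In the `base_metrics[]` hunk, the new entry is tied to `RELAY_METRICS_NUM_DOS` only by its position at the end of the array, while `fill_dos_values()` looks it up as `base_metrics[RELAY_METRICS_NUM_DOS]`; an entry inserted or reordered later would make the DoS counters export under another metric's name and help text with no build error. A comment above the array would record the constraint, for example `/* Entries must stay in relay_metrics_key_t order: the fill functions index this array by key. */`, and a compile-time check that the array length equals the last key plus one would enforce it. The array's declaration and its earlier entries are outside the hunk, so the existing order is assumed to match the enum.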
@@ -139,6 +149,61 @@ handshake_type_to_str(const uint16_t type)
 }
 }
+/** Fill function for the RELAY_METRICS_NUM_DOS metric. */
+static void
+fill_dos_values(void)
+{
+ const relay_metrics_entry_t *rentry = &base_metrics[RELAY_METRICS_NUM_DOS];
+ metrics_store_entry_t *sentry =
+ metrics_store_add(the_store, rentry->type, rentry->name, rentry->help);
+
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "circuit_rejected"));
+ metrics_store_entry_update(sentry, dos_get_num_cc_rejected());
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "circuit_killed_max_cell"));
+ metrics_store_entry_update(sentry, stats_n_circ_max_cell_reached);
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "marked_address"));
+ metrics_store_entry_update(sentry, dos_get_num_cc_marked_addr());
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "marked_address_maxq"));
+ metrics_store_entry_update(sentry, dos_get_num_cc_marked_addr_maxq());
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "conn_rejected"));
+ metrics_store_entry_update(sentry, dos_get_num_conn_addr_connect_rejected());
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "concurrent_conn_rejected"));
+ metrics_store_entry_update(sentry, dos_get_num_conn_addr_rejected());
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "single_hop_refused"));
+ metrics_store_entry_update(sentry, dos_get_num_single_hop_refused());
+
+ sentry = metrics_store_add(the_store, rentry->type, rentry->name,
+ rentry->help);
+ metrics_store_entry_add_label(sentry,
+ metrics_format_label("type", "introduce2_rejected"));
+ metrics_store_entry_update(sentry, hs_dos_get_intro2_rejected_count());
+}
+
 /** Fill function for the RELAY_METRICS_NUM_CC metric. */
 static void
 fill_cc_values(void)
diff --git a/src/feature/relay/relay_metrics.h b/src/feature/relay/relay_metrics.h
index a594726668..2aa227c9cb 100644
--- a/src/feature/relay/relay_metrics.h
+++ b/src/feature/relay/relay_metrics.h
@@ -35,6 +35,8 @@ typedef enum {
 RELAY_METRICS_NUM_STREAMS = 8,
 /** Congestion control counters. */
 RELAY_METRICS_NUM_CC = 9,
+ /** Denial of Service defenses subsystem. */
+ RELAY_METRICS_NUM_DOS = 10,
 } relay_metrics_key_t;
 /** The metadata of a relay metric. */
--
cgit v1.2.3-54-g00ecf
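Review bot: `fill_dos_values()` in relay_metrics.c repeats the add/label/update sequence eight times, so a copied stanza can end up pairing a label with the wrong counter without anything failing; a label/value table walked by one loop keeps each pairing on a single line, which matters because operators will alert on these labels. `stats_n_circ_max_cell_reached` is also read as a bare global while every other value goes through an accessor, and the 32-bit and 64-bit getters all feed the same `metrics_store_entry_update()` call, whose parameter type is not visible here, so the conversions are worth confirming. The function is fully contained in the hunk; the sketch below assumes every value fits in `uint64_t`.

```c
static void
fill_dos_values(void)
{
  const relay_metrics_entry_t *rentry = &base_metrics[RELAY_METRICS_NUM_DOS];
  /* One row per exported sample: the "type" label and the counter behind it. */
  const struct {
    const char *label;
    uint64_t value;
  } dos_stats[] = {
    { "circuit_rejected", dos_get_num_cc_rejected() },
    { "circuit_killed_max_cell", stats_n_circ_max_cell_reached },
    { "marked_address", dos_get_num_cc_marked_addr() },
    { "marked_address_maxq", dos_get_num_cc_marked_addr_maxq() },
    { "conn_rejected", dos_get_num_conn_addr_connect_rejected() },
    { "concurrent_conn_rejected", dos_get_num_conn_addr_rejected() },
    { "single_hop_refused", dos_get_num_single_hop_refused() },
    { "introduce2_rejected", hs_dos_get_intro2_rejected_count() },
  };

  for (size_t i = 0; i < ARRAY_LENGTH(dos_stats); ++i) {
    metrics_store_entry_t *sentry =
      metrics_store_add(the_store, rentry->type, rentry->name, rentry->help);
    metrics_store_entry_add_label(sentry,
                        metrics_format_label("type", dos_stats[i].label));
    metrics_store_entry_update(sentry, dos_stats[i].value);
  }
}
```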