/* Copyright (c) 2018-2021, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /* * \file dos.c * \brief Implement Denial of Service mitigation subsystem. */ #define DOS_PRIVATE #include "core/or/or.h" #include "app/config/config.h" #include "core/mainloop/connection.h" #include "core/mainloop/mainloop.h" #include "core/or/channel.h" #include "core/or/connection_or.h" #include "core/or/relay.h" #include "feature/hs/hs_dos.h" #include "feature/nodelist/networkstatus.h" #include "feature/nodelist/nodelist.h" #include "feature/relay/routermode.h" #include "feature/stats/geoip_stats.h" #include "lib/crypt_ops/crypto_rand.h" #include "lib/time/compat_time.h" #include "core/or/dos.h" #include "core/or/dos_sys.h" #include "core/or/dos_options_st.h" #include "core/or/or_connection_st.h" /* * Circuit creation denial of service mitigation. * * Namespace used for this mitigation framework is "dos_cc_" where "cc" is for * Circuit Creation. */ /* Is the circuit creation DoS mitigation enabled? */ static unsigned int dos_cc_enabled = 0; /* Consensus parameters. They can be changed when a new consensus arrives. * They are initialized with the hardcoded default values. */ static uint32_t dos_cc_min_concurrent_conn; static uint32_t dos_cc_circuit_rate; static uint32_t dos_cc_circuit_burst; static dos_cc_defense_type_t dos_cc_defense_type; static int32_t dos_cc_defense_time_period; /* Keep some stats for the heartbeat so we can report out. */ static uint64_t cc_num_rejected_cells; static uint32_t cc_num_marked_addrs; static uint32_t cc_num_marked_addrs_max_queue; /* * Concurrent connection denial of service mitigation. * * Namespace used for this mitigation framework is "dos_conn_". */ /* Is the connection DoS mitigation enabled? */ static unsigned int dos_conn_enabled = 0; /* Consensus parameters. They can be changed when a new consensus arrives. * They are initialized with the hardcoded default values. */ static uint32_t dos_conn_max_concurrent_count; static dos_conn_defense_type_t dos_conn_defense_type; static uint32_t dos_conn_connect_rate = DOS_CONN_CONNECT_RATE_DEFAULT; static uint32_t dos_conn_connect_burst = DOS_CONN_CONNECT_BURST_DEFAULT; static int32_t dos_conn_connect_defense_time_period = DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT; /* Keep some stats for the heartbeat so we can report out. */ static uint64_t conn_num_addr_rejected; static uint64_t conn_num_addr_connect_rejected; /** Consensus parameter: How many times a client IP is allowed to hit the * circ_max_cell_queue_size_out limit before being marked. */ static uint32_t dos_num_circ_max_outq; /* * Stream denial of service mitigation. * * Namespace used for this mitigation framework is "dos_stream_". */ /* Is the connection DoS mitigation enabled? */ static unsigned int dos_stream_enabled = 0; /* Consensus parameters. They can be changed when a new consensus arrives. * They are initialized with the hardcoded default values. */ static dos_stream_defense_type_t dos_stream_defense_type; static uint32_t dos_stream_rate = DOS_STREAM_RATE_DEFAULT; static uint32_t dos_stream_burst = DOS_STREAM_BURST_DEFAULT; /* Keep some stats for the heartbeat so we can report out. */ static uint64_t stream_num_rejected; /* * General interface of the denial of service mitigation subsystem. */ /* Keep stats for the heartbeat. */ static uint64_t num_single_hop_client_refused; /** Return the consensus parameter for the outbound circ_max_cell_queue_size * limit. */ static uint32_t get_param_dos_num_circ_max_outq(const networkstatus_t *ns) { #define DOS_NUM_CIRC_MAX_OUTQ_DEFAULT 3 #define DOS_NUM_CIRC_MAX_OUTQ_MIN 0 #define DOS_NUM_CIRC_MAX_OUTQ_MAX INT32_MAX /* Update the circuit max cell queue size from the consensus. */ return networkstatus_get_param(ns, "dos_num_circ_max_outq", DOS_NUM_CIRC_MAX_OUTQ_DEFAULT, DOS_NUM_CIRC_MAX_OUTQ_MIN, DOS_NUM_CIRC_MAX_OUTQ_MAX); } /* Return true iff the circuit creation mitigation is enabled. We look at the * consensus for this else a default value is returned. */ MOCK_IMPL(STATIC unsigned int, get_param_cc_enabled, (const networkstatus_t *ns)) { if (dos_get_options()->DoSCircuitCreationEnabled != -1) { return dos_get_options()->DoSCircuitCreationEnabled; } return !!networkstatus_get_param(ns, "DoSCircuitCreationEnabled", DOS_CC_ENABLED_DEFAULT, 0, 1); } /* Return the parameter for the minimum concurrent connection at which we'll * start counting circuit for a specific client address. */ STATIC uint32_t get_param_cc_min_concurrent_connection(const networkstatus_t *ns) { if (dos_get_options()->DoSCircuitCreationMinConnections) { return dos_get_options()->DoSCircuitCreationMinConnections; } return networkstatus_get_param(ns, "DoSCircuitCreationMinConnections", DOS_CC_MIN_CONCURRENT_CONN_DEFAULT, 1, INT32_MAX); } /* Return the parameter for the time rate that is how many circuits over this * time span. */ static uint32_t get_param_cc_circuit_rate(const networkstatus_t *ns) { /* This is in seconds. */ if (dos_get_options()->DoSCircuitCreationRate) { return dos_get_options()->DoSCircuitCreationRate; } return networkstatus_get_param(ns, "DoSCircuitCreationRate", DOS_CC_CIRCUIT_RATE_DEFAULT, 1, INT32_MAX); } /* Return the parameter for the maximum circuit count for the circuit time * rate. */ STATIC uint32_t get_param_cc_circuit_burst(const networkstatus_t *ns) { if (dos_get_options()->DoSCircuitCreationBurst) { return dos_get_options()->DoSCircuitCreationBurst; } return networkstatus_get_param(ns, "DoSCircuitCreationBurst", DOS_CC_CIRCUIT_BURST_DEFAULT, 1, INT32_MAX); } /* Return the consensus parameter of the circuit creation defense type. */ static uint32_t get_param_cc_defense_type(const networkstatus_t *ns) { if (dos_get_options()->DoSCircuitCreationDefenseType) { return dos_get_options()->DoSCircuitCreationDefenseType; } return networkstatus_get_param(ns, "DoSCircuitCreationDefenseType", DOS_CC_DEFENSE_TYPE_DEFAULT, DOS_CC_DEFENSE_NONE, DOS_CC_DEFENSE_MAX); } /* Return the consensus parameter of the defense time period which is how much * time should we defend against a malicious client address. */ static int32_t get_param_cc_defense_time_period(const networkstatus_t *ns) { /* Time in seconds. */ if (dos_get_options()->DoSCircuitCreationDefenseTimePeriod) { return dos_get_options()->DoSCircuitCreationDefenseTimePeriod; } return networkstatus_get_param(ns, "DoSCircuitCreationDefenseTimePeriod", DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT, 0, INT32_MAX); } /* Return true iff connection mitigation is enabled. We look at the consensus * for this else a default value is returned. */ MOCK_IMPL(STATIC unsigned int, get_param_conn_enabled, (const networkstatus_t *ns)) { if (dos_get_options()->DoSConnectionEnabled != -1) { return dos_get_options()->DoSConnectionEnabled; } return !!networkstatus_get_param(ns, "DoSConnectionEnabled", DOS_CONN_ENABLED_DEFAULT, 0, 1); } /* Return the consensus parameter for the maximum concurrent connection * allowed. */ STATIC uint32_t get_param_conn_max_concurrent_count(const networkstatus_t *ns) { if (dos_get_options()->DoSConnectionMaxConcurrentCount) { return dos_get_options()->DoSConnectionMaxConcurrentCount; } return networkstatus_get_param(ns, "DoSConnectionMaxConcurrentCount", DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT, 1, INT32_MAX); } /* Return the consensus parameter of the connection defense type. */ static uint32_t get_param_conn_defense_type(const networkstatus_t *ns) { if (dos_get_options()->DoSConnectionDefenseType) { return dos_get_options()->DoSConnectionDefenseType; } return networkstatus_get_param(ns, "DoSConnectionDefenseType", DOS_CONN_DEFENSE_TYPE_DEFAULT, DOS_CONN_DEFENSE_NONE, DOS_CONN_DEFENSE_MAX); } /* Return the connection connect rate parameters either from the configuration * file or, if not found, consensus parameter. */ static uint32_t get_param_conn_connect_rate(const networkstatus_t *ns) { if (dos_get_options()->DoSConnectionConnectRate) { return dos_get_options()->DoSConnectionConnectRate; } return networkstatus_get_param(ns, "DoSConnectionConnectRate", DOS_CONN_CONNECT_RATE_DEFAULT, 1, INT32_MAX); } /* Return the connection connect burst parameters either from the * configuration file or, if not found, consensus parameter. */ STATIC uint32_t get_param_conn_connect_burst(const networkstatus_t *ns) { if (dos_get_options()->DoSConnectionConnectBurst) { return dos_get_options()->DoSConnectionConnectBurst; } return networkstatus_get_param(ns, "DoSConnectionConnectBurst", DOS_CONN_CONNECT_BURST_DEFAULT, 1, INT32_MAX); } /* Return the connection connect defense time period from the configuration * file or, if not found, the consensus parameter. */ static int32_t get_param_conn_connect_defense_time_period(const networkstatus_t *ns) { /* Time in seconds. */ if (dos_get_options()->DoSConnectionConnectDefenseTimePeriod) { return dos_get_options()->DoSConnectionConnectDefenseTimePeriod; } return networkstatus_get_param(ns, "DoSConnectionConnectDefenseTimePeriod", DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT, DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_MIN, INT32_MAX); } /* Return true iff the stream creation mitigation is enabled. We look at the * consensus for this else a default value is returned. */ MOCK_IMPL(STATIC unsigned int, get_param_stream_enabled, (const networkstatus_t *ns)) { if (dos_get_options()->DoSStreamCreationEnabled != -1) { return dos_get_options()->DoSStreamCreationEnabled; } return !!networkstatus_get_param(ns, "DoSStreamCreationEnabled", DOS_STREAM_ENABLED_DEFAULT, 0, 1); } /* Return the parameter for the time rate that is how many stream per circuit * over this time span. */ static uint32_t get_param_stream_rate(const networkstatus_t *ns) { /* This is in seconds. */ if (dos_get_options()->DoSStreamCreationRate) { return dos_get_options()->DoSStreamCreationRate; } return networkstatus_get_param(ns, "DoSStreamCreationRate", DOS_STREAM_RATE_DEFAULT, 1, INT32_MAX); } /* Return the parameter for the maximum circuit count for the circuit time * rate. */ static uint32_t get_param_stream_burst(const networkstatus_t *ns) { if (dos_get_options()->DoSStreamCreationBurst) { return dos_get_options()->DoSStreamCreationBurst; } return networkstatus_get_param(ns, "DoSStreamCreationBurst", DOS_STREAM_BURST_DEFAULT, 1, INT32_MAX); } /* Return the consensus parameter of the circuit creation defense type. */ static uint32_t get_param_stream_defense_type(const networkstatus_t *ns) { if (dos_get_options()->DoSStreamCreationDefenseType) { return dos_get_options()->DoSStreamCreationDefenseType; } return networkstatus_get_param(ns, "DoSStreamCreationDefenseType", DOS_STREAM_DEFENSE_TYPE_DEFAULT, DOS_STREAM_DEFENSE_NONE, DOS_STREAM_DEFENSE_MAX); } /* Set circuit creation parameters located in the consensus or their default * if none are present. Called at initialization or when the consensus * changes. */ static void set_dos_parameters(const networkstatus_t *ns) { /* Get the default consensus param values. */ dos_cc_enabled = get_param_cc_enabled(ns); dos_cc_min_concurrent_conn = get_param_cc_min_concurrent_connection(ns); dos_cc_circuit_rate = get_param_cc_circuit_rate(ns); dos_cc_circuit_burst = get_param_cc_circuit_burst(ns); dos_cc_defense_time_period = get_param_cc_defense_time_period(ns); dos_cc_defense_type = get_param_cc_defense_type(ns); /* Connection detection. */ dos_conn_enabled = get_param_conn_enabled(ns); dos_conn_max_concurrent_count = get_param_conn_max_concurrent_count(ns); dos_conn_defense_type = get_param_conn_defense_type(ns); dos_conn_connect_rate = get_param_conn_connect_rate(ns); dos_conn_connect_burst = get_param_conn_connect_burst(ns); dos_conn_connect_defense_time_period = get_param_conn_connect_defense_time_period(ns); /* Circuit. */ dos_num_circ_max_outq = get_param_dos_num_circ_max_outq(ns); /* Stream. */ dos_stream_enabled = get_param_stream_enabled(ns); dos_stream_defense_type = get_param_stream_defense_type(ns); dos_stream_rate = get_param_stream_rate(ns); dos_stream_burst = get_param_stream_burst(ns); } /* Free everything for the circuit creation DoS mitigation subsystem. */ static void cc_free_all(void) { /* If everything is freed, the circuit creation subsystem is not enabled. */ dos_cc_enabled = 0; } /* Called when the consensus has changed. Do appropriate actions for the * circuit creation subsystem. */ static void cc_consensus_has_changed(const networkstatus_t *ns) { /* Looking at the consensus, is the circuit creation subsystem enabled? If * not and it was enabled before, clean it up. */ if (dos_cc_enabled && !get_param_cc_enabled(ns)) { cc_free_all(); } } /** Return the number of circuits we allow per second under the current * configuration. */ STATIC uint64_t get_circuit_rate_per_second(void) { return dos_cc_circuit_rate; } /* Given the circuit creation client statistics object, refill the circuit * bucket if needed. This also works if the bucket was never filled in the * first place. The addr is only used for logging purposes. */ STATIC void cc_stats_refill_bucket(cc_client_stats_t *stats, const tor_addr_t *addr) { uint32_t new_circuit_bucket_count; uint64_t num_token, elapsed_time_last_refill = 0, circuit_rate = 0; time_t now; int64_t last_refill_ts; tor_assert(stats); tor_assert(addr); now = approx_time(); last_refill_ts = (int64_t)stats->last_circ_bucket_refill_ts; /* If less than a second has elapsed, don't add any tokens. * Note: If a relay's clock is ever 0, any new clients won't get a refill * until the next second. But a relay that thinks it is 1970 will never * validate the public consensus. */ if ((int64_t)now == last_refill_ts) { goto done; } /* At this point, we know we might need to add token to the bucket. We'll * first get the circuit rate that is how many circuit are we allowed to do * per second. */ circuit_rate = get_circuit_rate_per_second(); /* We've never filled the bucket so fill it with the maximum being the burst * and we are done. * Note: If a relay's clock is ever 0, all clients that were last refilled * in that zero second will get a full refill here. */ if (last_refill_ts == 0) { num_token = dos_cc_circuit_burst; goto end; } /* Our clock jumped backward so fill it up to the maximum. Not filling it * could trigger a detection for a valid client. Also, if the clock jumped * negative but we didn't notice until the elapsed time became positive * again, then we potentially spent many seconds not refilling the bucket * when we should have been refilling it. But the fact that we didn't notice * until now means that no circuit creation requests came in during that * time, so the client doesn't end up punished that much from this hopefully * rare situation.*/ if ((int64_t)now < last_refill_ts) { /* Use the maximum allowed value of token. */ num_token = dos_cc_circuit_burst; goto end; } /* How many seconds have elapsed between now and the last refill? * This subtraction can't underflow, because now >= last_refill_ts. * And it can't overflow, because INT64_MAX - (-INT64_MIN) == UINT64_MAX. */ elapsed_time_last_refill = (uint64_t)now - last_refill_ts; /* If the elapsed time is very large, it means our clock jumped forward. * If the multiplication would overflow, use the maximum allowed value. */ if (elapsed_time_last_refill > UINT32_MAX) { num_token = dos_cc_circuit_burst; goto end; } /* Compute how many circuits we are allowed in that time frame which we'll * add to the bucket. This can't overflow, because both multiplicands * are less than or equal to UINT32_MAX, and num_token is uint64_t. */ num_token = elapsed_time_last_refill * circuit_rate; end: /* If the sum would overflow, use the maximum allowed value. */ if (num_token > UINT32_MAX - stats->circuit_bucket) { new_circuit_bucket_count = dos_cc_circuit_burst; } else { /* We cap the bucket to the burst value else this could overflow uint32_t * over time. */ new_circuit_bucket_count = MIN(stats->circuit_bucket + (uint32_t)num_token, dos_cc_circuit_burst); } /* This function is not allowed to make the bucket count larger than the * burst value */ tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst); /* This function is not allowed to make the bucket count smaller, unless it * is decreasing it to a newly configured, lower burst value. We allow the * bucket to stay the same size, in case the circuit rate is zero. */ tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket || new_circuit_bucket_count == dos_cc_circuit_burst); log_debug(LD_DOS, "DoS address %s has its circuit bucket value: %" PRIu32 ". Filling it to %" PRIu32 ". Circuit rate is %" PRIu64 ". Elapsed time is %" PRIi64, fmt_addr(addr), stats->circuit_bucket, new_circuit_bucket_count, circuit_rate, (int64_t)elapsed_time_last_refill); stats->circuit_bucket = new_circuit_bucket_count; stats->last_circ_bucket_refill_ts = now; done: return; } /* Return true iff the circuit bucket is down to 0 and the number of * concurrent connections is greater or equal the minimum threshold set the * consensus parameter. */ static int cc_has_exhausted_circuits(const dos_client_stats_t *stats) { tor_assert(stats); return stats->cc_stats.circuit_bucket == 0 && stats->conn_stats.concurrent_count >= dos_cc_min_concurrent_conn; } /* Mark client address by setting a timestamp in the stats object which tells * us until when it is marked as positively detected. */ static void cc_mark_client(cc_client_stats_t *stats) { tor_assert(stats); /* We add a random offset of a maximum of half the defense time so it is * less predictable. */ stats->marked_until_ts = approx_time() + dos_cc_defense_time_period + crypto_rand_int_range(1, dos_cc_defense_time_period / 2); } /* Return true iff the given channel address is marked as malicious. This is * called a lot and part of the fast path of handling cells. It has to remain * as fast as we can. */ static int cc_channel_addr_is_marked(channel_t *chan) { time_t now; tor_addr_t addr; clientmap_entry_t *entry; cc_client_stats_t *stats = NULL; if (chan == NULL) { goto end; } /* Must be a client connection else we ignore. */ if (!channel_is_client(chan)) { goto end; } /* Without an IP address, nothing can work. */ if (!channel_get_addr_if_possible(chan, &addr)) { goto end; } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&addr, NULL, GEOIP_CLIENT_CONNECT); if (entry == NULL) { /* We can have a connection creating circuits but not tracked by the geoip * cache. Once this DoS subsystem is enabled, we can end up here with no * entry for the channel. */ goto end; } now = approx_time(); stats = &entry->dos_stats.cc_stats; end: return stats && stats->marked_until_ts >= now; } /* Concurrent connection private API. */ /* Mark client connection stats by setting a timestamp which tells us until * when it is marked as positively detected. */ static void conn_mark_client(conn_client_stats_t *stats) { tor_assert(stats); /* We add a random offset of a maximum of half the defense time so it is * less predictable and thus more difficult to game. */ stats->marked_until_ts = approx_time() + dos_conn_connect_defense_time_period + crypto_rand_int_range(1, dos_conn_connect_defense_time_period / 2); } /* Free everything for the connection DoS mitigation subsystem. */ static void conn_free_all(void) { dos_conn_enabled = 0; } /* Called when the consensus has changed. Do appropriate actions for the * connection mitigation subsystem. */ static void conn_consensus_has_changed(const networkstatus_t *ns) { /* Looking at the consensus, is the connection mitigation subsystem enabled? * If not and it was enabled before, clean it up. */ if (dos_conn_enabled && !get_param_conn_enabled(ns)) { conn_free_all(); } } /** Called when a new client connection has arrived. The following will update * the client connection statistics. * * The addr is used for logging purposes only. * * If the connect counter reaches its limit, it is marked. */ static void conn_update_on_connect(conn_client_stats_t *stats, const tor_addr_t *addr) { tor_assert(stats); tor_assert(addr); /* Update concurrent count for this new connect. */ stats->concurrent_count++; /* Refill connect connection count. */ token_bucket_ctr_refill(&stats->connect_count, (uint32_t) monotime_coarse_absolute_sec()); /* Decrement counter for this new connection. */ if (token_bucket_ctr_get(&stats->connect_count) > 0) { token_bucket_ctr_dec(&stats->connect_count, 1); } /* Assess connect counter. Mark it if counter is down to 0 and we haven't * marked it before or it was reset. This is to avoid to re-mark it over and * over again extending continuously the blocked time. */ if (token_bucket_ctr_get(&stats->connect_count) == 0 && stats->marked_until_ts == 0) { conn_mark_client(stats); } log_debug(LD_DOS, "Client address %s has now %u concurrent connections. " "Remaining %" TOR_PRIuSZ "/sec connections are allowed.", fmt_addr(addr), stats->concurrent_count, token_bucket_ctr_get(&stats->connect_count)); } /** Called when a client connection is closed. The following will update * the client connection statistics. * * The addr is used for logging purposes only. */ static void conn_update_on_close(conn_client_stats_t *stats, const tor_addr_t *addr) { /* Extra super duper safety. Going below 0 means an underflow which could * lead to most likely a false positive. In theory, this should never happen * but let's be extra safe. */ if (BUG(stats->concurrent_count == 0)) { return; } stats->concurrent_count--; log_debug(LD_DOS, "Client address %s has lost a connection. Concurrent " "connections are now at %u", fmt_addr(addr), stats->concurrent_count); } /* General private API */ /* Return true iff we have at least one DoS detection enabled. This is used to * decide if we need to allocate any kind of high level DoS object. */ static inline int dos_is_enabled(void) { return (dos_cc_enabled || dos_conn_enabled); } /* Circuit creation public API. */ /** Return the number of rejected circuits. */ uint64_t dos_get_num_cc_rejected(void) { return cc_num_rejected_cells; } /** Return the number of marked addresses. */ uint32_t dos_get_num_cc_marked_addr(void) { return cc_num_marked_addrs; } /** Return the number of marked addresses due to max queue limit reached. */ uint32_t dos_get_num_cc_marked_addr_maxq(void) { return cc_num_marked_addrs_max_queue; } /** Return number of concurrent connections rejected. */ uint64_t dos_get_num_conn_addr_rejected(void) { return conn_num_addr_rejected; } /** Return the number of connection rejected. */ uint64_t dos_get_num_conn_addr_connect_rejected(void) { return conn_num_addr_connect_rejected; } /** Return the number of single hop refused. */ uint64_t dos_get_num_single_hop_refused(void) { return num_single_hop_client_refused; } /* Called when a CREATE cell is received from the given channel. */ void dos_cc_new_create_cell(channel_t *chan) { tor_addr_t addr; clientmap_entry_t *entry; tor_assert(chan); /* Skip everything if not enabled. */ if (!dos_cc_enabled) { goto end; } /* Must be a client connection else we ignore. */ if (!channel_is_client(chan)) { goto end; } /* Without an IP address, nothing can work. */ if (!channel_get_addr_if_possible(chan, &addr)) { goto end; } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&addr, NULL, GEOIP_CLIENT_CONNECT); if (entry == NULL) { /* We can have a connection creating circuits but not tracked by the geoip * cache. Once this DoS subsystem is enabled, we can end up here with no * entry for the channel. */ goto end; } /* General comment. Even though the client can already be marked as * malicious, we continue to track statistics. If it keeps going above * threshold while marked, the defense period time will grow longer. There * is really no point at unmarking a client that keeps DoSing us. */ /* First of all, we'll try to refill the circuit bucket opportunistically * before we assess. */ cc_stats_refill_bucket(&entry->dos_stats.cc_stats, &addr); /* Take a token out of the circuit bucket if we are above 0 so we don't * underflow the bucket. */ if (entry->dos_stats.cc_stats.circuit_bucket > 0) { entry->dos_stats.cc_stats.circuit_bucket--; } /* This is the detection. Assess at every CREATE cell if the client should * get marked as malicious. This should be kept as fast as possible. */ if (cc_has_exhausted_circuits(&entry->dos_stats)) { /* If this is the first time we mark this entry, log it. * Under heavy DDoS, logging each time we mark would results in lots and * lots of logs. */ if (entry->dos_stats.cc_stats.marked_until_ts == 0) { log_debug(LD_DOS, "Detected circuit creation DoS by address: %s", fmt_addr(&addr)); cc_num_marked_addrs++; } cc_mark_client(&entry->dos_stats.cc_stats); } end: return; } /* Return the defense type that should be used for this circuit. * * This is part of the fast path and called a lot. */ dos_cc_defense_type_t dos_cc_get_defense_type(channel_t *chan) { tor_assert(chan); /* Skip everything if not enabled. */ if (!dos_cc_enabled) { goto end; } /* On an OR circuit, we'll check if the previous channel is a marked client * connection detected by our DoS circuit creation mitigation subsystem. */ if (cc_channel_addr_is_marked(chan)) { /* We've just assess that this circuit should trigger a defense for the * cell it just seen. Note it down. */ cc_num_rejected_cells++; return dos_cc_defense_type; } end: return DOS_CC_DEFENSE_NONE; } /* Concurrent connection detection public API. */ /* Return true iff the given address is permitted to open another connection. * A defense value is returned for the caller to take appropriate actions. */ dos_conn_defense_type_t dos_conn_addr_get_defense_type(const tor_addr_t *addr) { clientmap_entry_t *entry; tor_assert(addr); /* Skip everything if not enabled. */ if (!dos_conn_enabled) { goto end; } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(addr, NULL, GEOIP_CLIENT_CONNECT); if (entry == NULL) { goto end; } /* Is this address marked as making too many client connections? */ if (entry->dos_stats.conn_stats.marked_until_ts >= approx_time()) { conn_num_addr_connect_rejected++; return dos_conn_defense_type; } /* Reset it to 0 here so that if the marked timestamp has expired that is * we've gone beyond it, we have to reset it so the detection can mark it * again in the future. */ entry->dos_stats.conn_stats.marked_until_ts = 0; /* Need to be above the maximum concurrent connection count to trigger a * defense. */ if (entry->dos_stats.conn_stats.concurrent_count > dos_conn_max_concurrent_count) { conn_num_addr_rejected++; return dos_conn_defense_type; } end: return DOS_CONN_DEFENSE_NONE; } /* Stream creation public API. */ /** Return the number of rejected stream and resolve. */ uint64_t dos_get_num_stream_rejected(void) { return stream_num_rejected; } /* Return the action to take against a BEGIN or RESOLVE cell. Return * DOS_STREAM_DEFENSE_NONE when no action should be taken. * Increment the appropriate counter when the cell was found to go over a * limit. */ dos_stream_defense_type_t dos_stream_new_begin_or_resolve_cell(or_circuit_t *circ) { if (!dos_stream_enabled || circ == NULL) return DOS_STREAM_DEFENSE_NONE; token_bucket_ctr_refill(&circ->stream_limiter, (uint32_t) monotime_coarse_absolute_sec()); if (token_bucket_ctr_get(&circ->stream_limiter) > 0) { token_bucket_ctr_dec(&circ->stream_limiter, 1); return DOS_STREAM_DEFENSE_NONE; } /* if defense type is DOS_STREAM_DEFENSE_NONE but DoSStreamEnabled is true, * we count offending cells as rejected, despite them being actually * accepted. */ ++stream_num_rejected; return dos_stream_defense_type; } /* Initialize the token bucket for stream rate limit on a circuit. */ void dos_stream_init_circ_tbf(or_circuit_t *circ) { token_bucket_ctr_init(&circ->stream_limiter, dos_stream_rate, dos_stream_burst, (uint32_t) monotime_coarse_absolute_sec()); } /* General API */ /* Take any appropriate actions for the given geoip entry that is about to get * freed. This is called for every entry that is being freed. * * This function will clear out the connection tracked flag if the concurrent * count of the entry is above 0 so if those connections end up being seen by * this subsystem, we won't try to decrement the counter for a new geoip entry * that might have been added after this call for the same address. */ void dos_geoip_entry_about_to_free(const clientmap_entry_t *geoip_ent) { tor_assert(geoip_ent); /* The count is down to 0 meaning no connections right now, we can safely * clear the geoip entry from the cache. */ if (geoip_ent->dos_stats.conn_stats.concurrent_count == 0) { goto end; } /* For each connection matching the geoip entry address, we'll clear the * tracked flag because the entry is about to get removed from the geoip * cache. We do not try to decrement if the flag is not set. */ SMARTLIST_FOREACH_BEGIN(get_connection_array(), connection_t *, conn) { if (conn->type == CONN_TYPE_OR) { or_connection_t *or_conn = TO_OR_CONN(conn); if (!tor_addr_compare(&geoip_ent->addr, &TO_CONN(or_conn)->addr, CMP_EXACT)) { or_conn->tracked_for_dos_mitigation = 0; } } } SMARTLIST_FOREACH_END(conn); end: return; } /** A new geoip client entry has been allocated, initialize its DoS object. */ void dos_geoip_entry_init(clientmap_entry_t *geoip_ent) { tor_assert(geoip_ent); /* Initialize the connection count counter with the rate and burst * parameters taken either from configuration or consensus. * * We do this even if the DoS connection detection is not enabled because it * can be enabled at runtime and these counters need to be valid. */ token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count, dos_conn_connect_rate, dos_conn_connect_burst, (uint32_t) monotime_coarse_absolute_sec()); } /** Note that the given channel has sent outbound the maximum amount of cell * allowed on the next channel. */ void dos_note_circ_max_outq(const channel_t *chan) { tor_addr_t addr; clientmap_entry_t *entry; tor_assert(chan); /* Skip everything if circuit creation defense is disabled. */ if (!dos_cc_enabled) { goto end; } /* Must be a client connection else we ignore. */ if (!channel_is_client(chan)) { goto end; } /* Without an IP address, nothing can work. */ if (!channel_get_addr_if_possible(chan, &addr)) { goto end; } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&addr, NULL, GEOIP_CLIENT_CONNECT); if (entry == NULL) { goto end; } /* Is the client marked? If yes, just ignore. */ if (entry->dos_stats.cc_stats.marked_until_ts >= approx_time()) { goto end; } /* If max outq parameter is 0, it means disabled, just ignore. */ if (dos_num_circ_max_outq == 0) { goto end; } entry->dos_stats.num_circ_max_cell_queue_size++; /* This is the detection. If we have reached the maximum amount of times a * client IP is allowed to reach this limit, mark client. */ if (entry->dos_stats.num_circ_max_cell_queue_size >= dos_num_circ_max_outq) { /* Only account for this marked address if this is the first time we block * it else our counter is inflated with non unique entries. */ if (entry->dos_stats.cc_stats.marked_until_ts == 0) { cc_num_marked_addrs_max_queue++; } log_info(LD_DOS, "Detected outbound max circuit queue from addr: %s", fmt_addr(&addr)); cc_mark_client(&entry->dos_stats.cc_stats); /* Reset after being marked so once unmarked, we start back clean. */ entry->dos_stats.num_circ_max_cell_queue_size = 0; } end: return; } /* Note down that we've just refused a single hop client. This increments a * counter later used for the heartbeat. */ void dos_note_refuse_single_hop_client(void) { num_single_hop_client_refused++; } /* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should * be refused. */ int dos_should_refuse_single_hop_client(void) { /* If we aren't a public relay, this shouldn't apply to anything. */ if (!public_server_mode(get_options())) { return 0; } if (dos_get_options()->DoSRefuseSingleHopClientRendezvous != -1) { return dos_get_options()->DoSRefuseSingleHopClientRendezvous; } return (int) networkstatus_get_param(NULL, "DoSRefuseSingleHopClientRendezvous", 0 /* default */, 0, 1); } /* Log a heartbeat message with some statistics. */ void dos_log_heartbeat(void) { smartlist_t *elems = smartlist_new(); /* Stats number coming from relay.c append_cell_to_circuit_queue(). */ smartlist_add_asprintf(elems, "%" PRIu64 " circuits killed with too many cells", stats_n_circ_max_cell_reached); if (dos_cc_enabled) { smartlist_add_asprintf(elems, "%" PRIu64 " circuits rejected, " "%" PRIu32 " marked addresses, " "%" PRIu32 " marked addresses for max queue", cc_num_rejected_cells, cc_num_marked_addrs, cc_num_marked_addrs_max_queue); } else { smartlist_add_asprintf(elems, "[DoSCircuitCreationEnabled disabled]"); } if (dos_conn_enabled) { smartlist_add_asprintf(elems, "%" PRIu64 " same address concurrent " "connections rejected", conn_num_addr_rejected); smartlist_add_asprintf(elems, "%" PRIu64 " connections rejected", conn_num_addr_connect_rejected); } else { smartlist_add_asprintf(elems, "[DoSConnectionEnabled disabled]"); } if (dos_should_refuse_single_hop_client()) { smartlist_add_asprintf(elems, "%" PRIu64 " single hop clients refused", num_single_hop_client_refused); } else { smartlist_add_asprintf(elems, "[DoSRefuseSingleHopClientRendezvous disabled]"); } if (dos_stream_enabled) { smartlist_add_asprintf(elems, "%" PRIu64 " stream rejected", stream_num_rejected); } else { smartlist_add_asprintf(elems, "[DoSStreamCreationEnabled disabled]"); } /* HS DoS stats. */ smartlist_add_asprintf(elems, "%" PRIu64 " INTRODUCE2 rejected", hs_dos_get_intro2_rejected_count()); char *msg = smartlist_join_strings(elems, ", ", 0, NULL); log_notice(LD_HEARTBEAT, "Heartbeat: DoS mitigation since startup: %s.", msg); tor_free(msg); SMARTLIST_FOREACH(elems, char *, e, tor_free(e)); smartlist_free(elems); } /* Called when a new client connection has been established on the given * address. */ void dos_new_client_conn(or_connection_t *or_conn, const char *transport_name) { clientmap_entry_t *entry; tor_assert(or_conn); tor_assert_nonfatal(!or_conn->tracked_for_dos_mitigation); /* Past that point, we know we have at least one DoS detection subsystem * enabled so we'll start allocating stuff. */ if (!dos_is_enabled()) { goto end; } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, transport_name, GEOIP_CLIENT_CONNECT); if (BUG(entry == NULL)) { /* Should never happen because we note down the address in the geoip * cache before this is called. */ goto end; } /* Update stats from this new connect. */ conn_update_on_connect(&entry->dos_stats.conn_stats, &TO_CONN(or_conn)->addr); or_conn->tracked_for_dos_mitigation = 1; end: return; } /* Called when a client connection for the given IP address has been closed. */ void dos_close_client_conn(const or_connection_t *or_conn) { clientmap_entry_t *entry; tor_assert(or_conn); /* We have to decrement the count on tracked connection only even if the * subsystem has been disabled at runtime because it might be re-enabled * after and we need to keep a synchronized counter at all time. */ if (!or_conn->tracked_for_dos_mitigation) { goto end; } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, NULL, GEOIP_CLIENT_CONNECT); if (entry == NULL) { /* This can happen because we can close a connection before the channel * got to be noted down in the geoip cache. */ goto end; } /* Update stats from this new close. */ conn_update_on_close(&entry->dos_stats.conn_stats, &TO_CONN(or_conn)->addr); end: return; } /* Called when the consensus has changed. We might have new consensus * parameters to look at. */ void dos_consensus_has_changed(const networkstatus_t *ns) { /* There are two ways to configure this subsystem, one at startup through * dos_init() which is called when the options are parsed. And this one * through the consensus. We don't want to enable any DoS mitigation if we * aren't a public relay. */ if (!public_server_mode(get_options())) { return; } cc_consensus_has_changed(ns); conn_consensus_has_changed(ns); /* We were already enabled or we just became enabled but either way, set the * consensus parameters for all subsystems. */ set_dos_parameters(ns); } /* Return true iff the DoS mitigation subsystem is enabled. */ int dos_enabled(void) { return dos_is_enabled(); } /* Free everything from the Denial of Service subsystem. */ void dos_free_all(void) { /* Free the circuit creation mitigation subsystem. It is safe to do this * even if it wasn't initialized. */ cc_free_all(); /* Free the connection mitigation subsystem. It is safe to do this even if * it wasn't initialized. */ conn_free_all(); } /* Initialize the Denial of Service subsystem. */ void dos_init(void) { /* To initialize, we only need to get the parameters. */ set_dos_parameters(NULL); }