Add client_ip_max_connections

Given some incentive after deep consideration of the slowloris claims.
While I still do not believe Squid is vulnerable per-se and some people
have tested and found no such failures as claimed for the DoS attack.

We found we could provide better administrative controls.  This is one such
that has been asked about many times and still did not exist. It operates
essentially teh same as the maxconn ACL, but does not require HTTP headers
and other request data to fully exist like ACLs do.

It is tested immediately after accept() and is request type agnostic, right
down to DNS TCP requests. So care is warranted in hierarchy situations or where
clients may be behind NAT.

Utilizes the client DB to monitor accepted TCP links. Operates prior to
everything so as to eliminate resource usage on the blocking case and
close the windows of opportunity for dribble-attacks etc.

Default (-1) is to keep the status-quo of no limits.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 961d8689ec73fb39a7bfcbd2d6667a99f8d7ea84..5df6d78e38920513d206ca7b08e0764248f01381 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -5623,6 +5623,24 @@ accept_filter httpready
 accept_filter data
 DOC_END
 
+NAME: client_ip_max_connections
+TYPE: int
+LOC: Config.client_ip_max_connections
+DEFAULT: -1
+DOC_START
+       Set an absolute limit on the number of connections a single
+       client IP can use. Any more than this and Squid will begin to drop
+       new connections from the client until it closes some links.
+
+       Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+       connections from the client. For finer control use the ACL access controls.
+
+       Requires client_db to be enabled (the default).
+
+       WARNING: This may noticably slow down traffic received via external proxies
+       or NAT devices and cause them to rebound error messages back to their clients.
+DOC_END
+
 NAME: tcp_recv_bufsize
 COMMENT: (bytes)
 TYPE: b_size_t

diff --git a/src/comm.cc b/src/comm.cc
index 6d6da26ac6cc8ccd35799d374817809bc9eff73c..a0cb55211bffe536c5af3f1799276c12a146210b 100644 (file)
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -48,6 +48,7 @@
 #include "icmp/net_db.h"
 #include "ip/IpAddress.h"
 #include "ip/IpIntercept.h"
+#include "protos.h"
 
 #if defined(_SQUID_CYGWIN_)
 #include <sys/ioctl.h>
@@ -1403,6 +1404,14 @@ comm_old_accept(int fd, ConnectionDetail &details)
 
     details.peer = *gai;
 
+    if ( Config.client_ip_max_connections >= 0) {
+        if (clientdbEstablished(details.peer, 0) > Config.client_ip_max_connections) {
+            debugs(50, DBG_IMPORTANT, "WARNING: " << details.peer << " attempting more than " << Config.client_ip_max_connections << " connections.");
+            details.me.FreeAddrInfo(gai);
+            return COMM_ERROR;
+        }
+    }
+
     details.me.InitAddrInfo(gai);
 
     details.me.SetEmpty();

diff --git a/src/structs.h b/src/structs.h
index 1168c464f63e1cfd5c877744a542fcdba58ecc69..703f40ebb8acf00c72edcc8e6ff859e5feb4c9a8 100644 (file)
--- a/src/structs.h
+++ b/src/structs.h
@@ -625,6 +625,8 @@ struct SquidConfig {
 #if USE_LOADABLE_MODULES
     wordlist *loadable_module_names;
 #endif
+
+    int client_ip_max_connections;
 };
 
 SQUIDCEXTERN SquidConfig Config;