Add client_ip_max_connections

Given some incentive after deep consideration of the slowloris claims.
While I still do not believe Squid is vulnerable per-se and some people
have tested and found no such failures as claimed for the DoS attack.

We found we could provide better administrative controls.  This is one such
that has been asked about many times and still did not exist. It operates
essentially the same as maxconn ACL, but does not require HTTP headers and
other request data to fully exist like ACLs do.

It is tested immediately after accept() and is request type agnostic, right
down to DNS TCP requests. So care is warranted in hierarchy situations or where
clients may be behind NAT.

Utilizes the client DB to monitor accepted TCP links. Operates prior to
everything so as to eliminate resource usage on the blocking case and
close the windows of opportunity for dribble-attacks etc.

Default (-1) is to keep the status-quo of no limits.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 56b3cfc196bca62559bffe3286f28fa303190755..03017a5ea2886bb0e53b2992e77a967d6994af25 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -4735,6 +4735,24 @@ accept_filter httpready
 accept_filter data
 DOC_END
 
+NAME: client_ip_max_connections
+TYPE: int
+LOC: Config.client_ip_max_connections
+DEFAULT: -1
+DOC_START
+       Set an absolute limit on the number of connections a single
+       client IP can use. Any more than this and Squid will begin to drop
+       new connections from the client until it closes some links.
+
+       Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+       connections from the client. For finer control use the ACL access controls.
+
+       Requires client_db to be enabled (the default).
+
+       WARNING: This may noticably slow down traffic received via external proxies
+       or NAT devices and cause them to rebound error messages back to their clients.
+DOC_END
+
 NAME: tcp_recv_bufsize
 COMMENT: (bytes)
 TYPE: b_size_t

diff --git a/src/comm.cc b/src/comm.cc
index 707b53d611917789eab1c637f2700d320fa1b67a..90ed281eb5791486dd6107417ef813ff633bb961 100644 (file)
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -45,6 +45,7 @@
 #include "MemBuf.h"
 #include "pconn.h"
 #include "SquidTime.h"
+#include "protos.h"
 
 #if defined(_SQUID_CYGWIN_)
 #include <sys/ioctl.h>
@@ -1355,6 +1356,13 @@ comm_old_accept(int fd, ConnectionDetail &details)
     Slen = sizeof(details.me);
     memset(&details.me, '\0', Slen);
 
+    if ( Config.client_ip_max_connections >= 0) {
+        if (clientdbEstablished(details.peer, 0) > Config.client_ip_max_connections) {
+            debugs(50, DBG_IMPORTANT, "WARNING: " << inet_ntoa(details.peer.sin_addr) << " attempting more than " << Config.client_ip_max_connections << " connections.");
+            return COMM_ERROR;
+        }
+    }
+
     getsockname(sock, (struct sockaddr *) &details.me, &Slen);
     commSetCloseOnExec(sock);
     /* fdstat update */

diff --git a/src/structs.h b/src/structs.h
index 5ade3dce5e08db7fe3b97caf750ae0b21d71a2fb..0a5104f76d56788e235e01485bb731d3658b6daf 100644 (file)
--- a/src/structs.h
+++ b/src/structs.h
@@ -743,6 +743,7 @@ struct _SquidConfig
 
     char *accept_filter;
     int umask;
+    int client_ip_max_connections;
 };
 
 struct _SquidConfig2