#include "lib/time/compat_time.h"
#include "core/or/cell_queue_st.h"
+#include "core/or/or_connection_st.h"
/* Global lists of channels */
{
tor_addr_t remote_addr;
int started_here;
- time_t now = time(NULL);
int close_origin_circuits = 0;
tor_assert(chan);
circuit_build_times_network_is_live(get_circuit_build_times_mutable());
router_set_status(chan->identity_digest, 1);
} else {
- /* only report it to the geoip module if it's a client */
+ /* only report it to the geoip module if it's a client and it hasn't
+ * already been set up for tracking earlier. (Incoming TLS connections
+ * are tracked before the handshake.) */
if (channel_is_client(chan)) {
if (channel_get_addr_if_possible(chan, &remote_addr)) {
- char *transport_name = NULL;
channel_tls_t *tlschan = BASE_CHAN_TO_TLS(chan);
- if (chan->get_transport_name(chan, &transport_name) < 0)
- transport_name = NULL;
-
- geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
- &remote_addr, transport_name,
- now);
- /* Notify the DoS subsystem of a new client. */
- if (tlschan && tlschan->conn) {
- dos_new_client_conn(tlschan->conn, transport_name);
+ if (!tlschan->conn->tracked_for_dos_mitigation) {
+ char *transport_name = NULL;
+ if (chan->get_transport_name(chan, &transport_name) < 0) {
+ transport_name = NULL;
+ }
+ geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
+ &remote_addr, transport_name,
+ time(NULL));
+ if (tlschan && tlschan->conn) {
+ dos_new_client_conn(tlschan->conn, transport_name);
+ }
+ tor_free(transport_name);
}
- tor_free(transport_name);
}
/* Otherwise the underlying transport can't tell us this, so skip it */
}
#include "core/or/circuitmux.h"
#include "core/or/circuitmux_ewma.h"
#include "core/or/command.h"
+#include "core/or/dos.h"
#include "app/config/config.h"
#include "app/config/resolve_addr.h"
#include "core/mainloop/connection.h"
#include "trunnel/link_handshake.h"
#include "core/or/relay.h"
#include "feature/stats/rephist.h"
+#include "feature/stats/geoip_stats.h"
#include "feature/relay/router.h"
#include "feature/relay/routermode.h"
#include "feature/nodelist/dirlist.h"
/* Register it */
channel_register(chan);
+ /* Start tracking TLS connections in the DoS subsystem as soon as possible,
+ * so we can protect against attacks that use partially open connections.
+ */
+ geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
+ &TO_CONN(orconn)->addr, NULL,
+ time(NULL));
+ dos_new_client_conn(orconn, NULL);
+
return chan;
}
clientmap_entry_t *entry;
tor_assert(or_conn);
+ tor_assert_nonfatal(!or_conn->tracked_for_dos_mitigation);
/* Past that point, we know we have at least one DoS detection subsystem
* enabled so we'll start allocating stuff. */
* the others, we're not.
*/
typedef enum {
- /** We've noticed a connection as a bridge relay or entry guard. */
+ /** An incoming ORPort connection */
GEOIP_CLIENT_CONNECT = 0,
/** We've served a networkstatus consensus as a directory server. */
GEOIP_CLIENT_NETWORKSTATUS = 1,
* second for each connection. */
monotime_coarse_set_mock_time_nsec(monotime_now += BILLION);
update_approx_time(++wallclock_now);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
}
}
dos_conn_addr_get_defense_type(addr));
/* Register another conn and check that new conns are not allowed anymore */
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ,
dos_conn_addr_get_defense_type(addr));
/* Close a client conn and see that a new conn will be permitted again */
dos_close_client_conn(&or_conn);
+ or_conn.tracked_for_dos_mitigation = 0;
tt_int_op(DOS_CONN_DEFENSE_NONE, OP_EQ,
dos_conn_addr_get_defense_type(addr));
* circuit counting subsystem */
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now);
for (i = 0; i < min_conc_conns_for_cc ; i++) {
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
}
/* Suppose we have 5 connections in rapid succession, the counter should
* always be 0 because we should ignore this. */
dos_new_client_conn(&or_conn, NULL);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL,
GEOIP_CLIENT_CONNECT);
tor_addr_parse(&TO_CONN(&or_conn)->addr, "42.42.42.43");
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &TO_CONN(&or_conn)->addr,
NULL, 0);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL,
GEOIP_CLIENT_CONNECT);
{ /* Register many conns from this client but not enough to get it blocked */
unsigned int i;
for (i = 0; i < burst_conn - 1; i++) {
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
}
}
/* Register another conn and check that new conns are not allowed anymore.
* We should have reached our burst. */
+ or_conn.tracked_for_dos_mitigation = 0;
dos_new_client_conn(&or_conn, NULL);
tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ,
dos_conn_addr_get_defense_type(addr));
projects / thirdparty / tor.git / commitdiff
