Add client_ip_max_connections

Given some incentive after deep consideration of the slowloris claims.
While I still do not believe Squid is vulnerable per-se and some people
have tested and found no such failures as claimed for the DoS attack.

We found we could provide better administrative controls.  This is one such
that has been asked about many times and still did not exist. It operates
essentially the same as maxconn ACL, but does not require HTTP headers and
other request data to fully exist like ACLs do.

It is tested immediately after accept() and is request type agnostic, right
down to DNS TCP requests. So care is warranted in hierarchy situations or where
clients may be behind NAT.

Utilizes the client DB to monitor accepted TCP links. Operates prior to
everything so as to eliminate resource usage on the blocking case and
close the windows of opportunity for dribble-attacks etc.

Default (-1) is to keep the status-quo of no limits.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index c4bb1388600f23c94ae69d4ab0289165e37bf5f8..b0d072ec57238789ae701bd12864a5b772892613 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -5469,6 +5469,24 @@ accept_filter httpready
 accept_filter data
 DOC_END
 
+NAME: client_ip_max_connections
+TYPE: int
+LOC: Config.client_ip_max_connections
+DEFAULT: -1
+DOC_START
+       Set an absolute limit on the number of connections a single
+       client IP can use. Any more than this and Squid will begin to drop
+       new connections from the client until it closes some links.
+
+       Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
+       connections from the client. For finer control use the ACL access controls.
+
+       Requires client_db to be enabled (the default).
+
+       WARNING: This may noticably slow down traffic received via external proxies
+       or NAT devices and cause them to rebound error messages back to their clients.
+DOC_END
+
 NAME: tcp_recv_bufsize
 COMMENT: (bytes)
 TYPE: b_size_t

diff --git a/src/comm.cc b/src/comm.cc
index e6a9228e6fd52dd24f00015cba7180ee7ae82d1e..a21e8436f31a426295e6aed7100183038fcf4f2e 100644 (file)
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -48,6 +48,7 @@
 #include "icmp/net_db.h"
 #include "ip/IpAddress.h"
 #include "ip/IpIntercept.h"
+#include "protos.h"
 
 #if defined(_SQUID_CYGWIN_)
 #include <sys/ioctl.h>
@@ -1396,6 +1397,14 @@ comm_old_accept(int fd, ConnectionDetail &details)
 
     details.peer = *gai;
 
+    if ( Config.client_ip_max_connections >= 0) {
+        if (clientdbEstablished(details.peer, 0) > Config.client_ip_max_connections) {
+            debugs(50, DBG_IMPORTANT, "WARNING: " << details.peer << " attempting more than " << Config.client_ip_max_connections << " connections.");
+            details.me.FreeAddrInfo(gai);
+            return COMM_ERROR;
+        }
+    }
+
     details.me.InitAddrInfo(gai);
 
     details.me.SetEmpty();

diff --git a/src/structs.h b/src/structs.h
index 05d2d56f7c6d30a7296a0314578d90b6c3bac353..275bb64e227ef66e6fd76196e455daaf292becd2 100644 (file)
--- a/src/structs.h
+++ b/src/structs.h
@@ -618,6 +618,8 @@ struct SquidConfig {
 #if USE_LOADABLE_MODULES
     wordlist *loadable_module_names;
 #endif
+
+    int client_ip_max_connections;
 };
 
 SQUIDCEXTERN SquidConfig Config;