| blob | b789f87aaea39ffeeeaade49a9ff037596db2ca8 |
1 /* Copyright (c) 2018-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /*
5 * \file dos.c
6 * \brief Implement Denial of Service mitigation subsystem.
7 */
9 #define DOS_PRIVATE
32 /*
33 * Circuit creation denial of service mitigation.
34 *
35 * Namespace used for this mitigation framework is "dos_cc_" where "cc" is for
36 * Circuit Creation.
37 */
39 /* Is the circuit creation DoS mitigation enabled? */
42 /* Consensus parameters. They can be changed when a new consensus arrives.
43 * They are initialized with the hardcoded default values. */
50 /* Keep some stats for the heartbeat so we can report out. */
55 /*
56 * Concurrent connection denial of service mitigation.
57 *
58 * Namespace used for this mitigation framework is "dos_conn_".
59 */
61 /* Is the connection DoS mitigation enabled? */
64 /* Consensus parameters. They can be changed when a new consensus arrives.
65 * They are initialized with the hardcoded default values. */
71 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT;
73 /* Keep some stats for the heartbeat so we can report out. */
77 /** Consensus parameter: How many times a client IP is allowed to hit the
78 * circ_max_cell_queue_size_out limit before being marked. */
81 /*
82 * Stream denial of service mitigation.
83 *
84 * Namespace used for this mitigation framework is "dos_stream_".
85 */
87 /* Is the connection DoS mitigation enabled? */
90 /* Consensus parameters. They can be changed when a new consensus arrives.
91 * They are initialized with the hardcoded default values. */
96 /* Keep some stats for the heartbeat so we can report out. */
99 /*
100 * General interface of the denial of service mitigation subsystem.
101 */
103 /* Keep stats for the heartbeat. */
106 /** Return the consensus parameter for the outbound circ_max_cell_queue_size
107 * limit. */
108 static uint32_t
110 {
111 #define DOS_NUM_CIRC_MAX_OUTQ_DEFAULT 3
112 #define DOS_NUM_CIRC_MAX_OUTQ_MIN 0
113 #define DOS_NUM_CIRC_MAX_OUTQ_MAX INT32_MAX
115 /* Update the circuit max cell queue size from the consensus. */
117 DOS_NUM_CIRC_MAX_OUTQ_DEFAULT,
118 DOS_NUM_CIRC_MAX_OUTQ_MIN,
119 DOS_NUM_CIRC_MAX_OUTQ_MAX);
120 }
122 /* Return true iff the circuit creation mitigation is enabled. We look at the
123 * consensus for this else a default value is returned. */
126 {
129 }
133 }
135 /* Return the parameter for the minimum concurrent connection at which we'll
136 * start counting circuit for a specific client address. */
137 STATIC uint32_t
139 {
142 }
144 DOS_CC_MIN_CONCURRENT_CONN_DEFAULT,
146 }
148 /* Return the parameter for the time rate that is how many circuits over this
149 * time span. */
150 static uint32_t
152 {
153 /* This is in seconds. */
156 }
158 DOS_CC_CIRCUIT_RATE_DEFAULT,
160 }
162 /* Return the parameter for the maximum circuit count for the circuit time
163 * rate. */
164 STATIC uint32_t
166 {
169 }
171 DOS_CC_CIRCUIT_BURST_DEFAULT,
173 }
175 /* Return the consensus parameter of the circuit creation defense type. */
176 static uint32_t
178 {
181 }
183 DOS_CC_DEFENSE_TYPE_DEFAULT,
185 }
187 /* Return the consensus parameter of the defense time period which is how much
188 * time should we defend against a malicious client address. */
189 static int32_t
191 {
192 /* Time in seconds. */
195 }
197 DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT,
199 }
201 /* Return true iff connection mitigation is enabled. We look at the consensus
202 * for this else a default value is returned. */
205 {
208 }
211 }
213 /* Return the consensus parameter for the maximum concurrent connection
214 * allowed. */
215 STATIC uint32_t
217 {
220 }
222 DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT,
224 }
226 /* Return the consensus parameter of the connection defense type. */
227 static uint32_t
229 {
232 }
234 DOS_CONN_DEFENSE_TYPE_DEFAULT,
236 }
238 /* Return the connection connect rate parameters either from the configuration
239 * file or, if not found, consensus parameter. */
240 static uint32_t
242 {
245 }
247 DOS_CONN_CONNECT_RATE_DEFAULT,
249 }
251 /* Return the connection connect burst parameters either from the
252 * configuration file or, if not found, consensus parameter. */
253 STATIC uint32_t
255 {
258 }
260 DOS_CONN_CONNECT_BURST_DEFAULT,
262 }
264 /* Return the connection connect defense time period from the configuration
265 * file or, if not found, the consensus parameter. */
266 static int32_t
268 {
269 /* Time in seconds. */
272 }
274 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT,
275 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_MIN,
276 INT32_MAX);
277 }
279 /* Return true iff the stream creation mitigation is enabled. We look at the
280 * consensus for this else a default value is returned. */
283 {
286 }
290 }
292 /* Return the parameter for the time rate that is how many stream per circuit
293 * over this time span. */
294 static uint32_t
296 {
297 /* This is in seconds. */
300 }
302 DOS_STREAM_RATE_DEFAULT,
304 }
306 /* Return the parameter for the maximum circuit count for the circuit time
307 * rate. */
308 static uint32_t
310 {
313 }
315 DOS_STREAM_BURST_DEFAULT,
317 }
319 /* Return the consensus parameter of the circuit creation defense type. */
320 static uint32_t
322 {
325 }
327 DOS_STREAM_DEFENSE_TYPE_DEFAULT,
328 DOS_STREAM_DEFENSE_NONE,
329 DOS_STREAM_DEFENSE_MAX);
330 }
332 /* Set circuit creation parameters located in the consensus or their default
333 * if none are present. Called at initialization or when the consensus
334 * changes. */
335 static void
337 {
338 /* Get the default consensus param values. */
346 /* Connection detection. */
352 dos_conn_connect_defense_time_period =
355 /* Circuit. */
358 /* Stream. */
363 }
365 /* Free everything for the circuit creation DoS mitigation subsystem. */
366 static void
368 {
369 /* If everything is freed, the circuit creation subsystem is not enabled. */
371 }
373 /* Called when the consensus has changed. Do appropriate actions for the
374 * circuit creation subsystem. */
375 static void
377 {
378 /* Looking at the consensus, is the circuit creation subsystem enabled? If
379 * not and it was enabled before, clean it up. */
382 }
383 }
385 /** Return the number of circuits we allow per second under the current
386 * configuration. */
387 STATIC uint64_t
389 {
391 }
393 /* Given the circuit creation client statistics object, refill the circuit
394 * bucket if needed. This also works if the bucket was never filled in the
395 * first place. The addr is only used for logging purposes. */
396 STATIC void
398 {
410 /* If less than a second has elapsed, don't add any tokens.
411 * Note: If a relay's clock is ever 0, any new clients won't get a refill
412 * until the next second. But a relay that thinks it is 1970 will never
413 * validate the public consensus. */
416 }
418 /* At this point, we know we might need to add token to the bucket. We'll
419 * first get the circuit rate that is how many circuit are we allowed to do
420 * per second. */
423 /* We've never filled the bucket so fill it with the maximum being the burst
424 * and we are done.
425 * Note: If a relay's clock is ever 0, all clients that were last refilled
426 * in that zero second will get a full refill here. */
430 }
432 /* Our clock jumped backward so fill it up to the maximum. Not filling it
433 * could trigger a detection for a valid client. Also, if the clock jumped
434 * negative but we didn't notice until the elapsed time became positive
435 * again, then we potentially spent many seconds not refilling the bucket
436 * when we should have been refilling it. But the fact that we didn't notice
437 * until now means that no circuit creation requests came in during that
438 * time, so the client doesn't end up punished that much from this hopefully
439 * rare situation.*/
441 /* Use the maximum allowed value of token. */
444 }
446 /* How many seconds have elapsed between now and the last refill?
447 * This subtraction can't underflow, because now >= last_refill_ts.
448 * And it can't overflow, because INT64_MAX - (-INT64_MIN) == UINT64_MAX. */
451 /* If the elapsed time is very large, it means our clock jumped forward.
452 * If the multiplication would overflow, use the maximum allowed value. */
456 }
458 /* Compute how many circuits we are allowed in that time frame which we'll
459 * add to the bucket. This can't overflow, because both multiplicands
460 * are less than or equal to UINT32_MAX, and num_token is uint64_t. */
463 end:
464 /* If the sum would overflow, use the maximum allowed value. */
468 /* We cap the bucket to the burst value else this could overflow uint32_t
469 * over time. */
471 dos_cc_circuit_burst);
472 }
474 /* This function is not allowed to make the bucket count larger than the
475 * burst value */
477 /* This function is not allowed to make the bucket count smaller, unless it
478 * is decreasing it to a newly configured, lower burst value. We allow the
479 * bucket to stay the same size, in case the circuit rate is zero. */
492 done:
494 }
496 /* Return true iff the circuit bucket is down to 0 and the number of
497 * concurrent connections is greater or equal the minimum threshold set the
498 * consensus parameter. */
499 static int
501 {
505 }
507 /* Mark client address by setting a timestamp in the stats object which tells
508 * us until when it is marked as positively detected. */
509 static void
511 {
513 /* We add a random offset of a maximum of half the defense time so it is
514 * less predictable. */
518 }
520 /* Return true iff the given channel address is marked as malicious. This is
521 * called a lot and part of the fast path of handling cells. It has to remain
522 * as fast as we can. */
523 static int
525 {
527 tor_addr_t addr;
533 }
534 /* Must be a client connection else we ignore. */
537 }
538 /* Without an IP address, nothing can work. */
541 }
543 /* We are only interested in client connection from the geoip cache. */
546 /* We can have a connection creating circuits but not tracked by the geoip
547 * cache. Once this DoS subsystem is enabled, we can end up here with no
548 * entry for the channel. */
550 }
554 end:
556 }
558 /* Concurrent connection private API. */
560 /* Mark client connection stats by setting a timestamp which tells us until
561 * when it is marked as positively detected. */
562 static void
564 {
567 /* We add a random offset of a maximum of half the defense time so it is
568 * less predictable and thus more difficult to game. */
572 }
574 /* Free everything for the connection DoS mitigation subsystem. */
575 static void
577 {
579 }
581 /* Called when the consensus has changed. Do appropriate actions for the
582 * connection mitigation subsystem. */
583 static void
585 {
586 /* Looking at the consensus, is the connection mitigation subsystem enabled?
587 * If not and it was enabled before, clean it up. */
590 }
591 }
593 /** Called when a new client connection has arrived. The following will update
594 * the client connection statistics.
595 *
596 * The addr is used for logging purposes only.
597 *
598 * If the connect counter reaches its limit, it is marked. */
599 static void
601 {
605 /* Update concurrent count for this new connect. */
608 /* Refill connect connection count. */
612 /* Decrement counter for this new connection. */
615 }
617 /* Assess connect counter. Mark it if counter is down to 0 and we haven't
618 * marked it before or it was reset. This is to avoid to re-mark it over and
619 * over again extending continuously the blocked time. */
623 }
629 }
631 /** Called when a client connection is closed. The following will update
632 * the client connection statistics.
633 *
634 * The addr is used for logging purposes only. */
635 static void
637 {
638 /* Extra super duper safety. Going below 0 means an underflow which could
639 * lead to most likely a false positive. In theory, this should never happen
640 * but let's be extra safe. */
643 }
649 }
651 /* General private API */
653 /* Return true iff we have at least one DoS detection enabled. This is used to
654 * decide if we need to allocate any kind of high level DoS object. */
657 {
659 }
661 /* Circuit creation public API. */
663 /** Return the number of rejected circuits. */
664 uint64_t
666 {
668 }
670 /** Return the number of marked addresses. */
671 uint32_t
673 {
675 }
677 /** Return the number of marked addresses due to max queue limit reached. */
678 uint32_t
680 {
682 }
684 /** Return number of concurrent connections rejected. */
685 uint64_t
687 {
689 }
691 /** Return the number of connection rejected. */
692 uint64_t
694 {
696 }
698 /** Return the number of single hop refused. */
699 uint64_t
701 {
703 }
705 /* Called when a CREATE cell is received from the given channel. */
706 void
708 {
709 tor_addr_t addr;
714 /* Skip everything if not enabled. */
717 }
719 /* Must be a client connection else we ignore. */
722 }
723 /* Without an IP address, nothing can work. */
726 }
728 /* We are only interested in client connection from the geoip cache. */
731 /* We can have a connection creating circuits but not tracked by the geoip
732 * cache. Once this DoS subsystem is enabled, we can end up here with no
733 * entry for the channel. */
735 }
737 /* General comment. Even though the client can already be marked as
738 * malicious, we continue to track statistics. If it keeps going above
739 * threshold while marked, the defense period time will grow longer. There
740 * is really no point at unmarking a client that keeps DoSing us. */
742 /* First of all, we'll try to refill the circuit bucket opportunistically
743 * before we assess. */
746 /* Take a token out of the circuit bucket if we are above 0 so we don't
747 * underflow the bucket. */
750 }
752 /* This is the detection. Assess at every CREATE cell if the client should
753 * get marked as malicious. This should be kept as fast as possible. */
755 /* If this is the first time we mark this entry, log it.
756 * Under heavy DDoS, logging each time we mark would results in lots and
757 * lots of logs. */
761 cc_num_marked_addrs++;
762 }
764 }
766 end:
768 }
770 /* Return the defense type that should be used for this circuit.
771 *
772 * This is part of the fast path and called a lot. */
773 dos_cc_defense_type_t
775 {
778 /* Skip everything if not enabled. */
781 }
783 /* On an OR circuit, we'll check if the previous channel is a marked client
784 * connection detected by our DoS circuit creation mitigation subsystem. */
786 /* We've just assess that this circuit should trigger a defense for the
787 * cell it just seen. Note it down. */
788 cc_num_rejected_cells++;
790 }
792 end:
794 }
796 /* Concurrent connection detection public API. */
798 /* Return true iff the given address is permitted to open another connection.
799 * A defense value is returned for the caller to take appropriate actions. */
800 dos_conn_defense_type_t
802 {
807 /* Skip everything if not enabled. */
810 }
812 /* We are only interested in client connection from the geoip cache. */
816 }
818 /* Is this address marked as making too many client connections? */
820 conn_num_addr_connect_rejected++;
822 }
823 /* Reset it to 0 here so that if the marked timestamp has expired that is
824 * we've gone beyond it, we have to reset it so the detection can mark it
825 * again in the future. */
828 /* Need to be above the maximum concurrent connection count to trigger a
829 * defense. */
831 dos_conn_max_concurrent_count) {
832 conn_num_addr_rejected++;
834 }
836 end:
838 }
840 /* Stream creation public API. */
842 /** Return the number of rejected stream and resolve. */
843 uint64_t
845 {
847 }
849 /* Return the action to take against a BEGIN or RESOLVE cell. Return
850 * DOS_STREAM_DEFENSE_NONE when no action should be taken.
851 * Increment the appropriate counter when the cell was found to go over a
852 * limit. */
853 dos_stream_defense_type_t
855 {
865 }
866 /* if defense type is DOS_STREAM_DEFENSE_NONE but DoSStreamEnabled is true,
867 * we count offending cells as rejected, despite them being actually
868 * accepted. */
871 }
873 /* Initialize the token bucket for stream rate limit on a circuit. */
874 void
876 {
878 dos_stream_burst,
880 }
882 /* General API */
884 /* Take any appropriate actions for the given geoip entry that is about to get
885 * freed. This is called for every entry that is being freed.
886 *
887 * This function will clear out the connection tracked flag if the concurrent
888 * count of the entry is above 0 so if those connections end up being seen by
889 * this subsystem, we won't try to decrement the counter for a new geoip entry
890 * that might have been added after this call for the same address. */
891 void
893 {
896 /* The count is down to 0 meaning no connections right now, we can safely
897 * clear the geoip entry from the cache. */
900 }
902 /* For each connection matching the geoip entry address, we'll clear the
903 * tracked flag because the entry is about to get removed from the geoip
904 * cache. We do not try to decrement if the flag is not set. */
909 CMP_EXACT)) {
911 }
912 }
915 end:
917 }
919 /** A new geoip client entry has been allocated, initialize its DoS object. */
920 void
922 {
925 /* Initialize the connection count counter with the rate and burst
926 * parameters taken either from configuration or consensus.
927 *
928 * We do this even if the DoS connection detection is not enabled because it
929 * can be enabled at runtime and these counters need to be valid. */
933 }
935 /** Note that the given channel has sent outbound the maximum amount of cell
936 * allowed on the next channel. */
937 void
939 {
940 tor_addr_t addr;
945 /* Skip everything if circuit creation defense is disabled. */
948 }
950 /* Must be a client connection else we ignore. */
953 }
954 /* Without an IP address, nothing can work. */
957 }
959 /* We are only interested in client connection from the geoip cache. */
963 }
965 /* Is the client marked? If yes, just ignore. */
968 }
970 /* If max outq parameter is 0, it means disabled, just ignore. */
973 }
977 /* This is the detection. If we have reached the maximum amount of times a
978 * client IP is allowed to reach this limit, mark client. */
980 dos_num_circ_max_outq) {
981 /* Only account for this marked address if this is the first time we block
982 * it else our counter is inflated with non unique entries. */
984 cc_num_marked_addrs_max_queue++;
985 }
990 /* Reset after being marked so once unmarked, we start back clean. */
992 }
994 end:
996 }
998 /* Note down that we've just refused a single hop client. This increments a
999 * counter later used for the heartbeat. */
1000 void
1002 {
1003 num_single_hop_client_refused++;
1004 }
1006 /* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should
1007 * be refused. */
1008 int
1010 {
1011 /* If we aren't a public relay, this shouldn't apply to anything. */
1014 }
1018 }
1023 }
1025 /* Log a heartbeat message with some statistics. */
1026 void
1028 {
1031 /* Stats number coming from relay.c append_cell_to_circuit_queue(). */
1034 stats_n_circ_max_cell_reached);
1042 cc_num_marked_addrs_max_queue);
1045 }
1053 conn_num_addr_connect_rejected);
1056 }
1061 num_single_hop_client_refused);
1065 }
1070 stream_num_rejected);
1073 }
1075 /* HS DoS stats. */
1088 }
1090 /* Called when a new client connection has been established on the given
1091 * address. */
1092 void
1094 {
1100 /* Past that point, we know we have at least one DoS detection subsystem
1101 * enabled so we'll start allocating stuff. */
1104 }
1106 /* We are only interested in client connection from the geoip cache. */
1108 GEOIP_CLIENT_CONNECT);
1110 /* Should never happen because we note down the address in the geoip
1111 * cache before this is called. */
1113 }
1115 /* Update stats from this new connect. */
1121 end:
1123 }
1125 /* Called when a client connection for the given IP address has been closed. */
1126 void
1128 {
1133 /* We have to decrement the count on tracked connection only even if the
1134 * subsystem has been disabled at runtime because it might be re-enabled
1135 * after and we need to keep a synchronized counter at all time. */
1138 }
1140 /* We are only interested in client connection from the geoip cache. */
1142 GEOIP_CLIENT_CONNECT);
1144 /* This can happen because we can close a connection before the channel
1145 * got to be noted down in the geoip cache. */
1147 }
1149 /* Update stats from this new close. */
1152 end:
1154 }
1156 /* Called when the consensus has changed. We might have new consensus
1157 * parameters to look at. */
1158 void
1160 {
1161 /* There are two ways to configure this subsystem, one at startup through
1162 * dos_init() which is called when the options are parsed. And this one
1163 * through the consensus. We don't want to enable any DoS mitigation if we
1164 * aren't a public relay. */
1167 }
1172 /* We were already enabled or we just became enabled but either way, set the
1173 * consensus parameters for all subsystems. */
1175 }
1177 /* Return true iff the DoS mitigation subsystem is enabled. */
1178 int
1180 {
1182 }
1184 /* Free everything from the Denial of Service subsystem. */
1185 void
1187 {
1188 /* Free the circuit creation mitigation subsystem. It is safe to do this
1189 * even if it wasn't initialized. */
1192 /* Free the connection mitigation subsystem. It is safe to do this even if
1193 * it wasn't initialized. */
1195 }
1197 /* Initialize the Denial of Service subsystem. */
1198 void
1200 {
1201 /* To initialize, we only need to get the parameters. */
1203 }