| blob | b00863c118232cff9e79fb4e6bde89087a1acfa1 |
1 /* Copyright (c) 2018-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /*
5 * \file dos.c
6 * \brief Implement Denial of Service mitigation subsystem.
7 */
9 #define DOS_PRIVATE
31 /*
32 * Circuit creation denial of service mitigation.
33 *
34 * Namespace used for this mitigation framework is "dos_cc_" where "cc" is for
35 * Circuit Creation.
36 */
38 /* Is the circuit creation DoS mitigation enabled? */
41 /* Consensus parameters. They can be changed when a new consensus arrives.
42 * They are initialized with the hardcoded default values. */
49 /* Keep some stats for the heartbeat so we can report out. */
53 /*
54 * Concurrent connection denial of service mitigation.
55 *
56 * Namespace used for this mitigation framework is "dos_conn_".
57 */
59 /* Is the connection DoS mitigation enabled? */
62 /* Consensus parameters. They can be changed when a new consensus arrives.
63 * They are initialized with the hardcoded default values. */
69 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT;
71 /* Keep some stats for the heartbeat so we can report out. */
75 /*
76 * General interface of the denial of service mitigation subsystem.
77 */
79 /* Keep stats for the heartbeat. */
82 /* Return true iff the circuit creation mitigation is enabled. We look at the
83 * consensus for this else a default value is returned. */
86 {
89 }
93 }
95 /* Return the parameter for the minimum concurrent connection at which we'll
96 * start counting circuit for a specific client address. */
97 STATIC uint32_t
99 {
102 }
104 DOS_CC_MIN_CONCURRENT_CONN_DEFAULT,
106 }
108 /* Return the parameter for the time rate that is how many circuits over this
109 * time span. */
110 static uint32_t
112 {
113 /* This is in seconds. */
116 }
118 DOS_CC_CIRCUIT_RATE_DEFAULT,
120 }
122 /* Return the parameter for the maximum circuit count for the circuit time
123 * rate. */
124 STATIC uint32_t
126 {
129 }
131 DOS_CC_CIRCUIT_BURST_DEFAULT,
133 }
135 /* Return the consensus parameter of the circuit creation defense type. */
136 static uint32_t
138 {
141 }
143 DOS_CC_DEFENSE_TYPE_DEFAULT,
145 }
147 /* Return the consensus parameter of the defense time period which is how much
148 * time should we defend against a malicious client address. */
149 static int32_t
151 {
152 /* Time in seconds. */
155 }
157 DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT,
159 }
161 /* Return true iff connection mitigation is enabled. We look at the consensus
162 * for this else a default value is returned. */
165 {
168 }
171 }
173 /* Return the consensus parameter for the maximum concurrent connection
174 * allowed. */
175 STATIC uint32_t
177 {
180 }
182 DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT,
184 }
186 /* Return the consensus parameter of the connection defense type. */
187 static uint32_t
189 {
192 }
194 DOS_CONN_DEFENSE_TYPE_DEFAULT,
196 }
198 /* Return the connection connect rate parameters either from the configuration
199 * file or, if not found, consensus parameter. */
200 static uint32_t
202 {
205 }
207 DOS_CONN_CONNECT_RATE_DEFAULT,
209 }
211 /* Return the connection connect burst parameters either from the
212 * configuration file or, if not found, consensus parameter. */
213 STATIC uint32_t
215 {
218 }
220 DOS_CONN_CONNECT_BURST_DEFAULT,
222 }
224 /* Return the connection connect defense time period from the configuration
225 * file or, if not found, the consensus parameter. */
226 static int32_t
228 {
229 /* Time in seconds. */
232 }
234 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT,
235 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_MIN,
236 INT32_MAX);
237 }
239 /* Set circuit creation parameters located in the consensus or their default
240 * if none are present. Called at initialization or when the consensus
241 * changes. */
242 static void
244 {
245 /* Get the default consensus param values. */
253 /* Connection detection. */
259 dos_conn_connect_defense_time_period =
261 }
263 /* Free everything for the circuit creation DoS mitigation subsystem. */
264 static void
266 {
267 /* If everything is freed, the circuit creation subsystem is not enabled. */
269 }
271 /* Called when the consensus has changed. Do appropriate actions for the
272 * circuit creation subsystem. */
273 static void
275 {
276 /* Looking at the consensus, is the circuit creation subsystem enabled? If
277 * not and it was enabled before, clean it up. */
280 }
281 }
283 /** Return the number of circuits we allow per second under the current
284 * configuration. */
285 STATIC uint64_t
287 {
289 }
291 /* Given the circuit creation client statistics object, refill the circuit
292 * bucket if needed. This also works if the bucket was never filled in the
293 * first place. The addr is only used for logging purposes. */
294 STATIC void
296 {
308 /* If less than a second has elapsed, don't add any tokens.
309 * Note: If a relay's clock is ever 0, any new clients won't get a refill
310 * until the next second. But a relay that thinks it is 1970 will never
311 * validate the public consensus. */
314 }
316 /* At this point, we know we might need to add token to the bucket. We'll
317 * first get the circuit rate that is how many circuit are we allowed to do
318 * per second. */
321 /* We've never filled the bucket so fill it with the maximum being the burst
322 * and we are done.
323 * Note: If a relay's clock is ever 0, all clients that were last refilled
324 * in that zero second will get a full refill here. */
328 }
330 /* Our clock jumped backward so fill it up to the maximum. Not filling it
331 * could trigger a detection for a valid client. Also, if the clock jumped
332 * negative but we didn't notice until the elapsed time became positive
333 * again, then we potentially spent many seconds not refilling the bucket
334 * when we should have been refilling it. But the fact that we didn't notice
335 * until now means that no circuit creation requests came in during that
336 * time, so the client doesn't end up punished that much from this hopefully
337 * rare situation.*/
339 /* Use the maximum allowed value of token. */
342 }
344 /* How many seconds have elapsed between now and the last refill?
345 * This subtraction can't underflow, because now >= last_refill_ts.
346 * And it can't overflow, because INT64_MAX - (-INT64_MIN) == UINT64_MAX. */
349 /* If the elapsed time is very large, it means our clock jumped forward.
350 * If the multiplication would overflow, use the maximum allowed value. */
354 }
356 /* Compute how many circuits we are allowed in that time frame which we'll
357 * add to the bucket. This can't overflow, because both multiplicands
358 * are less than or equal to UINT32_MAX, and num_token is uint64_t. */
361 end:
362 /* If the sum would overflow, use the maximum allowed value. */
366 /* We cap the bucket to the burst value else this could overflow uint32_t
367 * over time. */
369 dos_cc_circuit_burst);
370 }
372 /* This function is not allowed to make the bucket count larger than the
373 * burst value */
375 /* This function is not allowed to make the bucket count smaller, unless it
376 * is decreasing it to a newly configured, lower burst value. We allow the
377 * bucket to stay the same size, in case the circuit rate is zero. */
390 done:
392 }
394 /* Return true iff the circuit bucket is down to 0 and the number of
395 * concurrent connections is greater or equal the minimum threshold set the
396 * consensus parameter. */
397 static int
399 {
403 }
405 /* Mark client address by setting a timestamp in the stats object which tells
406 * us until when it is marked as positively detected. */
407 static void
409 {
411 /* We add a random offset of a maximum of half the defense time so it is
412 * less predictable. */
416 }
418 /* Return true iff the given channel address is marked as malicious. This is
419 * called a lot and part of the fast path of handling cells. It has to remain
420 * as fast as we can. */
421 static int
423 {
425 tor_addr_t addr;
431 }
432 /* Must be a client connection else we ignore. */
435 }
436 /* Without an IP address, nothing can work. */
439 }
441 /* We are only interested in client connection from the geoip cache. */
444 /* We can have a connection creating circuits but not tracked by the geoip
445 * cache. Once this DoS subsystem is enabled, we can end up here with no
446 * entry for the channel. */
448 }
452 end:
454 }
456 /* Concurrent connection private API. */
458 /* Mark client connection stats by setting a timestamp which tells us until
459 * when it is marked as positively detected. */
460 static void
462 {
465 /* We add a random offset of a maximum of half the defense time so it is
466 * less predictable and thus more difficult to game. */
470 }
472 /* Free everything for the connection DoS mitigation subsystem. */
473 static void
475 {
477 }
479 /* Called when the consensus has changed. Do appropriate actions for the
480 * connection mitigation subsystem. */
481 static void
483 {
484 /* Looking at the consensus, is the connection mitigation subsystem enabled?
485 * If not and it was enabled before, clean it up. */
488 }
489 }
491 /** Called when a new client connection has arrived. The following will update
492 * the client connection statistics.
493 *
494 * The addr is used for logging purposes only.
495 *
496 * If the connect counter reaches its limit, it is marked. */
497 static void
499 {
503 /* Update concurrent count for this new connect. */
506 /* Refill connect connection count. */
509 /* Decrement counter for this new connection. */
512 }
514 /* Assess connect counter. Mark it if counter is down to 0 and we haven't
515 * marked it before or it was reset. This is to avoid to re-mark it over and
516 * over again extending continously the blocked time. */
520 }
526 }
528 /** Called when a client connection is closed. The following will update
529 * the client connection statistics.
530 *
531 * The addr is used for logging purposes only. */
532 static void
534 {
535 /* Extra super duper safety. Going below 0 means an underflow which could
536 * lead to most likely a false positive. In theory, this should never happen
537 * but lets be extra safe. */
540 }
546 }
548 /* General private API */
550 /* Return true iff we have at least one DoS detection enabled. This is used to
551 * decide if we need to allocate any kind of high level DoS object. */
554 {
556 }
558 /* Circuit creation public API. */
560 /* Called when a CREATE cell is received from the given channel. */
561 void
563 {
564 tor_addr_t addr;
569 /* Skip everything if not enabled. */
572 }
574 /* Must be a client connection else we ignore. */
577 }
578 /* Without an IP address, nothing can work. */
581 }
583 /* We are only interested in client connection from the geoip cache. */
586 /* We can have a connection creating circuits but not tracked by the geoip
587 * cache. Once this DoS subsystem is enabled, we can end up here with no
588 * entry for the channel. */
590 }
592 /* General comment. Even though the client can already be marked as
593 * malicious, we continue to track statistics. If it keeps going above
594 * threshold while marked, the defense period time will grow longer. There
595 * is really no point at unmarking a client that keeps DoSing us. */
597 /* First of all, we'll try to refill the circuit bucket opportunistically
598 * before we assess. */
601 /* Take a token out of the circuit bucket if we are above 0 so we don't
602 * underflow the bucket. */
605 }
607 /* This is the detection. Assess at every CREATE cell if the client should
608 * get marked as malicious. This should be kept as fast as possible. */
610 /* If this is the first time we mark this entry, log it a info level.
611 * Under heavy DDoS, logging each time we mark would results in lots and
612 * lots of logs. */
616 cc_num_marked_addrs++;
617 }
619 }
621 end:
623 }
625 /* Return the defense type that should be used for this circuit.
626 *
627 * This is part of the fast path and called a lot. */
628 dos_cc_defense_type_t
630 {
633 /* Skip everything if not enabled. */
636 }
638 /* On an OR circuit, we'll check if the previous channel is a marked client
639 * connection detected by our DoS circuit creation mitigation subsystem. */
641 /* We've just assess that this circuit should trigger a defense for the
642 * cell it just seen. Note it down. */
643 cc_num_rejected_cells++;
645 }
647 end:
649 }
651 /* Concurrent connection detection public API. */
653 /* Return true iff the given address is permitted to open another connection.
654 * A defense value is returned for the caller to take appropriate actions. */
655 dos_conn_defense_type_t
657 {
662 /* Skip everything if not enabled. */
665 }
667 /* We are only interested in client connection from the geoip cache. */
671 }
673 /* Is this address marked as making too many client connections? */
675 conn_num_addr_connect_rejected++;
677 }
678 /* Reset it to 0 here so that if the marked timestamp has expired that is
679 * we've gone beyond it, we have to reset it so the detection can mark it
680 * again in the future. */
683 /* Need to be above the maximum concurrent connection count to trigger a
684 * defense. */
686 dos_conn_max_concurrent_count) {
687 conn_num_addr_rejected++;
689 }
691 end:
693 }
695 /* General API */
697 /* Take any appropriate actions for the given geoip entry that is about to get
698 * freed. This is called for every entry that is being freed.
699 *
700 * This function will clear out the connection tracked flag if the concurrent
701 * count of the entry is above 0 so if those connections end up being seen by
702 * this subsystem, we won't try to decrement the counter for a new geoip entry
703 * that might have been added after this call for the same address. */
704 void
706 {
709 /* The count is down to 0 meaning no connections right now, we can safely
710 * clear the geoip entry from the cache. */
713 }
715 /* For each connection matching the geoip entry address, we'll clear the
716 * tracked flag because the entry is about to get removed from the geoip
717 * cache. We do not try to decrement if the flag is not set. */
722 CMP_EXACT)) {
724 }
725 }
728 end:
730 }
732 /** A new geoip client entry has been allocated, initialize its DoS object. */
733 void
735 {
738 /* Initialize the connection count counter with the rate and burst
739 * parameters taken either from configuration or consensus.
740 *
741 * We do this even if the DoS connection detection is not enabled because it
742 * can be enabled at runtime and these counters need to be valid. */
746 }
748 /* Note down that we've just refused a single hop client. This increments a
749 * counter later used for the heartbeat. */
750 void
752 {
753 num_single_hop_client_refused++;
754 }
756 /* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should
757 * be refused. */
758 int
760 {
761 /* If we aren't a public relay, this shouldn't apply to anything. */
764 }
768 }
773 }
775 /* Log a heartbeat message with some statistics. */
776 void
778 {
781 /* Stats number coming from relay.c append_cell_to_circuit_queue(). */
784 stats_n_circ_max_cell_reached);
793 }
801 conn_num_addr_connect_rejected);
804 }
809 num_single_hop_client_refused);
813 }
815 /* HS DoS stats. */
827 }
829 /* Called when a new client connection has been established on the given
830 * address. */
831 void
833 {
838 /* Past that point, we know we have at least one DoS detection subsystem
839 * enabled so we'll start allocating stuff. */
842 }
844 /* We ignore any known address meaning an address of a known relay. The
845 * reason to do so is because network reentry is possible where a client
846 * connection comes from an Exit node. Even when we'll fix reentry, this is
847 * a robust defense to keep in place. */
850 }
852 /* We are only interested in client connection from the geoip cache. */
854 GEOIP_CLIENT_CONNECT);
856 /* Should never happen because we note down the address in the geoip
857 * cache before this is called. */
859 }
861 /* Update stats from this new connect. */
867 end:
869 }
871 /* Called when a client connection for the given IP address has been closed. */
872 void
874 {
879 /* We have to decrement the count on tracked connection only even if the
880 * subsystem has been disabled at runtime because it might be re-enabled
881 * after and we need to keep a synchronized counter at all time. */
884 }
886 /* We are only interested in client connection from the geoip cache. */
888 GEOIP_CLIENT_CONNECT);
890 /* This can happen because we can close a connection before the channel
891 * got to be noted down in the geoip cache. */
893 }
895 /* Update stats from this new close. */
898 end:
900 }
902 /* Called when the consensus has changed. We might have new consensus
903 * parameters to look at. */
904 void
906 {
907 /* There are two ways to configure this subsystem, one at startup through
908 * dos_init() which is called when the options are parsed. And this one
909 * through the consensus. We don't want to enable any DoS mitigation if we
910 * aren't a public relay. */
913 }
918 /* We were already enabled or we just became enabled but either way, set the
919 * consensus parameters for all subsystems. */
921 }
923 /* Return true iff the DoS mitigation subsystem is enabled. */
924 int
926 {
928 }
930 /* Free everything from the Denial of Service subsystem. */
931 void
933 {
934 /* Free the circuit creation mitigation subsystem. It is safe to do this
935 * even if it wasn't initialized. */
938 /* Free the connection mitigation subsystem. It is safe to do this even if
939 * it wasn't initialized. */
941 }
943 /* Initialize the Denial of Service subsystem. */
944 void
946 {
947 /* To initialize, we only need to get the parameters. */
949 }