| blob | 4303b8fd593c7ea24ec59ac1766ff6b0ac6291a4 |
1 /* Copyright (c) 2018-2018, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /*
5 * \file dos.c
6 * \brief Implement Denial of Service mitigation subsystem.
7 */
9 #define DOS_PRIVATE
28 /*
29 * Circuit creation denial of service mitigation.
30 *
31 * Namespace used for this mitigation framework is "dos_cc_" where "cc" is for
32 * Circuit Creation.
33 */
35 /* Is the circuit creation DoS mitigation enabled? */
38 /* Consensus parameters. They can be changed when a new consensus arrives.
39 * They are initialized with the hardcoded default values. */
46 /* Keep some stats for the heartbeat so we can report out. */
50 /*
51 * Concurrent connection denial of service mitigation.
52 *
53 * Namespace used for this mitigation framework is "dos_conn_".
54 */
56 /* Is the connection DoS mitigation enabled? */
59 /* Consensus parameters. They can be changed when a new consensus arrives.
60 * They are initialized with the hardcoded default values. */
64 /* Keep some stats for the heartbeat so we can report out. */
67 /*
68 * General interface of the denial of service mitigation subsystem.
69 */
71 /* Keep stats for the heartbeat. */
74 /* Return true iff the circuit creation mitigation is enabled. We look at the
75 * consensus for this else a default value is returned. */
78 {
81 }
85 }
87 /* Return the parameter for the minimum concurrent connection at which we'll
88 * start counting circuit for a specific client address. */
89 STATIC uint32_t
91 {
94 }
96 DOS_CC_MIN_CONCURRENT_CONN_DEFAULT,
98 }
100 /* Return the parameter for the time rate that is how many circuits over this
101 * time span. */
102 static uint32_t
104 {
105 /* This is in seconds. */
108 }
110 DOS_CC_CIRCUIT_RATE_DEFAULT,
112 }
114 /* Return the parameter for the maximum circuit count for the circuit time
115 * rate. */
116 STATIC uint32_t
118 {
121 }
123 DOS_CC_CIRCUIT_BURST_DEFAULT,
125 }
127 /* Return the consensus parameter of the circuit creation defense type. */
128 static uint32_t
130 {
133 }
135 DOS_CC_DEFENSE_TYPE_DEFAULT,
137 }
139 /* Return the consensus parameter of the defense time period which is how much
140 * time should we defend against a malicious client address. */
141 static int32_t
143 {
144 /* Time in seconds. */
147 }
149 DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT,
151 }
153 /* Return true iff connection mitigation is enabled. We look at the consensus
154 * for this else a default value is returned. */
157 {
160 }
163 }
165 /* Return the consensus parameter for the maximum concurrent connection
166 * allowed. */
167 STATIC uint32_t
169 {
172 }
174 DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT,
176 }
178 /* Return the consensus parameter of the connection defense type. */
179 static uint32_t
181 {
184 }
186 DOS_CONN_DEFENSE_TYPE_DEFAULT,
188 }
190 /* Set circuit creation parameters located in the consensus or their default
191 * if none are present. Called at initialization or when the consensus
192 * changes. */
193 static void
195 {
196 /* Get the default consensus param values. */
204 /* Connection detection. */
208 }
210 /* Free everything for the circuit creation DoS mitigation subsystem. */
211 static void
213 {
214 /* If everything is freed, the circuit creation subsystem is not enabled. */
216 }
218 /* Called when the consensus has changed. Do appropriate actions for the
219 * circuit creation subsystem. */
220 static void
222 {
223 /* Looking at the consensus, is the circuit creation subsystem enabled? If
224 * not and it was enabled before, clean it up. */
227 }
228 }
230 /** Return the number of circuits we allow per second under the current
231 * configuration. */
232 STATIC uint64_t
234 {
236 }
238 /* Given the circuit creation client statistics object, refill the circuit
239 * bucket if needed. This also works if the bucket was never filled in the
240 * first place. The addr is only used for logging purposes. */
241 STATIC void
243 {
255 /* If less than a second has elapsed, don't add any tokens.
256 * Note: If a relay's clock is ever 0, any new clients won't get a refill
257 * until the next second. But a relay that thinks it is 1970 will never
258 * validate the public consensus. */
261 }
263 /* At this point, we know we might need to add token to the bucket. We'll
264 * first get the circuit rate that is how many circuit are we allowed to do
265 * per second. */
268 /* We've never filled the bucket so fill it with the maximum being the burst
269 * and we are done.
270 * Note: If a relay's clock is ever 0, all clients that were last refilled
271 * in that zero second will get a full refill here. */
275 }
277 /* Our clock jumped backward so fill it up to the maximum. Not filling it
278 * could trigger a detection for a valid client. Also, if the clock jumped
279 * negative but we didn't notice until the elapsed time became positive
280 * again, then we potentially spent many seconds not refilling the bucket
281 * when we should have been refilling it. But the fact that we didn't notice
282 * until now means that no circuit creation requests came in during that
283 * time, so the client doesn't end up punished that much from this hopefully
284 * rare situation.*/
286 /* Use the maximum allowed value of token. */
289 }
291 /* How many seconds have elapsed between now and the last refill?
292 * This subtraction can't underflow, because now >= last_refill_ts.
293 * And it can't overflow, because INT64_MAX - (-INT64_MIN) == UINT64_MAX. */
296 /* If the elapsed time is very large, it means our clock jumped forward.
297 * If the multiplication would overflow, use the maximum allowed value. */
301 }
303 /* Compute how many circuits we are allowed in that time frame which we'll
304 * add to the bucket. This can't overflow, because both multiplicands
305 * are less than or equal to UINT32_MAX, and num_token is uint64_t. */
308 end:
309 /* If the sum would overflow, use the maximum allowed value. */
313 /* We cap the bucket to the burst value else this could overflow uint32_t
314 * over time. */
316 dos_cc_circuit_burst);
317 }
319 /* This function is not allowed to make the bucket count larger than the
320 * burst value */
322 /* This function is not allowed to make the bucket count smaller, unless it
323 * is decreasing it to a newly configured, lower burst value. We allow the
324 * bucket to stay the same size, in case the circuit rate is zero. */
337 done:
339 }
341 /* Return true iff the circuit bucket is down to 0 and the number of
342 * concurrent connections is greater or equal the minimum threshold set the
343 * consensus parameter. */
344 static int
346 {
350 }
352 /* Mark client address by setting a timestamp in the stats object which tells
353 * us until when it is marked as positively detected. */
354 static void
356 {
358 /* We add a random offset of a maximum of half the defense time so it is
359 * less predictable. */
363 }
365 /* Return true iff the given channel address is marked as malicious. This is
366 * called a lot and part of the fast path of handling cells. It has to remain
367 * as fast as we can. */
368 static int
370 {
372 tor_addr_t addr;
378 }
379 /* Must be a client connection else we ignore. */
382 }
383 /* Without an IP address, nothing can work. */
386 }
388 /* We are only interested in client connection from the geoip cache. */
391 /* We can have a connection creating circuits but not tracked by the geoip
392 * cache. Once this DoS subsystem is enabled, we can end up here with no
393 * entry for the channel. */
395 }
399 end:
401 }
403 /* Concurrent connection private API. */
405 /* Free everything for the connection DoS mitigation subsystem. */
406 static void
408 {
410 }
412 /* Called when the consensus has changed. Do appropriate actions for the
413 * connection mitigation subsystem. */
414 static void
416 {
417 /* Looking at the consensus, is the connection mitigation subsystem enabled?
418 * If not and it was enabled before, clean it up. */
421 }
422 }
424 /* General private API */
426 /* Return true iff we have at least one DoS detection enabled. This is used to
427 * decide if we need to allocate any kind of high level DoS object. */
430 {
432 }
434 /* Circuit creation public API. */
436 /* Called when a CREATE cell is received from the given channel. */
437 void
439 {
440 tor_addr_t addr;
445 /* Skip everything if not enabled. */
448 }
450 /* Must be a client connection else we ignore. */
453 }
454 /* Without an IP address, nothing can work. */
457 }
459 /* We are only interested in client connection from the geoip cache. */
462 /* We can have a connection creating circuits but not tracked by the geoip
463 * cache. Once this DoS subsystem is enabled, we can end up here with no
464 * entry for the channel. */
466 }
468 /* General comment. Even though the client can already be marked as
469 * malicious, we continue to track statistics. If it keeps going above
470 * threshold while marked, the defense period time will grow longer. There
471 * is really no point at unmarking a client that keeps DoSing us. */
473 /* First of all, we'll try to refill the circuit bucket opportunistically
474 * before we assess. */
477 /* Take a token out of the circuit bucket if we are above 0 so we don't
478 * underflow the bucket. */
481 }
483 /* This is the detection. Assess at every CREATE cell if the client should
484 * get marked as malicious. This should be kept as fast as possible. */
486 /* If this is the first time we mark this entry, log it a info level.
487 * Under heavy DDoS, logging each time we mark would results in lots and
488 * lots of logs. */
492 cc_num_marked_addrs++;
493 }
495 }
497 end:
499 }
501 /* Return the defense type that should be used for this circuit.
502 *
503 * This is part of the fast path and called a lot. */
504 dos_cc_defense_type_t
506 {
509 /* Skip everything if not enabled. */
512 }
514 /* On an OR circuit, we'll check if the previous channel is a marked client
515 * connection detected by our DoS circuit creation mitigation subsystem. */
517 /* We've just assess that this circuit should trigger a defense for the
518 * cell it just seen. Note it down. */
519 cc_num_rejected_cells++;
521 }
523 end:
525 }
527 /* Concurrent connection detection public API. */
529 /* Return true iff the given address is permitted to open another connection.
530 * A defense value is returned for the caller to take appropriate actions. */
531 dos_conn_defense_type_t
533 {
538 /* Skip everything if not enabled. */
541 }
543 /* We are only interested in client connection from the geoip cache. */
547 }
549 /* Need to be above the maximum concurrent connection count to trigger a
550 * defense. */
552 conn_num_addr_rejected++;
554 }
556 end:
558 }
560 /* General API */
562 /* Take any appropriate actions for the given geoip entry that is about to get
563 * freed. This is called for every entry that is being freed.
564 *
565 * This function will clear out the connection tracked flag if the concurrent
566 * count of the entry is above 0 so if those connections end up being seen by
567 * this subsystem, we won't try to decrement the counter for a new geoip entry
568 * that might have been added after this call for the same address. */
569 void
571 {
574 /* The count is down to 0 meaning no connections right now, we can safely
575 * clear the geoip entry from the cache. */
578 }
580 /* For each connection matching the geoip entry address, we'll clear the
581 * tracked flag because the entry is about to get removed from the geoip
582 * cache. We do not try to decrement if the flag is not set. */
587 CMP_EXACT)) {
589 }
590 }
593 end:
595 }
597 /* Note down that we've just refused a single hop client. This increments a
598 * counter later used for the heartbeat. */
599 void
601 {
602 num_single_hop_client_refused++;
603 }
605 /* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should
606 * be refused. */
607 int
609 {
610 /* If we aren't a public relay, this shouldn't apply to anything. */
613 }
617 }
622 }
624 /* Log a heartbeat message with some statistics. */
625 void
627 {
633 /* Stats number coming from relay.c append_cell_to_circuit_queue(). */
636 stats_n_circ_max_cell_reached);
643 }
648 conn_num_addr_rejected);
649 }
654 num_single_hop_client_refused);
655 }
659 circ_stats_msg,
669 }
671 /* Called when a new client connection has been established on the given
672 * address. */
673 void
675 {
680 /* Past that point, we know we have at least one DoS detection subsystem
681 * enabled so we'll start allocating stuff. */
684 }
686 /* We ignore any known address meaning an address of a known relay. The
687 * reason to do so is because network reentry is possible where a client
688 * connection comes from an Exit node. Even when we'll fix reentry, this is
689 * a robust defense to keep in place. */
692 }
694 /* We are only interested in client connection from the geoip cache. */
696 GEOIP_CLIENT_CONNECT);
698 /* Should never happen because we note down the address in the geoip
699 * cache before this is called. */
701 }
709 end:
711 }
713 /* Called when a client connection for the given IP address has been closed. */
714 void
716 {
721 /* We have to decrement the count on tracked connection only even if the
722 * subsystem has been disabled at runtime because it might be re-enabled
723 * after and we need to keep a synchronized counter at all time. */
726 }
728 /* We are only interested in client connection from the geoip cache. */
730 GEOIP_CLIENT_CONNECT);
732 /* This can happen because we can close a connection before the channel
733 * got to be noted down in the geoip cache. */
735 }
737 /* Extra super duper safety. Going below 0 means an underflow which could
738 * lead to most likely a false positive. In theory, this should never happen
739 * but lets be extra safe. */
742 }
750 end:
752 }
754 /* Called when the consensus has changed. We might have new consensus
755 * parameters to look at. */
756 void
758 {
759 /* There are two ways to configure this subsystem, one at startup through
760 * dos_init() which is called when the options are parsed. And this one
761 * through the consensus. We don't want to enable any DoS mitigation if we
762 * aren't a public relay. */
765 }
770 /* We were already enabled or we just became enabled but either way, set the
771 * consensus parameters for all subsystems. */
773 }
775 /* Return true iff the DoS mitigation subsystem is enabled. */
776 int
778 {
780 }
782 /* Free everything from the Denial of Service subsystem. */
783 void
785 {
786 /* Free the circuit creation mitigation subsystem. It is safe to do this
787 * even if it wasn't initialized. */
790 /* Free the connection mitigation subsystem. It is safe to do this even if
791 * it wasn't initialized. */
793 }
795 /* Initialize the Denial of Service subsystem. */
796 void
798 {
799 /* To initialize, we only need to get the parameters. */
801 }