Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'dgoulet/ticket24902_029_05'

Nick Mathewson 7 years ago
parent
412a8256a5 e7f6314782
commit
86f461e362
4 changed files with 47 additions and 14 deletions
Split View Show Diff Stats
  1. 4 0
      changes/bug25223
  2. 4 0
      changes/ticket25202
  3. 21 14
      doc/tor.1.txt
  4. 18 0
      src/or/dos.c

+ 4 - 0
changes/bug25223
View File 

@@ -0,0 +1,4 @@
 
+  o Minor bugfixes (DoS mitigation):
 
+    - Make sure we don't modify consensus parameters if we aren't a public
 
+      relay when a new consensus arrives. Fixes bug 25223; bugfix on
 
+      0.3.3.2-alpha.

+ 4 - 0
changes/ticket25202
View File 

@@ -0,0 +1,4 @@
 
+  o Minor bugfixes (DoS mitigation):
 
+    - Add extra safety checks when refilling the circuit creation bucket to
 
+      ensure we never set a value that is above the allowed burst. Fixes
 
+      bug 25202; bugfix on 0.3.3.2-alpha.

+ 21 - 14
doc/tor.1.txt
View File 

@@ -2765,7 +2765,7 @@ Denial of Service mitigation subsystem.
 
     address is positively identified, tor will activate defenses against the
 
     address. See the DoSCircuitCreationDefenseType option for more details.
 
     This is a client to relay detection only. "auto" means use the consensus
 
-    parameter.
 
+    parameter. If not defined in the consensus, the value is 0.
 
     (Default: auto)
 
 
 [[DoSCircuitCreationMinConnections]] **DoSCircuitCreationMinConnections** __NUM__::
 
@@ -2774,19 +2774,22 @@ Denial of Service mitigation subsystem.
 
     flagged as executing a circuit creation DoS. In other words, once a client
 
     address reaches the circuit rate and has a minimum of NUM concurrent
 
     connections, a detection is positive. "0" means use the consensus
 
-    parameter.
 
+    parameter. If not defined in the consensus, the value is 3.
 
     (Default: 0)
 
 
 [[DoSCircuitCreationRate]] **DoSCircuitCreationRate** __NUM__::
 
 
     The allowed circuit creation rate per second applied per client IP
 
-    address. If this option is 0, it obeys a consensus parameter. (Default: 0)
 
+    address. If this option is 0, it obeys a consensus parameter. If not
 
+    defined in the consensus, the value is 3.
 
+    (Default: 0)
 
 
 [[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__::
 
 
     The allowed circuit creation burst per client IP address. If the circuit
 
     rate and the burst are reached, a client is marked as executing a circuit
 
-    creation DoS. "0" means use the consensus parameter.
 
+    creation DoS. "0" means use the consensus parameter. If not defined in the
 
+    consensus, the value is 90.
 
     (Default: 0)
 
 
 [[DoSCircuitCreationDefenseType]] **DoSCircuitCreationDefenseType** __NUM__::
 
@@ -2797,28 +2800,31 @@ Denial of Service mitigation subsystem.
 
       1: No defense.
 
       2: Refuse circuit creation for the DoSCircuitCreationDefenseTimePeriod period of time.
 
 +
 
-    "0" means use the consensus parameter.
 
+    "0" means use the consensus parameter. If not defined in the consensus,
 
+    the value is 2.
 
     (Default: 0)
 
 
-[[DoSCircuitCreationDefenseTimePeriod]] **DoSCircuitCreationDefenseTimePeriod** __NUM__::
 
+[[DoSCircuitCreationDefenseTimePeriod]] **DoSCircuitCreationDefenseTimePeriod** __N__ **seconds**|**minutes**|**hours**::
 
 
-    The base time period that the DoS defense is activated for. The actual
 
-    value is selected randomly for each activation from NUM+1 to 3/2 * NUM.
 
-    "0" means use the consensus parameter.
 
-    (Default: 0)
 
+    The base time period in seconds that the DoS defense is activated for. The
 
+    actual value is selected randomly for each activation from N+1 to 3/2 * N.
 
+    "0" means use the consensus parameter. If not defined in the consensus,
 
+    the value is 3600 seconds (1 hour).  (Default: 0)
 
 
 [[DoSConnectionEnabled]] **DoSConnectionEnabled** **0**|**1**|**auto**::
 
 
     Enable the connection DoS mitigation. For client address only, this allows
 
     tor to mitigate against large number of concurrent connections made by a
 
-    single IP address. "auto" means use the consensus parameter.
 
+    single IP address. "auto" means use the consensus parameter. If not
 
+    defined in the consensus, the value is 0.
 
     (Default: auto)
 
 
 [[DoSConnectionMaxConcurrentCount]] **DoSConnectionMaxConcurrentCount** __NUM__::
 
 
     The maximum threshold of concurrent connection from a client IP address.
 
     Above this limit, a defense selected by DoSConnectionDefenseType is
 
-    applied. "0" means use the consensus parameter.
 
+    applied. "0" means use the consensus parameter. If not defined in the
 
+    consensus, the value is 100.
 
     (Default: 0)
 
 
 [[DoSConnectionDefenseType]] **DoSConnectionDefenseType** __NUM__::
 
@@ -2829,7 +2835,8 @@ Denial of Service mitigation subsystem.
 
       1: No defense.
 
       2: Immediately close new connections.
 
 +
 
-    "0" means use the consensus parameter.
 
+    "0" means use the consensus parameter. If not defined in the consensus,
 
+    the value is 2.
 
     (Default: 0)
 
 
 [[DoSRefuseSingleHopClientRendezvous]] **DoSRefuseSingleHopClientRendezvous** **0**|**1**|**auto**::
 
@@ -2837,7 +2844,7 @@ Denial of Service mitigation subsystem.
 
     Refuse establishment of rendezvous points for single hop clients. In other
 
     words, if a client directly connects to the relay and sends an
 
     ESTABLISH_RENDEZVOUS cell, it is silently dropped. "auto" means use the
 
-    consensus parameter.
 
+    consensus parameter. If not defined in the consensus, the value is 0.
 
     (Default: auto)
 
 
 TESTING NETWORK OPTIONS

+ 18 - 0
src/or/dos.c
View File 

@@ -309,6 +309,16 @@ cc_stats_refill_bucket(cc_client_stats_t *stats, const tor_addr_t *addr)
 
     new_circuit_bucket_count = MIN(stats->circuit_bucket + (uint32_t)num_token,
 
                                    dos_cc_circuit_burst);
 
   }
 
+
 
+  /* This function is not allowed to make the bucket count larger than the
 
+   * burst value */
 
+  tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst);
 
+  /* This function is not allowed to make the bucket count smaller, unless it
 
+   * is decreasing it to a newly configured, lower burst value. We allow the
 
+   * bucket to stay the same size, in case the circuit rate is zero. */
 
+  tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket ||
 
+                      new_circuit_bucket_count == dos_cc_circuit_burst);
 
+
 
   log_debug(LD_DOS, "DoS address %s has its circuit bucket value: %" PRIu32
 
                     ". Filling it to %" PRIu32 ". Circuit rate is %" PRIu64
 
                     ". Elapsed time is %" PRIi64,
 
@@ -738,6 +748,14 @@ dos_close_client_conn(const or_connection_t *or_conn)
 
 void
 
 dos_consensus_has_changed(const networkstatus_t *ns)
 
 {
 
+  /* There are two ways to configure this subsystem, one at startup through
 
+   * dos_init() which is called when the options are parsed. And this one
 
+   * through the consensus. We don't want to enable any DoS mitigation if we
 
+   * aren't a public relay. */
 
+  if (!public_server_mode(get_options())) {
 
+    return;
 
+  }
 
+
 
   cc_consensus_has_changed(ns);
 
   conn_consensus_has_changed(ns);