
Implement denial of service mitigation for the onion service subsystem.

#include "core/or/or.h"
#include "app/config/config.h"
#include "core/or/circuitlist.h"
#include "feature/hs/hs_circuitmap.h"
#include "feature/nodelist/networkstatus.h"
#include "feature/relay/routermode.h"
#include "lib/evloop/token_bucket.h"
#include "lib/time/compat_time.h"
#include "feature/hs/hs_dos.h"


Macros

#define HS_DOS_PRIVATE
 
#define HS_DOS_INTRODUCE_DEFAULT_CELL_RATE_PER_SEC   25
 
#define HS_DOS_INTRODUCE_DEFAULT_CELL_BURST_PER_SEC   200
 
#define HS_DOS_INTRODUCE_ENABLED_DEFAULT   0
 

Functions

STATIC uint32_t get_intro2_enable_consensus_param (const networkstatus_t *ns)
 
STATIC uint32_t get_intro2_rate_consensus_param (const networkstatus_t *ns)
 
STATIC uint32_t get_intro2_burst_consensus_param (const networkstatus_t *ns)
 
static void update_intro_circuits (void)
 
static void set_consensus_parameters (const networkstatus_t *ns)
 
void hs_dos_setup_default_intro2_defenses (or_circuit_t *circ)
 
void hs_dos_consensus_has_changed (const networkstatus_t *ns)
 
bool hs_dos_can_send_intro2 (or_circuit_t *s_intro_circ)
 
uint64_t hs_dos_get_intro2_rejected_count (void)
 
void hs_dos_init (void)
 

Variables

static uint64_t intro2_rejected_count = 0
 
static uint32_t consensus_param_introduce_rate_per_sec
 
static uint32_t consensus_param_introduce_burst_per_sec
 
static uint32_t consensus_param_introduce_defense_enabled
 

Detailed Description

Implement denial of service mitigation for the onion service subsystem.

This module implements the following defenses:

Definition in file hs_dos.c.

Macro Definition Documentation

◆ HS_DOS_INTRODUCE_DEFAULT_CELL_BURST_PER_SEC

#define HS_DOS_INTRODUCE_DEFAULT_CELL_BURST_PER_SEC   200

Default value of the allowed INTRODUCE2 cell burst per second. This is the maximum number of tokens the bucket can hold at any one time. Up to this many INTRODUCE2 cells may therefore be accepted in a single second; the bucket is refilled at the rate value but never above this burst value.

Definition at line 43 of file hs_dos.c.

◆ HS_DOS_INTRODUCE_DEFAULT_CELL_RATE_PER_SEC

#define HS_DOS_INTRODUCE_DEFAULT_CELL_RATE_PER_SEC   25

Default value of the allowed INTRODUCE2 cell rate per second. Above that rate, introductions are denied.

Definition at line 37 of file hs_dos.c.

◆ HS_DOS_INTRODUCE_ENABLED_DEFAULT

#define HS_DOS_INTRODUCE_ENABLED_DEFAULT   0

Default value of the consensus parameter that enables or disables the introduction DoS defense. The defense is disabled by default.

Definition at line 47 of file hs_dos.c.

◆ HS_DOS_PRIVATE

#define HS_DOS_PRIVATE

Definition at line 19 of file hs_dos.c.

Function Documentation

◆ get_intro2_burst_consensus_param()

STATIC uint32_t get_intro2_burst_consensus_param ( const networkstatus_t *ns)

Return the consensus parameter for the introduction burst per second.

Definition at line 80 of file hs_dos.c.

◆ get_intro2_enable_consensus_param()

STATIC uint32_t get_intro2_enable_consensus_param ( const networkstatus_t *ns)

Definition at line 63 of file hs_dos.c.

◆ get_intro2_rate_consensus_param()

STATIC uint32_t get_intro2_rate_consensus_param ( const networkstatus_t *ns)

Return the consensus parameter for the introduction rate per second.

Definition at line 71 of file hs_dos.c.

◆ hs_dos_can_send_intro2()

bool hs_dos_can_send_intro2 ( or_circuit_t *s_intro_circ)

Return true iff an INTRODUCE2 cell can be sent on the given service introduction circuit.

Definition at line 167 of file hs_dos.c.

◆ hs_dos_consensus_has_changed()

void hs_dos_consensus_has_changed ( const networkstatus_t *ns)

Called when the consensus has changed, since it may carry new values for the consensus parameters used by this module.

Definition at line 153 of file hs_dos.c.

◆ hs_dos_get_intro2_rejected_count()

uint64_t hs_dos_get_intro2_rejected_count ( void  )

Return the rolling count of rejected INTRODUCE2 (INTRO2) cells.

Definition at line 219 of file hs_dos.c.

◆ hs_dos_init()

void hs_dos_init ( void  )

Initialize the onion service Denial of Service subsystem.

Definition at line 226 of file hs_dos.c.

◆ hs_dos_setup_default_intro2_defenses()

void hs_dos_setup_default_intro2_defenses ( or_circuit_t *circ)

Initialize the INTRODUCE2 token bucket for the DoS defenses using the consensus/default values. A cell extension may later override these values; if none arrives, the default or consensus parameters remain in effect.

Definition at line 138 of file hs_dos.c.

◆ set_consensus_parameters()

static void set_consensus_parameters ( const networkstatus_t *ns)
static

Set the module's consensus parameters from the given consensus.

Definition at line 116 of file hs_dos.c.

Referenced by hs_dos_consensus_has_changed(), and hs_dos_init().

◆ update_intro_circuits()

static void update_intro_circuits ( void  )
static

Go over all relay-side introduction circuits and adjust their rate/burst values using the global parameters. This is called right after the consensus parameters might have changed.

Definition at line 91 of file hs_dos.c.

Variable Documentation

◆ consensus_param_introduce_burst_per_sec

uint32_t consensus_param_introduce_burst_per_sec
static
Initial value: `= HS_DOS_INTRODUCE_DEFAULT_CELL_BURST_PER_SEC` (defined at line 43 of hs_dos.c).

Definition at line 57 of file hs_dos.c.

◆ consensus_param_introduce_defense_enabled

uint32_t consensus_param_introduce_defense_enabled
static
Initial value: `= HS_DOS_INTRODUCE_ENABLED_DEFAULT` (defined at line 47 of hs_dos.c).

Definition at line 59 of file hs_dos.c.

◆ consensus_param_introduce_rate_per_sec

uint32_t consensus_param_introduce_rate_per_sec
static
Initial value: `= HS_DOS_INTRODUCE_DEFAULT_CELL_RATE_PER_SEC` (defined at line 37 of hs_dos.c).

Definition at line 55 of file hs_dos.c.

◆ intro2_rejected_count

uint64_t intro2_rejected_count = 0
static

Counter of rejected INTRODUCE2 requests.

Definition at line 50 of file hs_dos.c.

Referenced by hs_dos_get_intro2_rejected_count().