tor/src/or/dos.h

/* Copyright (c) 2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/*
 * \file dos.h
 * \brief Header file for dos.c
 */

#ifndef TOR_DOS_H
#define TOR_DOS_H

/* Structure that keeps stats of client connection per-IP. */
typedef struct cc_client_stats_t {
  /* Number of allocated circuits remaining for this address.  It is
   * decremented every time a new circuit is seen for this client address and
   * if the count goes to 0, we have a positive detection. */
  uint32_t circuit_bucket;

  /* When was the last time we've refilled the circuit bucket? This is used to
   * know if we need to refill the bucket when a new circuit is seen. It is
   * synchronized using approx_time(). */
  time_t last_circ_bucket_refill_ts;

  /* This client address was detected to be above the circuit creation rate
   * and this timestamp indicates until when it should remain marked as
   * detected so we can apply a defense for the address. It is synchronized
   * using the approx_time(). */
  time_t marked_until_ts;
} cc_client_stats_t;

/* This object is a top level object that contains everything related to the
 * per-IP client DoS mitigation. Because it is per-IP, it is used in the geoip
 * clientmap_entry_t object. */
typedef struct dos_client_stats_t {
  /* Concurrent connection count from the specific address. 2^32 is most
   * likely way too big for the amount of allowed file descriptors. */
  uint32_t concurrent_count;

  /* Circuit creation statistics. This is only used if the circuit creation
   * subsystem has been enabled (dos_cc_enabled). */
  cc_client_stats_t cc_stats;
} dos_client_stats_t;

/* General API. */

/* Stub. */
struct clientmap_entry_t;

void dos_init(void);
void dos_free_all(void);
void dos_consensus_has_changed(const networkstatus_t *ns);
int dos_enabled(void);
void dos_log_heartbeat(void);
void dos_geoip_entry_about_to_free(const struct clientmap_entry_t *geoip_ent);

void dos_new_client_conn(or_connection_t *or_conn);
void dos_close_client_conn(const or_connection_t *or_conn);

int dos_should_refuse_single_hop_client(void);
void dos_note_refuse_single_hop_client(void);

/*
 * Circuit creation DoS mitigation subsystemn interface.
 */

/* DoSCircuitCreationEnabled default. Disabled by default. */
#define DOS_CC_ENABLED_DEFAULT 0
/* DoSCircuitCreationDefenseType maps to the dos_cc_defense_type_t enum. */
#define DOS_CC_DEFENSE_TYPE_DEFAULT DOS_CC_DEFENSE_REFUSE_CELL
/* DoSCircuitCreationMinConnections default */
#define DOS_CC_MIN_CONCURRENT_CONN_DEFAULT 3
/* DoSCircuitCreationRateTenths is 3 per seconds. */
#define DOS_CC_CIRCUIT_RATE_DEFAULT 3
/* DoSCircuitCreationBurst default. */
#define DOS_CC_CIRCUIT_BURST_DEFAULT 90
/* DoSCircuitCreationDefenseTimePeriod in seconds. */
#define DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT (60 * 60)

/* Type of defense that we can use for the circuit creation DoS mitigation. */
typedef enum dos_cc_defense_type_t {
  /* No defense used. */
  DOS_CC_DEFENSE_NONE             = 1,
  /* Refuse any cells which means a DESTROY cell will be sent back. */
  DOS_CC_DEFENSE_REFUSE_CELL      = 2,

  /* Maximum value that can be used. Useful for the boundaries of the
   * consensus parameter. */
  DOS_CC_DEFENSE_MAX              = 2,
} dos_cc_defense_type_t;

void dos_cc_new_create_cell(channel_t *channel);
dos_cc_defense_type_t dos_cc_get_defense_type(channel_t *chan);

/*
 * Concurrent connection DoS mitigation interface.
 */

/* DoSConnectionEnabled default. Disabled by default. */
#define DOS_CONN_ENABLED_DEFAULT 0
/* DoSConnectionMaxConcurrentCount default. */
#define DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
/* DoSConnectionDefenseType maps to the dos_conn_defense_type_t enum. */
#define DOS_CONN_DEFENSE_TYPE_DEFAULT DOS_CONN_DEFENSE_CLOSE

/* Type of defense that we can use for the concurrent connection DoS
 * mitigation. */
typedef enum dos_conn_defense_type_t {
  /* No defense used. */
  DOS_CONN_DEFENSE_NONE             = 1,
  /* Close immediately the connection meaning refuse it. */
  DOS_CONN_DEFENSE_CLOSE            = 2,

  /* Maximum value that can be used. Useful for the boundaries of the
   * consensus parameter. */
  DOS_CONN_DEFENSE_MAX              = 2,
} dos_conn_defense_type_t;

dos_conn_defense_type_t dos_conn_addr_get_defense_type(const tor_addr_t *addr);

#ifdef DOS_PRIVATE

STATIC uint32_t get_param_conn_max_concurrent_count(
                                              const networkstatus_t *ns);
STATIC uint32_t get_param_cc_circuit_burst(const networkstatus_t *ns);
STATIC uint32_t get_param_cc_min_concurrent_connection(
                                            const networkstatus_t *ns);

STATIC uint64_t get_circuit_rate_per_second(void);
STATIC void cc_stats_refill_bucket(cc_client_stats_t *stats,
                                   const tor_addr_t *addr);

MOCK_DECL(STATIC unsigned int, get_param_cc_enabled,
          (const networkstatus_t *ns));
MOCK_DECL(STATIC unsigned int, get_param_conn_enabled,
          (const networkstatus_t *ns));

#endif /* TOR_DOS_PRIVATE */

#endif /* TOR_DOS_H */
dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`/* Copyright (c) 2018, The Tor Project, Inc. */`
			`/* See LICENSE for licensing information */`

			`/*`
			`* \file dos.h`
			`* \brief Header file for dos.c`
			`*/`

			`#ifndef TOR_DOS_H`
			`#define TOR_DOS_H`

			`/* Structure that keeps stats of client connection per-IP. */`
			`typedef struct cc_client_stats_t {`
			`/* Number of allocated circuits remaining for this address. It is`
			`* decremented every time a new circuit is seen for this client address and`
			`* if the count goes to 0, we have a positive detection. */`
			`uint32_t circuit_bucket;`

			`/* When was the last time we've refilled the circuit bucket? This is used to`
			`* know if we need to refill the bucket when a new circuit is seen. It is`
			`* synchronized using approx_time(). */`
			`time_t last_circ_bucket_refill_ts;`

			`/* This client address was detected to be above the circuit creation rate`
			`* and this timestamp indicates until when it should remain marked as`
			`* detected so we can apply a defense for the address. It is synchronized`
			`* using the approx_time(). */`
			`time_t marked_until_ts;`
			`} cc_client_stats_t;`

			`/* This object is a top level object that contains everything related to the`
			`* per-IP client DoS mitigation. Because it is per-IP, it is used in the geoip`
			`* clientmap_entry_t object. */`
			`typedef struct dos_client_stats_t {`
			`/* Concurrent connection count from the specific address. 2^32 is most`
			`* likely way too big for the amount of allowed file descriptors. */`
			`uint32_t concurrent_count;`

			`/* Circuit creation statistics. This is only used if the circuit creation`
			`* subsystem has been enabled (dos_cc_enabled). */`
			`cc_client_stats_t cc_stats;`
			`} dos_client_stats_t;`

			`/* General API. */`

dos: Clear connection tracked flag if geoip entry is removed Imagine this scenario. We had 10 connections over the 24h lifetime of a geoip cache entry. The lifetime of the entry has been reached so it is about to get freed but 2 connections remain for it. After the free, a third connection comes in thus making us create a new geoip entry for that address matching the 2 previous ones that are still alive. If they end up being closed, we'll have a concurrent count desynch from what the reality is. To mitigate this probably very rare scenario in practice, when we free a geoip entry and it has a concurrent count above 0, we'll go over all connections matching the address and clear out the tracked flag. So once they are closed, we don't try to decrement the count. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 15:44:21 +01:00			`/* Stub. */`
			`struct clientmap_entry_t;`

dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`void dos_init(void);`
			`void dos_free_all(void);`
			`void dos_consensus_has_changed(const networkstatus_t *ns);`
			`int dos_enabled(void);`
dos: Add a heartbeat log Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:36:05 +01:00			`void dos_log_heartbeat(void);`
dos: Clear connection tracked flag if geoip entry is removed Imagine this scenario. We had 10 connections over the 24h lifetime of a geoip cache entry. The lifetime of the entry has been reached so it is about to get freed but 2 connections remain for it. After the free, a third connection comes in thus making us create a new geoip entry for that address matching the 2 previous ones that are still alive. If they end up being closed, we'll have a concurrent count desynch from what the reality is. To mitigate this probably very rare scenario in practice, when we free a geoip entry and it has a concurrent count above 0, we'll go over all connections matching the address and clear out the tracked flag. So once they are closed, we don't try to decrement the count. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 15:44:21 +01:00			`void dos_geoip_entry_about_to_free(const struct clientmap_entry_t *geoip_ent);`
dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00
dos: Track new and closed OR client connections Implement a basic connection tracking that counts the number of concurrent connections when they open and close. This commit also adds the circuit creation mitigation data structure that will be needed at later commit to keep track of the circuit rate. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:05:59 +01:00			`void dos_new_client_conn(or_connection_t *or_conn);`
			`void dos_close_client_conn(const or_connection_t *or_conn);`

dos: Add the DoSRefuseSingleHopClientRendezvous option This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client connection. Its default value is "auto" for which we can turn it on or off with a consensus parameter. Default value is 0. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:32:28 +01:00			`int dos_should_refuse_single_hop_client(void);`
			`void dos_note_refuse_single_hop_client(void);`

dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`/*`
			`* Circuit creation DoS mitigation subsystemn interface.`
			`*/`

			`/* DoSCircuitCreationEnabled default. Disabled by default. */`
			`#define DOS_CC_ENABLED_DEFAULT 0`
			`/* DoSCircuitCreationDefenseType maps to the dos_cc_defense_type_t enum. */`
			`#define DOS_CC_DEFENSE_TYPE_DEFAULT DOS_CC_DEFENSE_REFUSE_CELL`
			`/* DoSCircuitCreationMinConnections default */`
			`#define DOS_CC_MIN_CONCURRENT_CONN_DEFAULT 3`
			`/* DoSCircuitCreationRateTenths is 3 per seconds. */`
dos: Make circuit rate limit per second, not tenths anymore Because this touches too many commits at once, it is made into one single commit. Remove the use of "tenths" for the circuit rate to simplify things. We can only refill the buckets at best once every second because of the use of approx_time() and our token system is set to be 1 token = 1 circuit so make the rate a flat integer of circuit per second. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-29 17:50:11 +01:00			`#define DOS_CC_CIRCUIT_RATE_DEFAULT 3`
dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`/* DoSCircuitCreationBurst default. */`
			`#define DOS_CC_CIRCUIT_BURST_DEFAULT 90`
			`/* DoSCircuitCreationDefenseTimePeriod in seconds. */`
			`#define DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT (60 * 60)`

			`/* Type of defense that we can use for the circuit creation DoS mitigation. */`
			`typedef enum dos_cc_defense_type_t {`
			`/* No defense used. */`
			`DOS_CC_DEFENSE_NONE = 1,`
			`/* Refuse any cells which means a DESTROY cell will be sent back. */`
			`DOS_CC_DEFENSE_REFUSE_CELL = 2,`

			`/* Maximum value that can be used. Useful for the boundaries of the`
			`* consensus parameter. */`
			`DOS_CC_DEFENSE_MAX = 2,`
			`} dos_cc_defense_type_t;`

dos: Detect circuit creation denial of service Add a function that notifies the DoS subsystem that a new CREATE cell has arrived. The statistics are updated accordingly and the IP address can also be marked as malicious if it is above threshold. At this commit, no defense is applied, just detection with a circuit creation token bucket system. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:14:40 +01:00			`void dos_cc_new_create_cell(channel_t *channel);`
dos: Apply defense for circuit creation DoS If the client address was detected as malicious, apply a defense which is at this commit to return a DESTROY cell. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:20:52 +01:00			`dos_cc_defense_type_t dos_cc_get_defense_type(channel_t *chan);`
dos: Detect circuit creation denial of service Add a function that notifies the DoS subsystem that a new CREATE cell has arrived. The statistics are updated accordingly and the IP address can also be marked as malicious if it is above threshold. At this commit, no defense is applied, just detection with a circuit creation token bucket system. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:14:40 +01:00
dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`/*`
			`* Concurrent connection DoS mitigation interface.`
			`*/`

			`/* DoSConnectionEnabled default. Disabled by default. */`
			`#define DOS_CONN_ENABLED_DEFAULT 0`
			`/* DoSConnectionMaxConcurrentCount default. */`
			`#define DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100`
			`/* DoSConnectionDefenseType maps to the dos_conn_defense_type_t enum. */`
			`#define DOS_CONN_DEFENSE_TYPE_DEFAULT DOS_CONN_DEFENSE_CLOSE`

			`/* Type of defense that we can use for the concurrent connection DoS`
			`* mitigation. */`
			`typedef enum dos_conn_defense_type_t {`
			`/* No defense used. */`
			`DOS_CONN_DEFENSE_NONE = 1,`
			`/* Close immediately the connection meaning refuse it. */`
			`DOS_CONN_DEFENSE_CLOSE = 2,`

			`/* Maximum value that can be used. Useful for the boundaries of the`
			`* consensus parameter. */`
			`DOS_CONN_DEFENSE_MAX = 2,`
			`} dos_conn_defense_type_t;`

dos: Add the connection DoS mitigation subsystem Defend against an address that has reached the concurrent connection count threshold. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:28:54 +01:00			`dos_conn_defense_type_t dos_conn_addr_get_defense_type(const tor_addr_t *addr);`

dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`#ifdef DOS_PRIVATE`

			`STATIC uint32_t get_param_conn_max_concurrent_count(`
			`const networkstatus_t *ns);`
			`STATIC uint32_t get_param_cc_circuit_burst(const networkstatus_t *ns);`
			`STATIC uint32_t get_param_cc_min_concurrent_connection(`
			`const networkstatus_t *ns);`

dos: Make sure cc_stats_refill_bucket can't overflow while calculating Debug log the elapsed time in cc_stats_refill_bucket Part of #25094. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-31 01:13:17 +01:00			`STATIC uint64_t get_circuit_rate_per_second(void);`
dos: Detect circuit creation denial of service Add a function that notifies the DoS subsystem that a new CREATE cell has arrived. The statistics are updated accordingly and the IP address can also be marked as malicious if it is above threshold. At this commit, no defense is applied, just detection with a circuit creation token bucket system. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 22:14:40 +01:00			`STATIC void cc_stats_refill_bucket(cc_client_stats_t *stats,`
			`const tor_addr_t *addr);`

dos: Initial code of Denial of Service mitigation This commit introduces the src/or/dos.{c\|h} files that contains the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org> 2018-01-25 21:54:58 +01:00			`MOCK_DECL(STATIC unsigned int, get_param_cc_enabled,`
			`(const networkstatus_t *ns));`
			`MOCK_DECL(STATIC unsigned int, get_param_conn_enabled,`
			`(const networkstatus_t *ns));`

			`#endif /* TOR_DOS_PRIVATE */`

			`#endif /* TOR_DOS_H */`