Extend DoS protection to IP addresses with known relays
This exemption used to be helpful in keeping exit relays from tripping the DoS detection subsystem and losing Tor connectivity. Now exit relays block re-entry into the network (tor issue #2667) so it's no longer needed. We'd like to re-enable protection on these addresses to avoid giving attackers a way around our DoS mitigations.
parent
3e18507dc7
commit
2b8d629079
@ -976,14 +976,6 @@ dos_new_client_conn(or_connection_t *or_conn, const char *transport_name)
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* We ignore any known address meaning an address of a known relay. The
|
||||
* reason to do so is because network reentry is possible where a client
|
||||
* connection comes from an Exit node. Even when we'll fix reentry, this is
|
||||
* a robust defense to keep in place. */
|
||||
if (nodelist_probably_contains_address(&TO_CONN(or_conn)->addr)) {
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* We are only interested in client connection from the geoip cache. */
|
||||
entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, transport_name,
|
||||
GEOIP_CLIENT_CONNECT);
|
||||
|
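Review bot: The new side of dos_new_client_conn keeps no record of why the known-relay exemption disappeared, and the removed comment explicitly argued for keeping it "even when we'll fix reentry", so a maintainer reading only the code may reinstate it. A short comment before the geoip lookup would anchor the decision, e.g. `/* Known relay addresses are deliberately not exempted here: exits now refuse reentry (tor issue #2667), and an exemption would let an attacker evade DoS mitigation from relay IPs. */`. The function body starts and ends outside the hunk, so the earlier condition that still reaches `goto end` is not visible; if any path lets a not-yet-authenticated peer at a relay's address be treated as a client connection, confirm that counting it is the intended outcome.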
@ -434,12 +434,12 @@ test_dos_bucket_refill(void *arg)
|
||||
dos_free_all();
|
||||
}
|
||||
|
||||
/* Test if we avoid counting a known relay. */
|
||||
/* Test if we avoid counting a known relay. (We no longer do) */
|
||||
static void
|
||||
test_known_relay(void *arg)
|
||||
{
|
||||
clientmap_entry_t *entry = NULL;
|
||||
routerstatus_t *rs = NULL; microdesc_t *md = NULL; routerinfo_t *ri = NULL;
|
||||
routerstatus_t *rs = NULL;
|
||||
|
||||
(void) arg;
|
||||
|
||||
@ -475,8 +475,7 @@ test_known_relay(void *arg)
|
||||
* client connection. */
|
||||
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &TO_CONN(&or_conn)->addr,
|
||||
NULL, 0);
|
||||
/* Suppose we have 5 connections in rapid succession, the counter should
|
||||
* always be 0 because we should ignore this. */
|
||||
/* Suppose we have 5 connections in rapid succession */
|
||||
dos_new_client_conn(&or_conn, NULL);
|
||||
or_conn.tracked_for_dos_mitigation = 0;
|
||||
dos_new_client_conn(&or_conn, NULL);
|
||||
@ -489,26 +488,11 @@ test_known_relay(void *arg)
|
||||
entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL,
|
||||
GEOIP_CLIENT_CONNECT);
|
||||
tt_assert(entry);
|
||||
/* We should have a count of 0. */
|
||||
tt_uint_op(entry->dos_stats.conn_stats.concurrent_count, OP_EQ, 0);
|
||||
|
||||
/* To make sure that his is working properly, make a unknown client
|
||||
* connection and see if we do get it. */
|
||||
tor_addr_parse(&TO_CONN(&or_conn)->addr, "42.42.42.43");
|
||||
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &TO_CONN(&or_conn)->addr,
|
||||
NULL, 0);
|
||||
or_conn.tracked_for_dos_mitigation = 0;
|
||||
dos_new_client_conn(&or_conn, NULL);
|
||||
or_conn.tracked_for_dos_mitigation = 0;
|
||||
dos_new_client_conn(&or_conn, NULL);
|
||||
entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL,
|
||||
GEOIP_CLIENT_CONNECT);
|
||||
tt_assert(entry);
|
||||
/* We should have a count of 2. */
|
||||
tt_uint_op(entry->dos_stats.conn_stats.concurrent_count, OP_EQ, 2);
|
||||
/* We should have a count of 5. */
|
||||
tt_uint_op(entry->dos_stats.conn_stats.concurrent_count, OP_EQ, 5);
|
||||
|
||||
done:
|
||||
routerstatus_free(rs); routerinfo_free(ri); microdesc_free(md);
|
||||
routerstatus_free(rs);
|
||||
smartlist_clear(dummy_ns->routerstatus_list);
|
||||
networkstatus_vote_free(dummy_ns);
|
||||
dos_free_all();
|
||||
|
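Review bot: The header comment `/* Test if we avoid counting a known relay. (We no longer do) */` now states the opposite of what the test asserts, and the function is still named test_known_relay, so the expected count of 5 reads like a regression to anyone skimming. Reword it to state the new contract, e.g. `/* Test that connections from a known relay address are counted for DoS mitigation like any other client (the exemption was removed). */`. With the unknown-client control at 42.42.42.43 removed in the last hunk, the test no longer demonstrates that the address was actually recognised as a relay before being counted, so a pass would not distinguish "known relays are counted" from "the nodelist setup failed"; a `tt_assert(nodelist_probably_contains_address(&TO_CONN(&or_conn)->addr));` before the first dos_new_client_conn call would keep that distinction. The relay setup between the hunks is outside my view, so the exact placement is inferred.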