dos.c

/* Copyright (c) 2018-2021, The Tor Project, Inc. */
/* See LICENSE for licensing information */
 
/*
 * \file dos.c
 * \brief Implement Denial of Service mitigation subsystem.
 */
 
#define DOS_PRIVATE
 
#include "core/or/or.h"
#include "app/config/config.h"
#include "core/mainloop/connection.h"
#include "core/mainloop/mainloop.h"
#include "core/or/channel.h"
#include "core/or/connection_or.h"
#include "core/or/relay.h"
#include "feature/hs/hs_dos.h"
#include "feature/nodelist/networkstatus.h"
#include "feature/nodelist/nodelist.h"
#include "feature/relay/routermode.h"
#include "feature/stats/geoip_stats.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/time/compat_time.h"
 
#include "core/or/dos.h"
#include "core/or/dos_sys.h"
 
#include "core/or/dos_options_st.h"
#include "core/or/or_connection_st.h"
 
/*
 * Circuit creation denial of service mitigation.
 *
 * Namespace used for this mitigation framework is "dos_cc_" where "cc" is for
 * Circuit Creation.
 */
 
/* Is the circuit creation DoS mitigation enabled? */
static unsigned int dos_cc_enabled = 0;
 
/* Consensus parameters. They can be changed when a new consensus arrives.
 * They are initialized with the hardcoded default values. */
static uint32_t dos_cc_min_concurrent_conn;
static uint32_t dos_cc_circuit_rate;
static uint32_t dos_cc_circuit_burst;
static dos_cc_defense_type_t dos_cc_defense_type;
static int32_t dos_cc_defense_time_period;
 
/* Keep some stats for the heartbeat so we can report out. */
static uint64_t cc_num_rejected_cells;
static uint32_t cc_num_marked_addrs;
static uint32_t cc_num_marked_addrs_max_queue;
 
/*
 * Concurrent connection denial of service mitigation.
 *
 * Namespace used for this mitigation framework is "dos_conn_".
 */
 
/* Is the connection DoS mitigation enabled? */
static unsigned int dos_conn_enabled = 0;
 
/* Consensus parameters. They can be changed when a new consensus arrives.
 * They are initialized with the hardcoded default values. */
static uint32_t dos_conn_max_concurrent_count;
static dos_conn_defense_type_t dos_conn_defense_type;
static uint32_t dos_conn_connect_rate = DOS_CONN_CONNECT_RATE_DEFAULT;
static uint32_t dos_conn_connect_burst = DOS_CONN_CONNECT_BURST_DEFAULT;
static int32_t dos_conn_connect_defense_time_period =
  DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT;
 
/* Keep some stats for the heartbeat so we can report out. */
static uint64_t conn_num_addr_rejected;
static uint64_t conn_num_addr_connect_rejected;
 
/** Consensus parameter: How many times a client IP is allowed to hit the
 * circ_max_cell_queue_size_out limit before being marked. */
static uint32_t dos_num_circ_max_outq;
 
/*
 * Stream denial of service mitigation.
 *
 * Namespace used for this mitigation framework is "dos_stream_".
 */
 
/* Is the connection DoS mitigation enabled? */
static unsigned int dos_stream_enabled = 0;
 
/* Consensus parameters. They can be changed when a new consensus arrives.
 * They are initialized with the hardcoded default values. */
static dos_stream_defense_type_t dos_stream_defense_type;
static uint32_t dos_stream_rate = DOS_STREAM_RATE_DEFAULT;
static uint32_t dos_stream_burst = DOS_STREAM_BURST_DEFAULT;
 
/* Keep some stats for the heartbeat so we can report out. */
static uint64_t stream_num_rejected;
 
/*
 * General interface of the denial of service mitigation subsystem.
 */
 
/* Keep stats for the heartbeat. */
static uint64_t num_single_hop_client_refused;
 
/** Return the consensus parameter for the outbound circ_max_cell_queue_size
 * limit. */
static uint32_t
get_param_dos_num_circ_max_outq(const networkstatus_t *ns)
{
#define DOS_NUM_CIRC_MAX_OUTQ_DEFAULT 3
#define DOS_NUM_CIRC_MAX_OUTQ_MIN 0
#define DOS_NUM_CIRC_MAX_OUTQ_MAX INT32_MAX
 
  /* Update the circuit max cell queue size from the consensus. */
  return networkstatus_get_param(ns, "dos_num_circ_max_outq",
                                 DOS_NUM_CIRC_MAX_OUTQ_DEFAULT,
                                 DOS_NUM_CIRC_MAX_OUTQ_MIN,
                                 DOS_NUM_CIRC_MAX_OUTQ_MAX);
}
 
/* Return true iff the circuit creation mitigation is enabled. We look at the
 * consensus for this else a default value is returned. */
MOCK_IMPL(STATIC unsigned int,
get_param_cc_enabled, (const networkstatus_t *ns))
{
  if (dos_get_options()->DoSCircuitCreationEnabled != -1) {
    return dos_get_options()->DoSCircuitCreationEnabled;
  }
 
  return !!networkstatus_get_param(ns, "DoSCircuitCreationEnabled",
                                   DOS_CC_ENABLED_DEFAULT, 0, 1);
}
 
/* Return the parameter for the minimum concurrent connection at which we'll
 * start counting circuit for a specific client address. */
STATIC uint32_t
get_param_cc_min_concurrent_connection(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSCircuitCreationMinConnections) {
    return dos_get_options()->DoSCircuitCreationMinConnections;
  }
  return networkstatus_get_param(ns, "DoSCircuitCreationMinConnections",
                                 DOS_CC_MIN_CONCURRENT_CONN_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the parameter for the time rate that is how many circuits over this
 * time span. */
static uint32_t
get_param_cc_circuit_rate(const networkstatus_t *ns)
{
  /* This is in seconds. */
  if (dos_get_options()->DoSCircuitCreationRate) {
    return dos_get_options()->DoSCircuitCreationRate;
  }
  return networkstatus_get_param(ns, "DoSCircuitCreationRate",
                                 DOS_CC_CIRCUIT_RATE_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the parameter for the maximum circuit count for the circuit time
 * rate. */
STATIC uint32_t
get_param_cc_circuit_burst(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSCircuitCreationBurst) {
    return dos_get_options()->DoSCircuitCreationBurst;
  }
  return networkstatus_get_param(ns, "DoSCircuitCreationBurst",
                                 DOS_CC_CIRCUIT_BURST_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the consensus parameter of the circuit creation defense type. */
static uint32_t
get_param_cc_defense_type(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSCircuitCreationDefenseType) {
    return dos_get_options()->DoSCircuitCreationDefenseType;
  }
  return networkstatus_get_param(ns, "DoSCircuitCreationDefenseType",
                                 DOS_CC_DEFENSE_TYPE_DEFAULT,
                                 DOS_CC_DEFENSE_NONE, DOS_CC_DEFENSE_MAX);
}
 
/* Return the consensus parameter of the defense time period which is how much
 * time should we defend against a malicious client address. */
static int32_t
get_param_cc_defense_time_period(const networkstatus_t *ns)
{
  /* Time in seconds. */
  if (dos_get_options()->DoSCircuitCreationDefenseTimePeriod) {
    return dos_get_options()->DoSCircuitCreationDefenseTimePeriod;
  }
  return networkstatus_get_param(ns, "DoSCircuitCreationDefenseTimePeriod",
                                 DOS_CC_DEFENSE_TIME_PERIOD_DEFAULT,
                                 0, INT32_MAX);
}
 
/* Return true iff connection mitigation is enabled. We look at the consensus
 * for this else a default value is returned. */
MOCK_IMPL(STATIC unsigned int,
get_param_conn_enabled, (const networkstatus_t *ns))
{
  if (dos_get_options()->DoSConnectionEnabled != -1) {
    return dos_get_options()->DoSConnectionEnabled;
  }
  return !!networkstatus_get_param(ns, "DoSConnectionEnabled",
                                   DOS_CONN_ENABLED_DEFAULT, 0, 1);
}
 
/* Return the consensus parameter for the maximum concurrent connection
 * allowed. */
STATIC uint32_t
get_param_conn_max_concurrent_count(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSConnectionMaxConcurrentCount) {
    return dos_get_options()->DoSConnectionMaxConcurrentCount;
  }
  return networkstatus_get_param(ns, "DoSConnectionMaxConcurrentCount",
                                 DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the consensus parameter of the connection defense type. */
static uint32_t
get_param_conn_defense_type(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSConnectionDefenseType) {
    return dos_get_options()->DoSConnectionDefenseType;
  }
  return networkstatus_get_param(ns, "DoSConnectionDefenseType",
                                 DOS_CONN_DEFENSE_TYPE_DEFAULT,
                                 DOS_CONN_DEFENSE_NONE, DOS_CONN_DEFENSE_MAX);
}
 
/* Return the connection connect rate parameters either from the configuration
 * file or, if not found, consensus parameter. */
static uint32_t
get_param_conn_connect_rate(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSConnectionConnectRate) {
    return dos_get_options()->DoSConnectionConnectRate;
  }
  return networkstatus_get_param(ns, "DoSConnectionConnectRate",
                                 DOS_CONN_CONNECT_RATE_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the connection connect burst parameters either from the
 * configuration file or, if not found, consensus parameter. */
STATIC uint32_t
get_param_conn_connect_burst(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSConnectionConnectBurst) {
    return dos_get_options()->DoSConnectionConnectBurst;
  }
  return networkstatus_get_param(ns, "DoSConnectionConnectBurst",
                                 DOS_CONN_CONNECT_BURST_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the connection connect defense time period from the configuration
 * file or, if not found, the consensus parameter. */
static int32_t
get_param_conn_connect_defense_time_period(const networkstatus_t *ns)
{
  /* Time in seconds. */
  if (dos_get_options()->DoSConnectionConnectDefenseTimePeriod) {
    return dos_get_options()->DoSConnectionConnectDefenseTimePeriod;
  }
  return networkstatus_get_param(ns, "DoSConnectionConnectDefenseTimePeriod",
                                 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_DEFAULT,
                                 DOS_CONN_CONNECT_DEFENSE_TIME_PERIOD_MIN,
                                 INT32_MAX);
}
 
/* Return true iff the stream creation mitigation is enabled. We look at the
 * consensus for this else a default value is returned. */
MOCK_IMPL(STATIC unsigned int,
get_param_stream_enabled, (const networkstatus_t *ns))
{
  if (dos_get_options()->DoSStreamCreationEnabled != -1) {
    return dos_get_options()->DoSStreamCreationEnabled;
  }
 
  return !!networkstatus_get_param(ns, "DoSStreamCreationEnabled",
                                   DOS_STREAM_ENABLED_DEFAULT, 0, 1);
}
 
/* Return the parameter for the time rate that is how many stream per circuit
 * over this time span. */
static uint32_t
get_param_stream_rate(const networkstatus_t *ns)
{
  /* This is in seconds. */
  if (dos_get_options()->DoSStreamCreationRate) {
    return dos_get_options()->DoSStreamCreationRate;
  }
  return networkstatus_get_param(ns, "DoSStreamCreationRate",
                                 DOS_STREAM_RATE_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the parameter for the maximum circuit count for the circuit time
 * rate. */
static uint32_t
get_param_stream_burst(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSStreamCreationBurst) {
    return dos_get_options()->DoSStreamCreationBurst;
  }
  return networkstatus_get_param(ns, "DoSStreamCreationBurst",
                                 DOS_STREAM_BURST_DEFAULT,
                                 1, INT32_MAX);
}
 
/* Return the consensus parameter of the circuit creation defense type. */
static uint32_t
get_param_stream_defense_type(const networkstatus_t *ns)
{
  if (dos_get_options()->DoSStreamCreationDefenseType) {
    return dos_get_options()->DoSStreamCreationDefenseType;
  }
  return networkstatus_get_param(ns, "DoSStreamCreationDefenseType",
                                 DOS_STREAM_DEFENSE_TYPE_DEFAULT,
                                 DOS_STREAM_DEFENSE_NONE,
                                 DOS_STREAM_DEFENSE_MAX);
}
 
/* Set circuit creation parameters located in the consensus or their default
 * if none are present. Called at initialization or when the consensus
 * changes. */
static void
set_dos_parameters(const networkstatus_t *ns)
{
  /* Get the default consensus param values. */
  dos_cc_enabled = get_param_cc_enabled(ns);
  dos_cc_min_concurrent_conn = get_param_cc_min_concurrent_connection(ns);
  dos_cc_circuit_rate = get_param_cc_circuit_rate(ns);
  dos_cc_circuit_burst = get_param_cc_circuit_burst(ns);
  dos_cc_defense_time_period = get_param_cc_defense_time_period(ns);
  dos_cc_defense_type = get_param_cc_defense_type(ns);
 
  /* Connection detection. */
  dos_conn_enabled = get_param_conn_enabled(ns);
  dos_conn_max_concurrent_count = get_param_conn_max_concurrent_count(ns);
  dos_conn_defense_type = get_param_conn_defense_type(ns);
  dos_conn_connect_rate = get_param_conn_connect_rate(ns);
  dos_conn_connect_burst = get_param_conn_connect_burst(ns);
  dos_conn_connect_defense_time_period =
    get_param_conn_connect_defense_time_period(ns);
 
  /* Circuit. */
  dos_num_circ_max_outq = get_param_dos_num_circ_max_outq(ns);
 
  /* Stream. */
  dos_stream_enabled = get_param_stream_enabled(ns);
  dos_stream_defense_type = get_param_stream_defense_type(ns);
  dos_stream_rate = get_param_stream_rate(ns);
  dos_stream_burst = get_param_stream_burst(ns);
}
 
/* Free everything for the circuit creation DoS mitigation subsystem. */
static void
cc_free_all(void)
{
  /* If everything is freed, the circuit creation subsystem is not enabled. */
  dos_cc_enabled = 0;
}
 
/* Called when the consensus has changed. Do appropriate actions for the
 * circuit creation subsystem. */
static void
cc_consensus_has_changed(const networkstatus_t *ns)
{
  /* Looking at the consensus, is the circuit creation subsystem enabled? If
   * not and it was enabled before, clean it up. */
  if (dos_cc_enabled && !get_param_cc_enabled(ns)) {
    cc_free_all();
  }
}
 
/** Return the number of circuits we allow per second under the current
 *  configuration. */
STATIC uint64_t
get_circuit_rate_per_second(void)
{
  return dos_cc_circuit_rate;
}
 
/* Given the circuit creation client statistics object, refill the circuit
 * bucket if needed. This also works if the bucket was never filled in the
 * first place. The addr is only used for logging purposes. */
STATIC void
cc_stats_refill_bucket(cc_client_stats_t *stats, const tor_addr_t *addr)
{
  uint32_t new_circuit_bucket_count;
  uint64_t num_token, elapsed_time_last_refill = 0, circuit_rate = 0;
  time_t now;
  int64_t last_refill_ts;
 
  tor_assert(stats);
  tor_assert(addr);
 
  now = approx_time();
  last_refill_ts = (int64_t)stats->last_circ_bucket_refill_ts;
 
  /* If less than a second has elapsed, don't add any tokens.
   * Note: If a relay's clock is ever 0, any new clients won't get a refill
   * until the next second. But a relay that thinks it is 1970 will never
   * validate the public consensus. */
  if ((int64_t)now == last_refill_ts) {
    goto done;
  }
 
  /* At this point, we know we might need to add token to the bucket. We'll
   * first get the circuit rate that is how many circuit are we allowed to do
   * per second. */
  circuit_rate = get_circuit_rate_per_second();
 
  /* We've never filled the bucket so fill it with the maximum being the burst
   * and we are done.
   * Note: If a relay's clock is ever 0, all clients that were last refilled
   * in that zero second will get a full refill here. */
  if (last_refill_ts == 0) {
    num_token = dos_cc_circuit_burst;
    goto end;
  }
 
  /* Our clock jumped backward so fill it up to the maximum. Not filling it
   * could trigger a detection for a valid client. Also, if the clock jumped
   * negative but we didn't notice until the elapsed time became positive
   * again, then we potentially spent many seconds not refilling the bucket
   * when we should have been refilling it. But the fact that we didn't notice
   * until now means that no circuit creation requests came in during that
   * time, so the client doesn't end up punished that much from this hopefully
   * rare situation.*/
  if ((int64_t)now < last_refill_ts) {
    /* Use the maximum allowed value of token. */
    num_token = dos_cc_circuit_burst;
    goto end;
  }
 
  /* How many seconds have elapsed between now and the last refill?
   * This subtraction can't underflow, because now >= last_refill_ts.
   * And it can't overflow, because INT64_MAX - (-INT64_MIN) == UINT64_MAX. */
  elapsed_time_last_refill = (uint64_t)now - last_refill_ts;
 
  /* If the elapsed time is very large, it means our clock jumped forward.
   * If the multiplication would overflow, use the maximum allowed value. */
  if (elapsed_time_last_refill > UINT32_MAX) {
    num_token = dos_cc_circuit_burst;
    goto end;
  }
 
  /* Compute how many circuits we are allowed in that time frame which we'll
   * add to the bucket. This can't overflow, because both multiplicands
   * are less than or equal to UINT32_MAX, and num_token is uint64_t. */
  num_token = elapsed_time_last_refill * circuit_rate;
 
 end:
  /* If the sum would overflow, use the maximum allowed value. */
  if (num_token > UINT32_MAX - stats->circuit_bucket) {
    new_circuit_bucket_count = dos_cc_circuit_burst;
  } else {
    /* We cap the bucket to the burst value else this could overflow uint32_t
     * over time. */
    new_circuit_bucket_count = MIN(stats->circuit_bucket + (uint32_t)num_token,
                                   dos_cc_circuit_burst);
  }
 
  /* This function is not allowed to make the bucket count larger than the
   * burst value */
  tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst);
  /* This function is not allowed to make the bucket count smaller, unless it
   * is decreasing it to a newly configured, lower burst value. We allow the
   * bucket to stay the same size, in case the circuit rate is zero. */
  tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket ||
                      new_circuit_bucket_count == dos_cc_circuit_burst);
 
  log_debug(LD_DOS, "DoS address %s has its circuit bucket value: %" PRIu32
                    ". Filling it to %" PRIu32 ". Circuit rate is %" PRIu64
                    ". Elapsed time is %" PRIi64,
            fmt_addr(addr), stats->circuit_bucket, new_circuit_bucket_count,
            circuit_rate, (int64_t)elapsed_time_last_refill);
 
  stats->circuit_bucket = new_circuit_bucket_count;
  stats->last_circ_bucket_refill_ts = now;
 
 done:
  return;
}
 
/* Return true iff the circuit bucket is down to 0 and the number of
 * concurrent connections is greater or equal the minimum threshold set the
 * consensus parameter. */
static int
cc_has_exhausted_circuits(const dos_client_stats_t *stats)
{
  tor_assert(stats);
  return stats->cc_stats.circuit_bucket == 0 &&
         stats->conn_stats.concurrent_count >= dos_cc_min_concurrent_conn;
}
 
/* Mark client address by setting a timestamp in the stats object which tells
 * us until when it is marked as positively detected. */
static void
cc_mark_client(cc_client_stats_t *stats)
{
  tor_assert(stats);
  /* We add a random offset of a maximum of half the defense time so it is
   * less predictable. */
  stats->marked_until_ts =
    approx_time() + dos_cc_defense_time_period +
    crypto_rand_int_range(1, dos_cc_defense_time_period / 2);
}
 
/* Return true iff the given channel address is marked as malicious. This is
 * called a lot and part of the fast path of handling cells. It has to remain
 * as fast as we can. */
static int
cc_channel_addr_is_marked(channel_t *chan)
{
  time_t now;
  tor_addr_t addr;
  clientmap_entry_t *entry;
  cc_client_stats_t *stats = NULL;
 
  if (chan == NULL) {
    goto end;
  }
  /* Must be a client connection else we ignore. */
  if (!channel_is_client(chan)) {
    goto end;
  }
  /* Without an IP address, nothing can work. */
  if (!channel_get_addr_if_possible(chan, &addr)) {
    goto end;
  }
 
  /* We are only interested in client connection from the geoip cache. */
  entry = geoip_lookup_client(&addr, NULL, GEOIP_CLIENT_CONNECT);
  if (entry == NULL) {
    /* We can have a connection creating circuits but not tracked by the geoip
     * cache. Once this DoS subsystem is enabled, we can end up here with no
     * entry for the channel. */
    goto end;
  }
  now = approx_time();
  stats = &entry->dos_stats.cc_stats;
 
 end:
  return stats && stats->marked_until_ts >= now;
}
 
/* Concurrent connection private API. */
 
/* Mark client connection stats by setting a timestamp which tells us until
 * when it is marked as positively detected. */
static void
conn_mark_client(conn_client_stats_t *stats)
{
  tor_assert(stats);
 
  /* We add a random offset of a maximum of half the defense time so it is
   * less predictable and thus more difficult to game. */
  stats->marked_until_ts =
    approx_time() + dos_conn_connect_defense_time_period +
    crypto_rand_int_range(1, dos_conn_connect_defense_time_period / 2);
}
 
/* Free everything for the connection DoS mitigation subsystem. */
static void
conn_free_all(void)
{
  dos_conn_enabled = 0;
}
 
/* Called when the consensus has changed. Do appropriate actions for the
 * connection mitigation subsystem. */
static void
conn_consensus_has_changed(const networkstatus_t *ns)
{
  /* Looking at the consensus, is the connection mitigation subsystem enabled?
   * If not and it was enabled before, clean it up. */
  if (dos_conn_enabled && !get_param_conn_enabled(ns)) {
    conn_free_all();
  }
}
 
/** Called when a new client connection has arrived. The following will update
 * the client connection statistics.
 *
 * The addr is used for logging purposes only.
 *
 * If the connect counter reaches its limit, it is marked. */
static void
conn_update_on_connect(conn_client_stats_t *stats, const tor_addr_t *addr)
{
  tor_assert(stats);
  tor_assert(addr);
 
  /* Update concurrent count for this new connect. */
  stats->concurrent_count++;
 
  /* Refill connect connection count. */
  token_bucket_ctr_refill(&stats->connect_count,
                          (uint32_t) monotime_coarse_absolute_sec());
 
  /* Decrement counter for this new connection. */
  if (token_bucket_ctr_get(&stats->connect_count) > 0) {
    token_bucket_ctr_dec(&stats->connect_count, 1);
  }
 
  /* Assess connect counter. Mark it if counter is down to 0 and we haven't
   * marked it before or it was reset. This is to avoid to re-mark it over and
   * over again extending continuously the blocked time. */
  if (token_bucket_ctr_get(&stats->connect_count) == 0 &&
      stats->marked_until_ts == 0) {
    conn_mark_client(stats);
  }
 
  log_debug(LD_DOS, "Client address %s has now %u concurrent connections. "
                    "Remaining %" TOR_PRIuSZ "/sec connections are allowed.",
            fmt_addr(addr), stats->concurrent_count,
            token_bucket_ctr_get(&stats->connect_count));
}
 
/** Called when a client connection is closed. The following will update
 * the client connection statistics.
 *
 * The addr is used for logging purposes only. */
static void
conn_update_on_close(conn_client_stats_t *stats, const tor_addr_t *addr)
{
  /* Extra super duper safety. Going below 0 means an underflow which could
   * lead to most likely a false positive. In theory, this should never happen
   * but let's be extra safe. */
  if (BUG(stats->concurrent_count == 0)) {
    return;
  }
 
  stats->concurrent_count--;
  log_debug(LD_DOS, "Client address %s has lost a connection. Concurrent "
                    "connections are now at %u",
            fmt_addr(addr), stats->concurrent_count);
}
 
/* General private API */
 
/* Return true iff we have at least one DoS detection enabled. This is used to
 * decide if we need to allocate any kind of high level DoS object. */
static inline int
dos_is_enabled(void)
{
  return (dos_cc_enabled || dos_conn_enabled);
}
 
/* Circuit creation public API. */
 
/** Return the number of rejected circuits. */
uint64_t
dos_get_num_cc_rejected(void)
{
  return cc_num_rejected_cells;
}
 
/** Return the number of marked addresses. */
uint32_t
dos_get_num_cc_marked_addr(void)
{
  return cc_num_marked_addrs;
}
 
/** Return the number of marked addresses due to max queue limit reached. */
uint32_t
dos_get_num_cc_marked_addr_maxq(void)
{
  return cc_num_marked_addrs_max_queue;
}
 
/** Return number of concurrent connections rejected. */
uint64_t
dos_get_num_conn_addr_rejected(void)
{
  return conn_num_addr_rejected;
}
 
/** Return the number of connection rejected. */
uint64_t
dos_get_num_conn_addr_connect_rejected(void)
{
  return conn_num_addr_connect_rejected;
}
 
/** Return the number of single hop refused. */
uint64_t
dos_get_num_single_hop_refused(void)
{
  return num_single_hop_client_refused;
}
 
/* Called when a CREATE cell is received from the given channel. */
void
dos_cc_new_create_cell(channel_t *chan)
{
  tor_addr_t addr;
  clientmap_entry_t *entry;
 
  tor_assert(chan);
 
  /* Skip everything if not enabled. */
  if (!dos_cc_enabled) {
    goto end;
  }
 
  /* Must be a client connection else we ignore. */
  if (!channel_is_client(chan)) {
    goto end;
  }
  /* Without an IP address, nothing can work. */
  if (!channel_get_addr_if_possible(chan, &addr)) {
    goto end;
  }
 
  /* We are only interested in client connection from the geoip cache. */
  entry = geoip_lookup_client(&addr, NULL, GEOIP_CLIENT_CONNECT);
  if (entry == NULL) {
    /* We can have a connection creating circuits but not tracked by the geoip
     * cache. Once this DoS subsystem is enabled, we can end up here with no
     * entry for the channel. */
    goto end;
  }
 
  /* General comment. Even though the client can already be marked as
   * malicious, we continue to track statistics. If it keeps going above
   * threshold while marked, the defense period time will grow longer. There
   * is really no point at unmarking a client that keeps DoSing us. */
 
  /* First of all, we'll try to refill the circuit bucket opportunistically
   * before we assess. */
  cc_stats_refill_bucket(&entry->dos_stats.cc_stats, &addr);
 
  /* Take a token out of the circuit bucket if we are above 0 so we don't
   * underflow the bucket. */
  if (entry->dos_stats.cc_stats.circuit_bucket > 0) {
    entry->dos_stats.cc_stats.circuit_bucket--;
  }
 
  /* This is the detection. Assess at every CREATE cell if the client should
   * get marked as malicious. This should be kept as fast as possible. */
  if (cc_has_exhausted_circuits(&entry->dos_stats)) {
    /* If this is the first time we mark this entry, log it.
     * Under heavy DDoS, logging each time we mark would results in lots and
     * lots of logs. */
    if (entry->dos_stats.cc_stats.marked_until_ts == 0) {
      log_debug(LD_DOS, "Detected circuit creation DoS by address: %s",
                fmt_addr(&addr));
      cc_num_marked_addrs++;
    }
    cc_mark_client(&entry->dos_stats.cc_stats);
  }
 
 end:
  return;
}
 
/* Return the defense type that should be used for this circuit.
 *
 * This is part of the fast path and called a lot. */
dos_cc_defense_type_t
dos_cc_get_defense_type(channel_t *chan)
{
  tor_assert(chan);
 
  /* Skip everything if not enabled. */
  if (!dos_cc_enabled) {
    goto end;
  }
 
  /* On an OR circuit, we'll check if the previous channel is a marked client
   * connection detected by our DoS circuit creation mitigation subsystem. */
  if (cc_channel_addr_is_marked(chan)) {
    /* We've just assess that this circuit should trigger a defense for the
     * cell it just seen. Note it down. */
    cc_num_rejected_cells++;
    return dos_cc_defense_type;
  }
 
 end:
  return DOS_CC_DEFENSE_NONE;
}
 
/* Concurrent connection detection public API. */
 
/* Return true iff the given address is permitted to open another connection.
 * A defense value is returned for the caller to take appropriate actions. */
dos_conn_defense_type_t
dos_conn_addr_get_defense_type(const tor_addr_t *addr)
{
  clientmap_entry_t *entry;
 
  tor_assert(addr);
 
  /* Skip everything if not enabled. */
  if (!dos_conn_enabled) {
    goto end;
  }
 
  /* We are only interested in client connection from the geoip cache. */
  entry = geoip_lookup_client(addr, NULL, GEOIP_CLIENT_CONNECT);
  if (entry == NULL) {
    goto end;
  }
 
  /* Is this address marked as making too many client connections? */
  if (entry->dos_stats.conn_stats.marked_until_ts >= approx_time()) {
    conn_num_addr_connect_rejected++;
    return dos_conn_defense_type;
  }
  /* Reset it to 0 here so that if the marked timestamp has expired that is
   * we've gone beyond it, we have to reset it so the detection can mark it
   * again in the future. */
  entry->dos_stats.conn_stats.marked_until_ts = 0;
 
  /* Need to be above the maximum concurrent connection count to trigger a
   * defense. */
  if (entry->dos_stats.conn_stats.concurrent_count >
      dos_conn_max_concurrent_count) {
    conn_num_addr_rejected++;
    return dos_conn_defense_type;
  }
 
 end:
  return DOS_CONN_DEFENSE_NONE;
}
 
/* Stream creation public API. */
 
/** Return the number of rejected stream and resolve. */
uint64_t
dos_get_num_stream_rejected(void)
{
  return stream_num_rejected;
}
 
/* Return the action to take against a BEGIN or RESOLVE cell. Return
 *  DOS_STREAM_DEFENSE_NONE when no action should be taken.
 *  Increment the appropriate counter when the cell was found to go over a
 *  limit. */
dos_stream_defense_type_t
dos_stream_new_begin_or_resolve_cell(or_circuit_t *circ)
{
  if (!dos_stream_enabled || circ == NULL)
    return DOS_STREAM_DEFENSE_NONE;
 
  token_bucket_ctr_refill(&circ->stream_limiter,
                          (uint32_t) monotime_coarse_absolute_sec());
 
  if (token_bucket_ctr_get(&circ->stream_limiter) > 0) {
    token_bucket_ctr_dec(&circ->stream_limiter, 1);
    return DOS_STREAM_DEFENSE_NONE;
  }
  /* if defense type is DOS_STREAM_DEFENSE_NONE but DoSStreamEnabled is true,
   * we count offending cells as rejected, despite them being actually
   * accepted. */
  ++stream_num_rejected;
  return dos_stream_defense_type;
}
 
/* Initialize the token bucket for stream rate limit on a circuit. */
void
dos_stream_init_circ_tbf(or_circuit_t *circ)
{
  token_bucket_ctr_init(&circ->stream_limiter, dos_stream_rate,
                        dos_stream_burst,
                        (uint32_t) monotime_coarse_absolute_sec());
}
 
/* General API */
 
/* Take any appropriate actions for the given geoip entry that is about to get
 * freed. This is called for every entry that is being freed.
 *
 * This function will clear out the connection tracked flag if the concurrent
 * count of the entry is above 0 so if those connections end up being seen by
 * this subsystem, we won't try to decrement the counter for a new geoip entry
 * that might have been added after this call for the same address. */
void
dos_geoip_entry_about_to_free(const clientmap_entry_t *geoip_ent)
{
  tor_assert(geoip_ent);
 
  /* The count is down to 0 meaning no connections right now, we can safely
   * clear the geoip entry from the cache. */
  if (geoip_ent->dos_stats.conn_stats.concurrent_count == 0) {
    goto end;
  }
 
  /* For each connection matching the geoip entry address, we'll clear the
   * tracked flag because the entry is about to get removed from the geoip
   * cache. We do not try to decrement if the flag is not set. */
  SMARTLIST_FOREACH_BEGIN(get_connection_array(), connection_t *, conn) {
    if (conn->type == CONN_TYPE_OR) {
      or_connection_t *or_conn = TO_OR_CONN(conn);
      if (!tor_addr_compare(&geoip_ent->addr, &TO_CONN(or_conn)->addr,
                            CMP_EXACT)) {
        or_conn->tracked_for_dos_mitigation = 0;
      }
    }
  } SMARTLIST_FOREACH_END(conn);
 
 end:
  return;
}
 
/** A new geoip client entry has been allocated, initialize its DoS object. */
void
dos_geoip_entry_init(clientmap_entry_t *geoip_ent)
{
  tor_assert(geoip_ent);
 
  /* Initialize the connection count counter with the rate and burst
   * parameters taken either from configuration or consensus.
   *
   * We do this even if the DoS connection detection is not enabled because it
   * can be enabled at runtime and these counters need to be valid. */
  token_bucket_ctr_init(&geoip_ent->dos_stats.conn_stats.connect_count,
                        dos_conn_connect_rate, dos_conn_connect_burst,
                        (uint32_t) monotime_coarse_absolute_sec());
}
 
/** Note that the given channel has sent outbound the maximum amount of cell
 * allowed on the next channel. */
void
dos_note_circ_max_outq(const channel_t *chan)
{
  tor_addr_t addr;
  clientmap_entry_t *entry;
 
  tor_assert(chan);
 
  /* Skip everything if circuit creation defense is disabled. */
  if (!dos_cc_enabled) {
    goto end;
  }
 
  /* Must be a client connection else we ignore. */
  if (!channel_is_client(chan)) {
    goto end;
  }
  /* Without an IP address, nothing can work. */
  if (!channel_get_addr_if_possible(chan, &addr)) {
    goto end;
  }
 
  /* We are only interested in client connection from the geoip cache. */
  entry = geoip_lookup_client(&addr, NULL, GEOIP_CLIENT_CONNECT);
  if (entry == NULL) {
    goto end;
  }
 
  /* Is the client marked? If yes, just ignore. */
  if (entry->dos_stats.cc_stats.marked_until_ts >= approx_time()) {
    goto end;
  }
 
  /* If max outq parameter is 0, it means disabled, just ignore. */
  if (dos_num_circ_max_outq == 0) {
    goto end;
  }
 
  entry->dos_stats.num_circ_max_cell_queue_size++;
 
  /* This is the detection. If we have reached the maximum amount of times a
   * client IP is allowed to reach this limit, mark client. */
  if (entry->dos_stats.num_circ_max_cell_queue_size >=
      dos_num_circ_max_outq) {
    /* Only account for this marked address if this is the first time we block
     * it else our counter is inflated with non unique entries. */
    if (entry->dos_stats.cc_stats.marked_until_ts == 0) {
      cc_num_marked_addrs_max_queue++;
    }
    log_info(LD_DOS, "Detected outbound max circuit queue from addr: %s",
             fmt_addr(&addr));
    cc_mark_client(&entry->dos_stats.cc_stats);
 
    /* Reset after being marked so once unmarked, we start back clean. */
    entry->dos_stats.num_circ_max_cell_queue_size = 0;
  }
 
 end:
  return;
}
 
/* Note down that we've just refused a single hop client. This increments a
 * counter later used for the heartbeat. */
void
dos_note_refuse_single_hop_client(void)
{
  num_single_hop_client_refused++;
}
 
/* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should
 * be refused. */
int
dos_should_refuse_single_hop_client(void)
{
  /* If we aren't a public relay, this shouldn't apply to anything. */
  if (!public_server_mode(get_options())) {
    return 0;
  }
 
  if (dos_get_options()->DoSRefuseSingleHopClientRendezvous != -1) {
    return dos_get_options()->DoSRefuseSingleHopClientRendezvous;
  }
 
  return (int) networkstatus_get_param(NULL,
                                       "DoSRefuseSingleHopClientRendezvous",
                                       0 /* default */, 0, 1);
}
 
/* Log a heartbeat message with some statistics. */
void
dos_log_heartbeat(void)
{
  smartlist_t *elems = smartlist_new();
 
  /* Stats number coming from relay.c append_cell_to_circuit_queue(). */
  smartlist_add_asprintf(elems,
                         "%" PRIu64 " circuits killed with too many cells",
                         stats_n_circ_max_cell_reached);
 
  if (dos_cc_enabled) {
    smartlist_add_asprintf(elems,
                           "%" PRIu64 " circuits rejected, "
                           "%" PRIu32 " marked addresses, "
                           "%" PRIu32 " marked addresses for max queue",
                           cc_num_rejected_cells, cc_num_marked_addrs,
                           cc_num_marked_addrs_max_queue);
  } else {
    smartlist_add_asprintf(elems, "[DoSCircuitCreationEnabled disabled]");
  }
 
  if (dos_conn_enabled) {
    smartlist_add_asprintf(elems,
                           "%" PRIu64 " same address concurrent "
                           "connections rejected", conn_num_addr_rejected);
    smartlist_add_asprintf(elems,
                           "%" PRIu64 " connections rejected",
                           conn_num_addr_connect_rejected);
  } else {
    smartlist_add_asprintf(elems, "[DoSConnectionEnabled disabled]");
  }
 
  if (dos_should_refuse_single_hop_client()) {
    smartlist_add_asprintf(elems,
                           "%" PRIu64 " single hop clients refused",
                           num_single_hop_client_refused);
  } else {
    smartlist_add_asprintf(elems,
                           "[DoSRefuseSingleHopClientRendezvous disabled]");
  }
 
  if (dos_stream_enabled) {
    smartlist_add_asprintf(elems,
                           "%" PRIu64 " stream rejected",
                           stream_num_rejected);
  } else {
    smartlist_add_asprintf(elems, "[DoSStreamCreationEnabled disabled]");
  }
 
  /* HS DoS stats. */
  smartlist_add_asprintf(elems,
                         "%" PRIu64 " INTRODUCE2 rejected",
                         hs_dos_get_intro2_rejected_count());
 
  char *msg = smartlist_join_strings(elems, ", ", 0, NULL);
 
  log_notice(LD_HEARTBEAT,
             "Heartbeat: DoS mitigation since startup: %s.", msg);
 
  tor_free(msg);
  SMARTLIST_FOREACH(elems, char *, e, tor_free(e));
  smartlist_free(elems);
}
 
/* Called when a new client connection has been established on the given
 * address. */
void
dos_new_client_conn(or_connection_t *or_conn, const char *transport_name)
{
  clientmap_entry_t *entry;
 
  tor_assert(or_conn);
  tor_assert_nonfatal(!or_conn->tracked_for_dos_mitigation);
 
  /* Past that point, we know we have at least one DoS detection subsystem
   * enabled so we'll start allocating stuff. */
  if (!dos_is_enabled()) {
    goto end;
  }
 
  /* We are only interested in client connection from the geoip cache. */
  entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, transport_name,
                              GEOIP_CLIENT_CONNECT);
  if (BUG(entry == NULL)) {
    /* Should never happen because we note down the address in the geoip
     * cache before this is called. */
    goto end;
  }
 
  /* Update stats from this new connect. */
  conn_update_on_connect(&entry->dos_stats.conn_stats,
                         &TO_CONN(or_conn)->addr);
 
  or_conn->tracked_for_dos_mitigation = 1;
 
 end:
  return;
}
 
/* Called when a client connection for the given IP address has been closed. */
void
dos_close_client_conn(const or_connection_t *or_conn)
{
  clientmap_entry_t *entry;
 
  tor_assert(or_conn);
 
  /* We have to decrement the count on tracked connection only even if the
   * subsystem has been disabled at runtime because it might be re-enabled
   * after and we need to keep a synchronized counter at all time. */
  if (!or_conn->tracked_for_dos_mitigation) {
    goto end;
  }
 
  /* We are only interested in client connection from the geoip cache. */
  entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, NULL,
                              GEOIP_CLIENT_CONNECT);
  if (entry == NULL) {
    /* This can happen because we can close a connection before the channel
     * got to be noted down in the geoip cache. */
    goto end;
  }
 
  /* Update stats from this new close. */
  conn_update_on_close(&entry->dos_stats.conn_stats, &TO_CONN(or_conn)->addr);
 
 end:
  return;
}
 
/* Called when the consensus has changed. We might have new consensus
 * parameters to look at. */
void
dos_consensus_has_changed(const networkstatus_t *ns)
{
  /* There are two ways to configure this subsystem, one at startup through
   * dos_init() which is called when the options are parsed. And this one
   * through the consensus. We don't want to enable any DoS mitigation if we
   * aren't a public relay. */
  if (!public_server_mode(get_options())) {
    return;
  }
 
  cc_consensus_has_changed(ns);
  conn_consensus_has_changed(ns);
 
  /* We were already enabled or we just became enabled but either way, set the
   * consensus parameters for all subsystems. */
  set_dos_parameters(ns);
}
 
/* Return true iff the DoS mitigation subsystem is enabled. */
int
dos_enabled(void)
{
  return dos_is_enabled();
}
 
/* Free everything from the Denial of Service subsystem. */
void
dos_free_all(void)
{
  /* Free the circuit creation mitigation subsystem. It is safe to do this
   * even if it wasn't initialized. */
  cc_free_all();
 
  /* Free the connection mitigation subsystem. It is safe to do this even if
   * it wasn't initialized. */
  conn_free_all();
}
 
/* Initialize the Denial of Service subsystem. */
void
dos_init(void)
{
  /* To initialize, we only need to get the parameters. */
  set_dos_parameters(NULL);
}