premiere
/
premiere-libtorrent
2
2
Fork 1
Code Issues Pull Requests Releases Wiki Activity

make DHT dos mitigation parameters configurable via dht_settings

This commit is contained in:
Arvid Norberg 2015-01-01 23:24:21 +00:00
parent 5c04eb7d00
commit dbf461ac23
4 changed files with 50 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
include/libtorrent/kademlia/dos_blocker.hpp
View File

@ -36,12 +36,13 @@ POSSIBILITY OF SUCH DAMAGE.
#include "libtorrent/config.hpp" #include "libtorrent/config.hpp"
#include "libtorrent/time.hpp" #include "libtorrent/time.hpp"
#include "libtorrent/address.hpp" #include "libtorrent/address.hpp"
#include "libtorrent/assert.hpp"
namespace libtorrent { namespace dht namespace libtorrent { namespace dht
{ {
// this is a class that maintains a list of abusive DHT nodes, // this is a class that maintains a list of abusive DHT nodes,
// blocking their access to our DHT node. // blocking their access to our DHT node.
struct TORRENT_EXTRA_EXPORT dos_blocker struct TORRENT_EXTRA_EXPORT dos_blocker
{ {
dos_blocker(); dos_blocker();
@ -51,6 +52,18 @@ namespace libtorrent { namespace dht
// it's blocked // it's blocked
bool incoming(address addr, ptime now); bool incoming(address addr, ptime now);
void set_rate_limit(int l)
{
TORRENT_ASSERT(l > 0);
m_message_rate_limit = l;
}
void set_block_timer(int t)
{
TORRENT_ASSERT(t > 0);
m_block_timeout = t;
}
private: private:
// used to ignore abusive dht nodes // used to ignore abusive dht nodes
@ -64,12 +77,17 @@ namespace libtorrent { namespace dht
enum { num_ban_nodes = 20 }; enum { num_ban_nodes = 20 };
// the max number of packets we can receive per second from a node before
// we block it.
int m_message_rate_limit;
// the number of seconds a node gets blocked for when it exceeds the rate
// limit
int m_block_timeout;
node_ban_entry m_ban_nodes[num_ban_nodes]; node_ban_entry m_ban_nodes[num_ban_nodes];
}; };
}}
}
}
#endif #endif

11
include/libtorrent/session_settings.hpp
View File

@ -1495,6 +1495,8 @@ namespace libtorrent
, privacy_lookups(false) , privacy_lookups(false)
, enforce_node_id(false) , enforce_node_id(false)
, ignore_dark_internet(true) , ignore_dark_internet(true)
, block_timeout(5 * 60)
, block_ratelimit(5)
{} {}
// the maximum number of peers to send in a reply to ``get_peers`` // the maximum number of peers to send in a reply to ``get_peers``
@ -1571,6 +1573,15 @@ namespace libtorrent
// ignore DHT messages from parts of the internet we wouldn't expect to // ignore DHT messages from parts of the internet we wouldn't expect to
// see any traffic from // see any traffic from
bool ignore_dark_internet; bool ignore_dark_internet;
// the number of seconds a DHT node is banned if it exceeds the rate
// limit. The rate limit is averaged over 10 seconds to allow for bursts
// above the limit.
int block_timeout;
// the max number of packets per second a DHT node is allowed to send
// without getting banned.
int block_ratelimit;
}; };

5
src/kademlia/dht_tracker.cpp
View File

@ -287,6 +287,11 @@ namespace libtorrent { namespace dht
if (e || m_abort) return; if (e || m_abort) return;
m_dht.tick(); m_dht.tick();
// periodically update the DOS blocker's settings from the dht_settings
m_blocker.set_block_timer(m_settings.block_timeout);
m_blocker.set_rate_limit(m_settings.block_ratelimit);
error_code ec; error_code ec;
m_refresh_timer.expires_from_now(seconds(5), ec); m_refresh_timer.expires_from_now(seconds(5), ec);
m_refresh_timer.async_wait( m_refresh_timer.async_wait(

20
src/kademlia/dos_blocker.cpp
View File

@ -44,6 +44,8 @@ namespace libtorrent { namespace dht
#endif #endif
dos_blocker::dos_blocker() dos_blocker::dos_blocker()
: m_message_rate_limit(5)
, m_block_timeout(5 * 60)
{ {
for (int i = 0; i < num_ban_nodes; ++i) for (int i = 0; i < num_ban_nodes; ++i)
{ {
@ -72,28 +74,27 @@ namespace libtorrent { namespace dht
{ {
++match->count; ++match->count;
// TODO: 2 make these limits configurable if (match->count >= m_message_rate_limit * 10)
if (match->count >= 50)
{ {
if (now < match->limit) if (now < match->limit)
{ {
if (match->count == 50) if (match->count == m_message_rate_limit * 10)
{ {
#ifdef TORRENT_DHT_VERBOSE_LOGGING #ifdef TORRENT_DHT_VERBOSE_LOGGING
TORRENT_LOG(dht_tracker) << " BANNING PEER [ ip: " TORRENT_LOG(dht_tracker) << " BANNING PEER [ ip: "
<< addr << " time: " << total_milliseconds((now - match->limit) + seconds(10)) / 1000.f << addr << " time: " << total_milliseconds((now - match->limit) + seconds(10)) / 1000.f
<< " count: " << match->count << " ]"; << " count: " << match->count << " ]";
#endif #endif
// we've received 50 messages in less than 10 seconds from // we've received too many messages in less than 10 seconds
// this node. Ignore it until it's silent for 5 minutes // from this node. Ignore it until it's silent for 5 minutes
match->limit = now + minutes(5); match->limit = now + seconds(m_block_timeout);
} }
return false; return false;
} }
// we got 50 messages from this peer, but it was in // the messages we received from this peer took more than 10
// more than 10 seconds. Reset the counter and the timer // seconds. Reset the counter and the timer
match->count = 0; match->count = 0;
match->limit = now + seconds(10); match->limit = now + seconds(10);
} }
@ -106,6 +107,5 @@ namespace libtorrent { namespace dht
} }
return true; return true;
} }
} }}
}