comparison src/event/quic/ngx_event_quic.c @ 8882:6204120cf37f quic
QUIC: traffic-based flood detection.
With this patch, all traffic over a QUIC connection is compared to traffic
over QUIC streams. As long as total traffic is many times larger than stream
traffic, we consider this to be a flood.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Wed, 13 Oct 2021 14:41:46 +0300 |
parents | c4f249d485e3 |
children | d041b8d6ab0b |
8881:72b304f6207c | 8882:6204120cf37f |
---|---|
663 | 663 |
664 | 664 |
665 static ngx_int_t | 665 static ngx_int_t |
666 ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b, ngx_quic_conf_t *conf) | 666 ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b, ngx_quic_conf_t *conf) |
667 { | 667 { |
668 u_char *p; | 668 size_t size; |
669 ngx_int_t rc; | 669 u_char *p; |
670 ngx_uint_t good; | 670 ngx_int_t rc; |
671 ngx_quic_header_t pkt; | 671 ngx_uint_t good; |
672 ngx_quic_header_t pkt; | |
673 ngx_quic_connection_t *qc; | |
672 | 674 |
673 good = 0; | 675 good = 0; |
676 | |
677 size = b->last - b->pos; | |
674 | 678 |
675 p = b->pos; | 679 p = b->pos; |
676 | 680 |
677 while (p < b->last) { | 681 while (p < b->last) { |
678 | 682 |
734 b->pos = pkt.data + pkt.len; | 738 b->pos = pkt.data + pkt.len; |
735 | 739 |
736 p = b->pos; | 740 p = b->pos; |
737 } | 741 } |
738 | 742 |
739 return good ? NGX_OK : NGX_DECLINED; | 743 if (!good) { |
744 return NGX_DECLINED; | |
745 } | |
746 | |
747 qc = ngx_quic_get_connection(c); | |
748 | |
749 if (qc) { | |
750 qc->received += size; | |
751 | |
752 if ((uint64_t) (c->sent + qc->received) / 8 > | |
753 (qc->streams.sent + qc->streams.recv_last) + 1048576) | |
754 { | |
755 ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected"); | |
756 | |
757 qc->error = NGX_QUIC_ERR_NO_ERROR; | |
758 qc->error_reason = "QUIC flood detected"; | |
759 return NGX_ERROR; | |
760 } | |
761 } | |
762 | |
763 return NGX_OK; | |
740 } | 764 } |
741 | 765 |
742 | 766 |
743 static ngx_int_t | 767 static ngx_int_t |
744 ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf, | 768 ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf, |
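Review bot: The flood test at new lines 752-753 relies on two bare constants, the divisor `8` and the `1048576` allowance, with no comment saying what rule they encode. A comment above the `if`, for example `/* flood: total bytes / 8 exceed stream bytes plus a 1 MiB allowance */`, would let an operator tie a "quic flood detected" entry back to the threshold that fired. The `if (!good)` return at line 743 also precedes `qc->received += size`, so a datagram with no accepted packet never reaches the total; if that is deliberate the same comment should say so. The event is written at `NGX_LOG_INFO`, so a log configured for a higher severity will not record detections. The loop body between new lines 682 and 738 is not shown here, so any earlier returns inside it are not covered by this note.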