comparison src/http/v3/ngx_http_v3.c @ 8881:72b304f6207c quic
HTTP/3: traffic-based flood detection.
With this patch, all traffic over HTTP/3 bidi and uni streams is counted in
the h3c->total_bytes field, and payload traffic is counted in the
h3c->payload_bytes field. As long as total traffic is many times larger than
payload traffic, we consider this to be a flood.
Request header traffic is counted as if all fields are literal. Response
header traffic is counted as is.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Thu, 07 Oct 2021 13:22:42 +0300 |
parents | 1fec68e322d0 |
children | 925572184d4a |
comparison
8880:a09bcc304eef | 8881:72b304f6207c |
---|---|
84 | 84 |
85 if (h3c->keepalive.timer_set) { | 85 if (h3c->keepalive.timer_set) { |
86 ngx_del_timer(&h3c->keepalive); | 86 ngx_del_timer(&h3c->keepalive); |
87 } | 87 } |
88 } | 88 } |
89 | |
90 | |
91 ngx_int_t | |
92 ngx_http_v3_check_flood(ngx_connection_t *c) | |
93 { | |
94 ngx_http_v3_session_t *h3c; | |
95 | |
96 h3c = ngx_http_v3_get_session(c); | |
97 | |
98 if (h3c->total_bytes / 8 > h3c->payload_bytes + 1048576) { | |
99 ngx_log_error(NGX_LOG_INFO, c->log, 0, "http3 flood detected"); | |
100 | |
101 ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR, | |
102 "HTTP/3 flood detected"); | |
103 return NGX_ERROR; | |
104 } | |
105 | |
106 return NGX_OK; | |
107 } |
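Review bot: The flood test in ngx_http_v3_check_flood(), `h3c->total_bytes / 8 > h3c->payload_bytes + 1048576`, uses two bare constants with no comment, so the policy it encodes (total traffic above roughly eight times the payload plus an 8 MB allowance) has to be re-derived by every reader and cannot be tuned without editing the expression. I would name the two values and add a comment above the `if`, for example `/* flood: total traffic exceeds 8x payload traffic plus 8M of slack */`. The log line `"http3 flood detected"` also records neither counter, which leaves an operator unable to tell a false positive from a real flood; adding h3c->total_bytes and h3c->payload_bytes to the message, with format specifiers matching their declared types (not visible on this page), would fix that. The result of ngx_http_v3_get_session(c) is dereferenced unchecked; presumably it cannot be NULL on an established HTTP/3 connection, but that is worth confirming against the callers.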