Mercurial > hg > nginx
comparison src/http/v3/ngx_http_v3.c @ 8881:72b304f6207c quic
HTTP/3: traffic-based flood detection.
With this patch, all traffic over HTTP/3 bidi and uni streams is counted in
the h3c->total_bytes field, and payload traffic is counted in the
h3c->payload_bytes field. As long as total traffic is many times larger than
payload traffic, we consider this to be a flood.
Request header traffic is counted as if all fields are literal. Response
header traffic is counted as is.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Thu, 07 Oct 2021 13:22:42 +0300 |
| parents | 1fec68e322d0 |
| children | 925572184d4a |
comparison
equal
deleted
inserted
replaced
| 8880:a09bcc304eef | 8881:72b304f6207c |
|---|---|
| 84 | 84 |
| 85 if (h3c->keepalive.timer_set) { | 85 if (h3c->keepalive.timer_set) { |
| 86 ngx_del_timer(&h3c->keepalive); | 86 ngx_del_timer(&h3c->keepalive); |
| 87 } | 87 } |
| 88 } | 88 } |
| 89 | |
| 90 | |
| 91 ngx_int_t | |
| 92 ngx_http_v3_check_flood(ngx_connection_t *c) | |
| 93 { | |
| 94 ngx_http_v3_session_t *h3c; | |
| 95 | |
| 96 h3c = ngx_http_v3_get_session(c); | |
| 97 | |
| 98 if (h3c->total_bytes / 8 > h3c->payload_bytes + 1048576) { | |
| 99 ngx_log_error(NGX_LOG_INFO, c->log, 0, "http3 flood detected"); | |
| 100 | |
| 101 ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR, | |
| 102 "HTTP/3 flood detected"); | |
| 103 return NGX_ERROR; | |
| 104 } | |
| 105 | |
| 106 return NGX_OK; | |
| 107 } |