Welcome! Log In Create A New Profile

Re: [PATCH 4 of 5] QUIC: traffic-based flood detection

Forum List Message List New Topic Print View

Vladimir Homutov

October 12, 2021 08:40AM

On Thu, Oct 07, 2021 at 02:36:17PM +0300, Roman Arutyunyan wrote:
> # HG changeset patch
> # User Roman Arutyunyan <arut@nginx.com>
> # Date 1633602816 -10800
> # Thu Oct 07 13:33:36 2021 +0300
> # Branch quic
> # Node ID e20f00b8ac9005621993ea19375b1646c9182e7b
> # Parent 31561ac584b74d29af9a442afca47821a98217b2
> QUIC: traffic-based flood detection.
>
> With this patch, all traffic over a QUIC connection is compared to traffic
> over QUIC streams. As long as total traffic is many times larger than stream
> traffic, we consider this to be a flood.
>
> diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
> --- a/src/event/quic/ngx_event_quic.c
> +++ b/src/event/quic/ngx_event_quic.c
> @@ -662,13 +662,17 @@ ngx_quic_close_timer_handler(ngx_event_t
> static ngx_int_t
> ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b, ngx_quic_conf_t *conf)
> {
> - u_char *p;
> - ngx_int_t rc;
> - ngx_uint_t good;
> - ngx_quic_header_t pkt;
> + size_t size;
> + u_char *p;
> + ngx_int_t rc;
> + ngx_uint_t good;
> + ngx_quic_header_t pkt;
> + ngx_quic_connection_t *qc;
>
> good = 0;
>
> + size = b->last - b->pos;
> +
> p = b->pos;
>
> while (p < b->last) {
> @@ -701,7 +705,8 @@ ngx_quic_input(ngx_connection_t *c, ngx_
>
> if (rc == NGX_DONE) {
> /* stop further processing */
> - return NGX_DECLINED;
> + good = 0;
> + break;
> }

this chunk looks unnecessary: we will test 'good' after the loop and
return NGX_DECLINED anyway in this case (good = 0).

>
> if (rc == NGX_OK) {
> @@ -733,7 +738,27 @@ ngx_quic_input(ngx_connection_t *c, ngx_
> p = b->pos;
> }
>
> - return good ? NGX_OK : NGX_DECLINED;
> + if (!good) {
> + return NGX_DECLINED;
> + }
> +
> + qc = ngx_quic_get_connection(c);
> +
> + if (qc) {
> + qc->received += size;
> +
> + if ((uint64_t) (c->sent + qc->received) / 8 >
> + (qc->streams.sent + qc->streams.recv_last) + 1048576)
> + {

note: the comparison is intentionally similar to one used HTTP/2 for the
same purposes

> + ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
> +
> + qc->error = NGX_QUIC_ERR_NO_ERROR;
> + qc->error_reason = "QUIC flood detected";
> + return NGX_ERROR;
> + }
> + }
> +
> + return NGX_OK;
> }
>
>
> diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
> --- a/src/event/quic/ngx_event_quic_connection.h
> +++ b/src/event/quic/ngx_event_quic_connection.h
> @@ -236,6 +236,8 @@ struct ngx_quic_connection_s {
> ngx_quic_streams_t streams;
> ngx_quic_congestion_t congestion;
>
> + off_t received;
> +
> ngx_uint_t error;
> enum ssl_encryption_level_t error_level;
> ngx_uint_t error_ftype;

As a whole, it seems to be working good enough.
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 0 of 5] QUIC flood detection	Roman Arutyunyan	358	October 07, 2021 07:38AM
[PATCH 1 of 5] HTTP/3: removed client-side encoder support	Roman Arutyunyan	106	October 07, 2021 07:38AM
Re: [PATCH 1 of 5] HTTP/3: removed client-side encoder support	Vladimir Homutov	84	October 12, 2021 08:46AM
[PATCH 2 of 5] HTTP/3: fixed request length calculation	Roman Arutyunyan	126	October 07, 2021 07:38AM
Re: [PATCH 2 of 5] HTTP/3: fixed request length calculation	Vladimir Homutov	110	October 12, 2021 08:48AM
[PATCH 3 of 5] HTTP/3: traffic-based flood detection	Roman Arutyunyan	135	October 07, 2021 07:38AM
Re: [PATCH 3 of 5] HTTP/3: traffic-based flood detection	Vladimir Homutov	109	October 13, 2021 05:08AM
Re: [PATCH 3 of 5] HTTP/3: traffic-based flood detection	Roman Arutyunyan	106	October 13, 2021 07:38AM
[PATCH 4 of 5] QUIC: traffic-based flood detection	Roman Arutyunyan	182	October 07, 2021 07:38AM
Re: [PATCH 4 of 5] QUIC: traffic-based flood detection	Vladimir Homutov	212	October 12, 2021 08:40AM
Re: [PATCH 4 of 5] QUIC: traffic-based flood detection	Roman Arutyunyan	100	October 13, 2021 07:42AM
[PATCH 5 of 5] QUIC: limited the total number of frames	Roman Arutyunyan	100	October 07, 2021 07:38AM
Re: [PATCH 5 of 5] QUIC: limited the total number of frames	Vladimir Homutov	92	October 12, 2021 08:44AM
Re: [PATCH 5 of 5] QUIC: limited the total number of frames	Roman Arutyunyan	146	October 13, 2021 07:54AM
Re: [PATCH 0 of 5] QUIC flood detection	Roman Arutyunyan	225	October 07, 2021 07:46AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 249

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018