Welcome! Log In Create A New Profile

Re: [PATCH 4 of 5] QUIC: traffic-based flood detection

Forum List Message List New Topic Print View

Roman Arutyunyan

October 13, 2021 07:42AM

On Tue, Oct 12, 2021 at 03:39:38PM +0300, Vladimir Homutov wrote:
> On Thu, Oct 07, 2021 at 02:36:17PM +0300, Roman Arutyunyan wrote:
> > # HG changeset patch
> > # User Roman Arutyunyan <arut@nginx.com>
> > # Date 1633602816 -10800
> > # Thu Oct 07 13:33:36 2021 +0300
> > # Branch quic
> > # Node ID e20f00b8ac9005621993ea19375b1646c9182e7b
> > # Parent 31561ac584b74d29af9a442afca47821a98217b2
> > QUIC: traffic-based flood detection.
> >
> > With this patch, all traffic over a QUIC connection is compared to traffic
> > over QUIC streams. As long as total traffic is many times larger than stream
> > traffic, we consider this to be a flood.
> >
> > diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
> > --- a/src/event/quic/ngx_event_quic.c
> > +++ b/src/event/quic/ngx_event_quic.c
> > @@ -662,13 +662,17 @@ ngx_quic_close_timer_handler(ngx_event_t
> > static ngx_int_t
> > ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b, ngx_quic_conf_t *conf)
> > {
> > - u_char *p;
> > - ngx_int_t rc;
> > - ngx_uint_t good;
> > - ngx_quic_header_t pkt;
> > + size_t size;
> > + u_char *p;
> > + ngx_int_t rc;
> > + ngx_uint_t good;
> > + ngx_quic_header_t pkt;
> > + ngx_quic_connection_t *qc;
> >
> > good = 0;
> >
> > + size = b->last - b->pos;
> > +
> > p = b->pos;
> >
> > while (p < b->last) {
> > @@ -701,7 +705,8 @@ ngx_quic_input(ngx_connection_t *c, ngx_
> >
> > if (rc == NGX_DONE) {
> > /* stop further processing */
> > - return NGX_DECLINED;
> > + good = 0;
> > + break;
> > }
>
> this chunk looks unnecessary: we will test 'good' after the loop and
> return NGX_DECLINED anyway in this case (good = 0).

Sure, thanks. Removed this one.

> > if (rc == NGX_OK) {
> > @@ -733,7 +738,27 @@ ngx_quic_input(ngx_connection_t *c, ngx_
> > p = b->pos;
> > }
> >
> > - return good ? NGX_OK : NGX_DECLINED;
> > + if (!good) {
> > + return NGX_DECLINED;
> > + }
> > +
> > + qc = ngx_quic_get_connection(c);
> > +
> > + if (qc) {
> > + qc->received += size;
> > +
> > + if ((uint64_t) (c->sent + qc->received) / 8 >
> > + (qc->streams.sent + qc->streams.recv_last) + 1048576)
> > + {
>
> note: the comparison is intentionally similar to one used HTTP/2 for the
> same purposes
>
> > + ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
> > +
> > + qc->error = NGX_QUIC_ERR_NO_ERROR;
> > + qc->error_reason = "QUIC flood detected";
> > + return NGX_ERROR;
> > + }
> > + }
> > +
> > + return NGX_OK;
> > }
> >
> >
> > diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
> > --- a/src/event/quic/ngx_event_quic_connection.h
> > +++ b/src/event/quic/ngx_event_quic_connection.h
> > @@ -236,6 +236,8 @@ struct ngx_quic_connection_s {
> > ngx_quic_streams_t streams;
> > ngx_quic_congestion_t congestion;
> >
> > + off_t received;
> > +
> > ngx_uint_t error;
> > enum ssl_encryption_level_t error_level;
> > ngx_uint_t error_ftype;
>
> As a whole, it seems to be working good enough.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

--
Roman Arutyunyan
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 0 of 5] QUIC flood detection	Roman Arutyunyan	358	October 07, 2021 07:38AM
[PATCH 1 of 5] HTTP/3: removed client-side encoder support	Roman Arutyunyan	105	October 07, 2021 07:38AM
Re: [PATCH 1 of 5] HTTP/3: removed client-side encoder support	Vladimir Homutov	84	October 12, 2021 08:46AM
[PATCH 2 of 5] HTTP/3: fixed request length calculation	Roman Arutyunyan	126	October 07, 2021 07:38AM
Re: [PATCH 2 of 5] HTTP/3: fixed request length calculation	Vladimir Homutov	110	October 12, 2021 08:48AM
[PATCH 3 of 5] HTTP/3: traffic-based flood detection	Roman Arutyunyan	135	October 07, 2021 07:38AM
Re: [PATCH 3 of 5] HTTP/3: traffic-based flood detection	Vladimir Homutov	109	October 13, 2021 05:08AM
Re: [PATCH 3 of 5] HTTP/3: traffic-based flood detection	Roman Arutyunyan	106	October 13, 2021 07:38AM
[PATCH 4 of 5] QUIC: traffic-based flood detection	Roman Arutyunyan	182	October 07, 2021 07:38AM
Re: [PATCH 4 of 5] QUIC: traffic-based flood detection	Vladimir Homutov	212	October 12, 2021 08:40AM
Re: [PATCH 4 of 5] QUIC: traffic-based flood detection	Roman Arutyunyan	98	October 13, 2021 07:42AM
[PATCH 5 of 5] QUIC: limited the total number of frames	Roman Arutyunyan	100	October 07, 2021 07:38AM
Re: [PATCH 5 of 5] QUIC: limited the total number of frames	Vladimir Homutov	92	October 12, 2021 08:44AM
Re: [PATCH 5 of 5] QUIC: limited the total number of frames	Roman Arutyunyan	146	October 13, 2021 07:54AM
Re: [PATCH 0 of 5] QUIC flood detection	Roman Arutyunyan	224	October 07, 2021 07:46AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 291

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018