X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_socket.c;h=ded9224d48dd720bfd11ccb7e9c6f334da0d8060;hb=54127996ca4156668b6c7df3bb5d8f952dc598ad;hp=5332ed20326702c8de68bf6ce22b6df2ea560924;hpb=4c30004cb6dc23616d7295b0ce631f066e7f1f82;p=tinc diff --git a/src/net_socket.c b/src/net_socket.c index 5332ed20..ded9224d 100644 --- a/src/net_socket.c +++ b/src/net_socket.c @@ -45,6 +45,7 @@ int maxtimeout = 900; int seconds_till_retry = 5; int udp_rcvbuf = 0; int udp_sndbuf = 0; +int max_connection_burst = 100; listen_socket_t listen_socket[MAXSOCKETS]; int listen_sockets; @@ -561,6 +562,47 @@ void handle_new_meta_connection(void *data, int flags) { sockaddrunmap(&sa); + // Check if we get many connections from the same host + + static sockaddr_t prev_sa; + static time_t prev_time; + static int tarpit = -1; + + if(tarpit >= 0) { + closesocket(tarpit); + tarpit = -1; + } + + if(prev_time == now.tv_sec && !sockaddrcmp_noport(&sa, &prev_sa)) { + // if so, keep the connection open but ignore it completely. + tarpit = fd; + return; + } + + memcpy(&prev_sa, &sa, sizeof sa); + prev_time = now.tv_sec; + + // Check if we get many connections from different hosts + + static int connection_burst; + static int connection_burst_time; + + if(now.tv_sec - connection_burst_time > connection_burst) + connection_burst = 0; + else + connection_burst -= now.tv_sec - connection_burst_time; + + connection_burst_time = now.tv_sec; + connection_burst++; + + if(connection_burst >= max_connection_burst) { + connection_burst = max_connection_burst; + tarpit = fd; + return; + } + + // Accept the new connection + c = new_connection(); c->name = xstrdup(""); c->outcipher = myself->connection->outcipher; @@ -674,7 +716,7 @@ void try_outgoing_connections(void) { } if(!found) { - outgoing_t *outgoing = xmalloc_and_zero(sizeof *outgoing); + outgoing_t *outgoing = xzalloc(sizeof *outgoing); outgoing->name = name; list_insert_tail(outgoing_list, outgoing); setup_outgoing_connection(outgoing);