On Tue, Oct 12, 2021 at 03:39:38PM +0300, Vladimir Homutov wrote: > On Thu, Oct 07, 2021 at 02:36:17PM +0300, Roman Arutyunyan wrote: > > # HG changeset patch > > # User Roman Arutyunyan <a...@nginx.com> > > # Date 1633602816 -10800 > > # Thu Oct 07 13:33:36 2021 +0300 > > # Branch quic > > # Node ID e20f00b8ac9005621993ea19375b1646c9182e7b > > # Parent 31561ac584b74d29af9a442afca47821a98217b2 > > QUIC: traffic-based flood detection. > > > > With this patch, all traffic over a QUIC connection is compared to traffic > > over QUIC streams. As long as total traffic is many times larger than > > stream > > traffic, we consider this to be a flood. > > > > diff --git a/src/event/quic/ngx_event_quic.c > > b/src/event/quic/ngx_event_quic.c > > --- a/src/event/quic/ngx_event_quic.c > > +++ b/src/event/quic/ngx_event_quic.c > > @@ -662,13 +662,17 @@ ngx_quic_close_timer_handler(ngx_event_t > > static ngx_int_t > > ngx_quic_input(ngx_connection_t *c, ngx_buf_t *b, ngx_quic_conf_t *conf) > > { > > - u_char *p; > > - ngx_int_t rc; > > - ngx_uint_t good; > > - ngx_quic_header_t pkt; > > + size_t size; > > + u_char *p; > > + ngx_int_t rc; > > + ngx_uint_t good; > > + ngx_quic_header_t pkt; > > + ngx_quic_connection_t *qc; > > > > good = 0; > > > > + size = b->last - b->pos; > > + > > p = b->pos; > > > > while (p < b->last) { > > @@ -701,7 +705,8 @@ ngx_quic_input(ngx_connection_t *c, ngx_ > > > > if (rc == NGX_DONE) { > > /* stop further processing */ > > - return NGX_DECLINED; > > + good = 0; > > + break; > > } > > this chunk looks unnecessary: we will test 'good' after the loop and > return NGX_DECLINED anyway in this case (good = 0).
Sure, thanks. Removed this one. > > if (rc == NGX_OK) { > > @@ -733,7 +738,27 @@ ngx_quic_input(ngx_connection_t *c, ngx_ > > p = b->pos; > > } > > > > - return good ? NGX_OK : NGX_DECLINED; > > + if (!good) { > > + return NGX_DECLINED; > > + } > > + > > + qc = ngx_quic_get_connection(c); > > + > > + if (qc) { > > + qc->received += size; > > + > > + if ((uint64_t) (c->sent + qc->received) / 8 > > > + (qc->streams.sent + qc->streams.recv_last) + 1048576) > > + { > > note: the comparison is intentionally similar to one used HTTP/2 for the > same purposes > > > + ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected"); > > + > > + qc->error = NGX_QUIC_ERR_NO_ERROR; > > + qc->error_reason = "QUIC flood detected"; > > + return NGX_ERROR; > > + } > > + } > > + > > + return NGX_OK; > > } > > > > > > diff --git a/src/event/quic/ngx_event_quic_connection.h > > b/src/event/quic/ngx_event_quic_connection.h > > --- a/src/event/quic/ngx_event_quic_connection.h > > +++ b/src/event/quic/ngx_event_quic_connection.h > > @@ -236,6 +236,8 @@ struct ngx_quic_connection_s { > > ngx_quic_streams_t streams; > > ngx_quic_congestion_t congestion; > > > > + off_t received; > > + > > ngx_uint_t error; > > enum ssl_encryption_level_t error_level; > > ngx_uint_t error_ftype; > > As a whole, it seems to be working good enough. > _______________________________________________ > nginx-devel mailing list > nginx-devel@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel -- Roman Arutyunyan _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel