forked from I2P_Developers/i2p.i2p
SSU: Temporarily ban ip/port after inbound handshake failure
This commit is contained in:
zzz
@@ -113,6 +113,12 @@ class EstablishmentManager {
|
|||||||
*/
|
*/
|
||||||
private final ConcurrentHashMap<Hash, OutboundEstablishState> _outboundByHash;
|
private final ConcurrentHashMap<Hash, OutboundEstablishState> _outboundByHash;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Temporary inbound bans after previous IB failure, to prevent excessive DH.
|
||||||
|
* SSU 1 or 2. Value is expiration time.
|
||||||
|
*/
|
||||||
|
private final Map<RemoteHostId, Long> _inboundBans;
|
||||||
|
|
||||||
private volatile boolean _alive;
|
private volatile boolean _alive;
|
||||||
private final Object _activityLock;
|
private final Object _activityLock;
|
||||||
private int _activity;
|
private int _activity;
|
||||||
@@ -158,6 +164,8 @@ class EstablishmentManager {
|
|||||||
/** for the DSM and or netdb store */
|
/** for the DSM and or netdb store */
|
||||||
private static final int DATA_MESSAGE_TIMEOUT = 10*1000;
|
private static final int DATA_MESSAGE_TIMEOUT = 10*1000;
|
||||||
|
|
||||||
|
private static final int IB_BAN_TIME = 15*60*1000;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Java I2P has always parsed the length of the extended options field,
|
* Java I2P has always parsed the length of the extended options field,
|
||||||
* but i2pd hasn't recognized it until this release.
|
* but i2pd hasn't recognized it until this release.
|
||||||
@@ -188,6 +196,7 @@ class EstablishmentManager {
|
|||||||
_liveIntroductions = new ConcurrentHashMap<Long, OutboundEstablishState>();
|
_liveIntroductions = new ConcurrentHashMap<Long, OutboundEstablishState>();
|
||||||
_outboundByClaimedAddress = new ConcurrentHashMap<RemoteHostId, OutboundEstablishState>();
|
_outboundByClaimedAddress = new ConcurrentHashMap<RemoteHostId, OutboundEstablishState>();
|
||||||
_outboundByHash = new ConcurrentHashMap<Hash, OutboundEstablishState>();
|
_outboundByHash = new ConcurrentHashMap<Hash, OutboundEstablishState>();
|
||||||
|
_inboundBans = new LHMCache<RemoteHostId, Long>(32);
|
||||||
if (_enableSSU2) {
|
if (_enableSSU2) {
|
||||||
_inboundTokens = new LHMCache<RemoteHostId, Token>(MAX_TOKENS);
|
_inboundTokens = new LHMCache<RemoteHostId, Token>(MAX_TOKENS);
|
||||||
_outboundTokens = new LHMCache<RemoteHostId, Token>(MAX_TOKENS);
|
_outboundTokens = new LHMCache<RemoteHostId, Token>(MAX_TOKENS);
|
||||||
@@ -593,6 +602,19 @@ class EstablishmentManager {
|
|||||||
_context.statManager().addRateData("udp.establishBadIP", 1);
|
_context.statManager().addRateData("udp.establishBadIP", 1);
|
||||||
return; // drop the packet
|
return; // drop the packet
|
||||||
}
|
}
|
||||||
|
synchronized (_inboundBans) {
|
||||||
|
Long exp = _inboundBans.get(from);
|
||||||
|
if (exp != null) {
|
||||||
|
if (exp.longValue() >= _context.clock().now()) {
|
||||||
|
if (_log.shouldInfo())
|
||||||
|
_log.info("SSU 1 session request from temp. blocked peer: " + from);
|
||||||
|
_context.statManager().addRateData("udp.establishBadIP", 1);
|
||||||
|
return; // drop the packet
|
||||||
|
}
|
||||||
|
// expired
|
||||||
|
_inboundBans.remove(from);
|
||||||
|
}
|
||||||
|
}
|
||||||
if (!_transport.allowConnection())
|
if (!_transport.allowConnection())
|
||||||
return; // drop the packet
|
return; // drop the packet
|
||||||
byte[] fromIP = from.getIP();
|
byte[] fromIP = from.getIP();
|
||||||
@@ -669,6 +691,19 @@ class EstablishmentManager {
|
|||||||
_context.statManager().addRateData("udp.establishBadIP", 1);
|
_context.statManager().addRateData("udp.establishBadIP", 1);
|
||||||
return; // drop the packet
|
return; // drop the packet
|
||||||
}
|
}
|
||||||
|
synchronized (_inboundBans) {
|
||||||
|
Long exp = _inboundBans.get(from);
|
||||||
|
if (exp != null) {
|
||||||
|
if (exp.longValue() >= _context.clock().now()) {
|
||||||
|
if (_log.shouldInfo())
|
||||||
|
_log.info("SSU 2 session request from temp. blocked peer: " + from);
|
||||||
|
_context.statManager().addRateData("udp.establishBadIP", 1);
|
||||||
|
return; // drop the packet
|
||||||
|
}
|
||||||
|
// expired
|
||||||
|
_inboundBans.remove(from);
|
||||||
|
}
|
||||||
|
}
|
||||||
if (!_transport.allowConnection())
|
if (!_transport.allowConnection())
|
||||||
return; // drop the packet
|
return; // drop the packet
|
||||||
try {
|
try {
|
||||||
@@ -2479,7 +2514,12 @@ class EstablishmentManager {
|
|||||||
private void processExpired(InboundEstablishState inboundState) {
|
private void processExpired(InboundEstablishState inboundState) {
|
||||||
if (_log.shouldWarn())
|
if (_log.shouldWarn())
|
||||||
_log.warn("Expired: " + inboundState);
|
_log.warn("Expired: " + inboundState);
|
||||||
_inboundStates.remove(inboundState.getRemoteHostId());
|
RemoteHostId id = inboundState.getRemoteHostId();
|
||||||
|
_inboundStates.remove(id);
|
||||||
|
Long exp = Long.valueOf(_context.clock().now() + IB_BAN_TIME);
|
||||||
|
synchronized (_inboundBans) {
|
||||||
|
_inboundBans.put(id, exp);
|
||||||
|
}
|
||||||
OutNetMessage msg;
|
OutNetMessage msg;
|
||||||
while ((msg = inboundState.getNextQueuedMessage()) != null) {
|
while ((msg = inboundState.getNextQueuedMessage()) != null) {
|
||||||
_transport.failed(msg, "Expired during failed establish");
|
_transport.failed(msg, "Expired during failed establish");
|
||||||
|
|||||||
Reference in New Issue
Block a user