Add rate limit on receive of DIRECT_PATH_PUSH to prevent DOS exploitation.

author: Adam Ierymenko <adam.ierymenko@gmail.com> 2015-10-16 10:28:09 -0700
committer: Adam Ierymenko <adam.ierymenko@gmail.com> 2015-10-16 10:28:09 -0700
commit: 5ce3aac929ef217f3e813b5bc948dd28d021835f (patch)
tree: aa579f458354bdd376d43c62e291ba697bfe8444 /node/IncomingPacket.cpp
parent: 2229e91b57676c1218b550749a2108372e0f37ad (diff)
download: infinitytier-5ce3aac929ef217f3e813b5bc948dd28d021835f.tar.gz
infinitytier-5ce3aac929ef217f3e813b5bc948dd28d021835f.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index d444258d..4386e370 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -861,6 +861,13 @@ bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,const Share
 bool IncomingPacket::_doPUSH_DIRECT_PATHS(const RuntimeEnvironment *RR,const SharedPtr<Peer> &peer)
 {
 	try {
+		const uint64_t now = RR->node->now();
+		if ((now - peer->lastDirectPathPushReceived()) >= ZT_DIRECT_PATH_PUSH_MIN_RECEIVE_INTERVAL) {
+			TRACE("dropped PUSH_DIRECT_PATHS from %s(%s): too frequent!",source().toString().c_str(),_remoteAddress.toString().c_str());
+			return true;
+		}
+		peer->setLastDirectPathPushReceived(now);
+
 		unsigned int count = at<uint16_t>(ZT_PACKET_IDX_PAYLOAD);
 		unsigned int ptr = ZT_PACKET_IDX_PAYLOAD + 2;
 		unsigned int v4Count = 0,v6Count = 0;
author	Adam Ierymenko <adam.ierymenko@gmail.com>	2015-10-16 10:28:09 -0700
committer	Adam Ierymenko <adam.ierymenko@gmail.com>	2015-10-16 10:28:09 -0700
commit	5ce3aac929ef217f3e813b5bc948dd28d021835f (patch)
tree	aa579f458354bdd376d43c62e291ba697bfe8444 /node/IncomingPacket.cpp
parent	2229e91b57676c1218b550749a2108372e0f37ad (diff)
download	infinitytier-5ce3aac929ef217f3e813b5bc948dd28d021835f.tar.gz infinitytier-5ce3aac929ef217f3e813b5bc948dd28d021835f.zip