
Add SYN rate limiting mechanism

As @trinity-1686a noted in https://gitlab.torproject.org/tpo/core/onionmasq/-/issues/147, a rate limiting mechanism for SYNs could make sense, because a single application creating hundreds of connections could easily block everything else and/or cause memory exhaustion.

Right now, we allocate a bunch of things and run it all in ArtiProxy::start(), which isn't cheap, but is also exactly what we'd have done on a valid SYN. There might be something odd happening if we receive multiple SYNs for the same 5-tuple, though it seems like this would most likely do nothing more than kill the connection, by causing a TCP sequence mismatch which smoltcp should end up RSTing.

Having some SYN flooding resilience would help a bit to protect against misbehaving apps.
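As an added example, not onionmasq's own code: a per-source token-bucket SYN limiter in Rust that would be consulted before the allocations in ArtiProxy::start() happen, and that also drops a repeated SYN for a 5-tuple already in progress instead of allocating a second connection for it. FlowKey, SynLimiter and the rate/burst values are assumptions, and the current time is passed in so the decision is deterministic.

```rust
use std::collections::{HashMap, HashSet};
use std::time::Instant;

/// TCP 5-tuple (hypothetical key type; addresses kept as strings for brevity).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct FlowKey { pub src: String, pub sport: u16, pub dst: String, pub dport: u16 }

#[derive(Debug, PartialEq, Eq)]
pub enum SynVerdict {
    Accept,      // allocate the connection, as start() does today
    Duplicate,   // SYN for a flow already tracked: drop it, allocate nothing
    RateLimited, // this source's bucket is empty: drop the SYN
}

struct Bucket { tokens: f64, last: Instant }

pub struct SynLimiter {
    rate: f64,  // tokens refilled per second, per source address
    burst: f64, // bucket capacity: how many SYNs may arrive at once
    buckets: HashMap<String, Bucket>,
    open: HashSet<FlowKey>, // flows accepted and not yet closed
}

impl SynLimiter {
    pub fn new(rate: f64, burst: f64) -> Self {
        SynLimiter { rate, burst, buckets: HashMap::new(), open: HashSet::new() }
    }

    /// Decide on an incoming SYN before any per-connection state is allocated.
    pub fn on_syn(&mut self, key: FlowKey, now: Instant) -> SynVerdict {
        if self.open.contains(&key) {
            return SynVerdict::Duplicate;
        }
        let (rate, burst) = (self.rate, self.burst);
        let b = self.buckets.entry(key.src.clone()).or_insert(Bucket { tokens: burst, last: now });
        // Refill in proportion to elapsed time, capped at the burst size.
        let elapsed = now.saturating_duration_since(b.last).as_secs_f64();
        b.tokens = (b.tokens + elapsed * rate).min(burst);
        b.last = now;
        if b.tokens < 1.0 {
            return SynVerdict::RateLimited;
        }
        b.tokens -= 1.0;
        self.open.insert(key);
        SynVerdict::Accept
    }

    /// Called when the flow ends (FIN or RST) so its slot can be reused.
    pub fn on_close(&mut self, key: &FlowKey) { self.open.remove(key); }
}
```

Each source address gets its own bucket, so one misbehaving app runs dry without starving the others.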

In https://gitlab.torproject.org/tpo/core/onionmasq/-/issues/147
