archive
/
csgo
mirror of https://github.com/sr2echa/CSGO-Source-Code
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Counter Strike : Global Offensive Source Code
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
504 MiB
Tree: 9cd9f42570
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9cd9f42570'
${ noResults }
csgo/cstrike15_src/engine/sv_ipratelimit.cpp

243 lines
8.4 KiB
Raw Normal View History

added some files
5 years ago
  1. //========= Copyright � 1996-2005, Valve Corporation, All rights reserved. ============//
  2. //
  3. // Purpose: Handles all the functions for implementing remote access to the engine
  4. //
  5. //=============================================================================//
  7. #include "netadr.h"
  8. #include "sv_ipratelimit.h"
  9. #include "convar.h"
  10. #include "utlrbtree.h"
  11. #include "utlvector.h"
  12. #include "utlmap.h"
  13. #include "../gcsdk/steamextra/tier1/utlhashmaplarge.h"
  14. #include "filesystem.h"
  15. #include "sv_log.h"
  16. #include "tier1/ns_address.h"
  18. // NOTE: This has to be the last file included!
  19. #include "tier0/memdbgon.h"
  22. static ConVar sv_max_queries_sec( "sv_max_queries_sec", "10.0", FCVAR_RELEASE, "Maximum queries per second to respond to from a single IP address." );
  23. static ConVar sv_max_queries_window( "sv_max_queries_window", "30", FCVAR_RELEASE, "Window over which to average queries per second averages." );
  24. static ConVar sv_max_queries_tracked_ips_max( "sv_max_queries_tracked_ips_max", "50000", FCVAR_RELEASE, "Window over which to average queries per second averages." );
  25. static ConVar sv_max_queries_tracked_ips_prune( "sv_max_queries_tracked_ips_prune", "10", FCVAR_RELEASE, "Window over which to average queries per second averages." );
  26. static ConVar sv_max_queries_sec_global( "sv_max_queries_sec_global", "500", FCVAR_RELEASE, "Maximum queries per second to respond to from anywhere." );
  27. static ConVar sv_logblocks("sv_logblocks", "0", FCVAR_RELEASE, "If true when log when a query is blocked (can cause very large log files)");
  29. class CIPRateLimit
  30. {
  31. public:
  32. CIPRateLimit();
  33. ~CIPRateLimit();
  35. // updates an ip entry, return true if the ip is allowed, false otherwise
  36. bool CheckIP( netadr_t ip );
  38. void Reset()
  39. {
  40. m_IPTimes.RemoveAll();
  41. m_IPStorage.RemoveAll();
  42. m_iGlobalCount = 0;
  43. m_lLastTime = -1;
  44. m_lLastDistributedDetection = -1;
  45. m_lLastPersonalDetection = -1;
  46. }
  48. private:
  49. typedef int ip_t;
  50. struct iprate_val
  51. {
  52. long lastTime;
  53. int count;
  54. int32 idxiptime;
  55. };
  56. struct IpHashNoopFunctor
  57. {
  58. typedef uint32 TargetType;
  59. TargetType operator()( const ip_t &key ) const
  60. {
  61. return key;
  62. }
  63. };
  65. typedef CUtlHashMapLarge< ip_t, iprate_val, CDefEquals< ip_t >, IpHashNoopFunctor > IPStorage_t;
  66. IPStorage_t m_IPStorage;
  68. typedef CUtlMap< long, ip_t, int32, CDefLess< long > > IPTimes_t;
  69. IPTimes_t m_IPTimes;
  71. int m_iGlobalCount;
  72. long m_lLastTime;
  73. long m_lLastDistributedDetection;
  74. long m_lLastPersonalDetection;
  75. };
  77. static CIPRateLimit rateChecker;
  79. //-----------------------------------------------------------------------------
  80. // Purpose: return false if this IP exceeds rate limits
  81. //-----------------------------------------------------------------------------
  82. bool CheckConnectionLessRateLimits( const ns_address &adr )
  83. {
  84. if ( !adr.IsType< netadr_t >() )
  85. return true;
  87. // This function can be called from socket thread, mutex around it
  88. static CThreadMutex s_mtx;
  89. AUTO_LOCK( s_mtx );
  91. bool ret = rateChecker.CheckIP( adr.AsType<netadr_t>() );
  92. if ( !ret && sv_logblocks.GetBool() == true )
  93. {
  94. g_Log.Printf("Traffic from %s was blocked for exceeding rate limits\n", ns_address_render( adr ).String() );
  95. }
  96. return ret;
  97. }
  99. //-----------------------------------------------------------------------------
  100. // Purpose: Constructor
  101. //-----------------------------------------------------------------------------
  102. CIPRateLimit::CIPRateLimit()
  103. {
  104. m_iGlobalCount = 0;
  105. m_lLastTime = -1;
  106. m_lLastDistributedDetection = -1;
  107. m_lLastPersonalDetection = -1;
  108. }
  110. //-----------------------------------------------------------------------------
  111. // Purpose: Destructor
  112. //-----------------------------------------------------------------------------
  113. CIPRateLimit::~CIPRateLimit()
  114. {
  115. }
  117. //-----------------------------------------------------------------------------
  118. // Purpose: return false if this IP has exceeded limits
  119. //-----------------------------------------------------------------------------
  120. bool CIPRateLimit::CheckIP( netadr_t adr )
  121. {
  122. long curTime = (long)Plat_FloatTime();
  124. // check the per ip rate (do this first, so one person dosing doesn't add to the global max rate
  125. ip_t clientIP;
  126. memcpy( &clientIP, adr.ip, sizeof(ip_t) );
  128. int const MAX_TREE_SIZE = sv_max_queries_tracked_ips_max.GetInt();
  129. int const MAX_TREE_PRUNE = sv_max_queries_tracked_ips_prune.GetInt();
  131. // Prune some elements from the tree
  132. int numPruned = 0;
  133. for ( int32 itIPTime = m_IPTimes.FirstInorder(); ( itIPTime != m_IPTimes.InvalidIndex() ); )
  134. {
  135. int32 itIPTimeNext = m_IPTimes.NextInorder( itIPTime );
  136. ip_t ipTracked = m_IPTimes.Element( itIPTime );
  137. if ( ipTracked != clientIP )
  138. {
  139. if ( ( curTime - m_IPTimes.Key( itIPTime ) ) < sv_max_queries_window.GetFloat() )
  140. break; // need to still keep monitoring this IP address, time is in order so next ones are even more recent
  142. m_IPStorage.Remove( ipTracked );
  143. m_IPTimes.RemoveAt( itIPTime );
  144. ++ numPruned;
  145. if ( ( numPruned >= MAX_TREE_PRUNE ) && ( m_IPStorage.Count() < MAX_TREE_SIZE ) )
  146. break;
  147. }
  148. itIPTime = itIPTimeNext;
  149. }
  151. if ( m_IPStorage.Count() > MAX_TREE_SIZE )
  152. {
  153. // This looks like we are under distributed attack where we are seeing a
  154. // very large number of IP addresses in a short time period
  155. // Stop tracking individual IP addresses and turn on global rate limit
  156. Msg( "IP rate limit detected distributed packet load (%u buckets, %u global count).\n", m_IPStorage.Count(), m_iGlobalCount );
  157. Reset();
  158. m_iGlobalCount = MAX( 1, ( sv_max_queries_sec_global.GetFloat() + 1 ) * ( sv_max_queries_window.GetFloat() + 1 ) );
  159. m_lLastTime = curTime;
  160. m_lLastDistributedDetection = curTime;
  161. }
  163. // now find the entry and check if it's within our rate limits
  164. bool bPerIpLimitingPerformed = false;
  165. IPStorage_t::IndexType_t ipEntry = m_IPStorage.Find( clientIP );
  166. if ( m_IPStorage.IsValidIndex( ipEntry ) )
  167. {
  168. bPerIpLimitingPerformed = true;
  169. iprate_val &iprateval = m_IPStorage.Element( ipEntry );
  170. if ( ( curTime - iprateval.lastTime ) > sv_max_queries_window.GetFloat() )
  171. {
  172. float query_rate = static_cast< float >( iprateval.count ) / sv_max_queries_window.GetFloat(); // add one so the bottom is never zero
  173. if ( query_rate > sv_max_queries_sec.GetFloat() )
  174. {
  175. if ( ( curTime - m_lLastPersonalDetection ) > sv_max_queries_window.GetFloat()/10 )
  176. {
  177. Msg( "IP rate limiting client %s sustained %u hits at %.1f pps (%u buckets, %u global count).\n", adr.ToString(), iprateval.count, query_rate, m_IPStorage.Count(), m_iGlobalCount );
  178. }
  179. }
  180. m_IPTimes.RemoveAt( iprateval.idxiptime );
  181. iprateval.idxiptime = m_IPTimes.Insert( curTime, clientIP );
  182. iprateval.lastTime = curTime;
  183. iprateval.count = 1;
  184. }
  185. else
  186. {
  187. ++ iprateval.count;
  188. float query_rate = static_cast< float >( iprateval.count ) / sv_max_queries_window.GetFloat(); // add one so the bottom is never zero
  189. if ( query_rate > sv_max_queries_sec.GetFloat() )
  190. {
  191. if ( ( curTime - m_lLastPersonalDetection ) > sv_max_queries_window.GetFloat() )
  192. {
  193. m_lLastPersonalDetection = curTime;
  194. Msg( "IP rate limiting client %s at %u hits (%u buckets, %u global count).\n", adr.ToString(), iprateval.count, m_IPStorage.Count(), m_iGlobalCount );
  195. }
  196. return false;
  197. }
  198. }
  199. }
  201. // now check the global rate
  202. m_iGlobalCount++;
  204. if( (curTime - m_lLastTime) > sv_max_queries_window.GetFloat() )
  205. {
  206. float query_rate = static_cast< float >( m_iGlobalCount ) / sv_max_queries_window.GetFloat(); // add one so the bottom is never zero
  207. if ( query_rate > sv_max_queries_sec_global.GetFloat() )
  208. {
  209. if ( ( curTime - m_lLastDistributedDetection ) > sv_max_queries_window.GetFloat()/10 )
  210. {
  211. Msg( "IP rate limit sustained %u distributed packets at %.1f pps (%u buckets).\n", m_iGlobalCount, query_rate, m_IPStorage.Count() );
  212. }
  213. }
  214. m_lLastTime = curTime;
  215. m_iGlobalCount = 1;
  216. }
  217. else
  218. {
  219. float query_rate = static_cast<float>( m_iGlobalCount ) / sv_max_queries_window.GetFloat(); // add one so the bottom is never zero
  220. if( query_rate > sv_max_queries_sec_global.GetFloat() )
  221. {
  222. if ( ( curTime - m_lLastDistributedDetection ) > sv_max_queries_window.GetFloat() )
  223. {
  224. m_lLastDistributedDetection = curTime;
  225. Msg( "IP rate limit under distributed packet load (%u buckets, %u global count), rejecting %s.\n", m_IPStorage.Count(), m_iGlobalCount, adr.ToString() );
  226. }
  227. return false;
  228. }
  229. }
  231. if ( !bPerIpLimitingPerformed )
  232. {
  233. iprate_val iprateval;
  234. iprateval.count = 1;
  235. iprateval.lastTime = curTime;
  237. // not found, insert this new guy
  238. iprateval.idxiptime = m_IPTimes.Insert( curTime, clientIP );
  239. m_IPStorage.Insert( clientIP, iprateval );
  240. }
  242. return true;
  243. }