/** Handle a client being rejected during connection through no fault
* of their own. This "undoes" the effect of ip_registry_check_local()
* so the client's address is not penalized for the failure.
* @param[in] addr Address of rejected client.
*/
void ip_registry_connect_fail(const struct irc_in_addr *addr)
{
struct IPRegistryEntry* entry = ip_registry_find(addr);
if (entry && 0 == --entry->attempts) {
Debug((DEBUG_DNS, "IPcheck noting local connection failure for %s.", ircd_ntoa(&entry->addr)));
++entry->attempts;
}
}
/** Check whether a new connection from a local client should be allowed.
* A connection is rejected if someone from the "same" address (see
* ip_registry_find()) connects IPCHECK_CLONE_LIMIT times, each time
* separated by no more than IPCHECK_CLONE_PERIOD seconds.
* @param[in] addr Address of client.
* @param[out] next_target_out Receives time to grant another free target.
* @return Non-zero if the connection is permitted, zero if denied.
*/
int ip_registry_check_local(const struct irc_in_addr *addr, time_t* next_target_out)
{
struct IPRegistryEntry* entry = ip_registry_find(addr);
unsigned int free_targets = STARTTARGETS;
if (0 == entry) {
entry = ip_registry_new_entry();
ip_registry_canonicalize(&entry->addr, addr);
ip_registry_add(entry);
Debug((DEBUG_DNS, "IPcheck added new registry for local connection from %s.", ircd_ntoa(&entry->addr)));
return 1;
}
/* Note that this also counts server connects.
* It is hard and not interesting, to change that.
* Refuse connection if it would overflow the counter.
*/
if (0 == ++entry->connected)
{
entry->connected--;
Debug((DEBUG_DNS, "IPcheck refusing local connection from %s: counter overflow.", ircd_ntoa(&entry->addr)));
return 0;
}
if (CONNECTED_SINCE(entry->last_connect) > IPCHECK_CLONE_PERIOD)
entry->attempts = 0;
free_targets = ip_registry_update_free_targets(entry);
entry->last_connect = NOW;
if (0 == ++entry->attempts) /* Check for overflow */
--entry->attempts;
if (entry->attempts < IPCHECK_CLONE_LIMIT) {
if (next_target_out)
*next_target_out = CurrentTime - (TARGET_DELAY * free_targets - 1);
}
else if ((CurrentTime - cli_since(&me)) > IPCHECK_CLONE_DELAY) {
/*
* Don't refuse connection when we just rebooted the server
*/
#ifndef NOTHROTTLE
assert(entry->connected > 0);
--entry->connected;
Debug((DEBUG_DNS, "IPcheck refusing local connection from %s: too fast.", ircd_ntoa(&entry->addr)));
return 0;
#endif
}
Debug((DEBUG_DNS, "IPcheck accepting local connection from %s.", ircd_ntoa(&entry->addr)));
return 1;
}
/** Handle a client being rejected during connection through no fault
* of their own. This "undoes" the effect of ip_registry_check_local()
* so the client's address is not penalized for the failure.
* @param[in] addr Address of rejected client.
* @param[in] disconnect If true, also count the client as disconnecting.
*/
void ip_registry_connect_fail(const struct irc_in_addr *addr, int disconnect)
{
struct IPRegistryEntry* entry = ip_registry_find(addr);
if (entry) {
if (0 == --entry->attempts) {
Debug((DEBUG_DNS, "IPcheck noting local connection failure for %s.", ircd_ntoa(&entry->addr)));
++entry->attempts;
}
if (disconnect) {
assert(entry->connected > 0);
entry->connected--;
}
}
}
/** Handle a client that has successfully connected.
* This copies free target information to \a cptr from his address's
* registry entry and sends him a NOTICE describing the parameters for
* the entry.
* @param[in,out] cptr Client that has successfully connected.
*/
void ip_registry_connect_succeeded(struct Client *cptr)
{
const char* tr = "";
unsigned int free_targets = STARTTARGETS;
struct IPRegistryEntry* entry = ip_registry_find(&cli_ip(cptr));
assert(entry);
if (entry->target) {
memcpy(cli_targets(cptr), entry->target->targets, MAXTARGETS);
free_targets = entry->target->count;
tr = " tr";
}
Debug((DEBUG_DNS, "IPcheck noting local connection success for %s.", ircd_ntoa(&entry->addr)));
sendcmdto_one(&me, CMD_NOTICE, cptr, "%C :on %u ca %u(%u) ft %u(%u)%s",
cptr, entry->connected, entry->attempts, IPCHECK_CLONE_LIMIT,
free_targets, STARTTARGETS, tr);
}
/** Check whether a connection from a remote client should be allowed.
* This is much more relaxed than ip_registry_check_local(): The only
* cause for rejection is when the IPRegistryEntry::connected counter
* would overflow.
* @param[in] cptr Client that has connected.
* @param[in] is_burst Non-zero if client was introduced during a burst.
* @return Non-zero if the client should be accepted, zero if they must be killed.
*/
int ip_registry_check_remote(struct Client* cptr, int is_burst)
{
struct IPRegistryEntry* entry;
/*
* Mark that we did add/update an IPregistry entry
*/
SetIPChecked(cptr);
if (!irc_in_addr_valid(&cli_ip(cptr))) {
Debug((DEBUG_DNS, "IPcheck accepting remote connection from invalid %s.", ircd_ntoa(&cli_ip(cptr))));
return 1;
}
entry = ip_registry_find(&cli_ip(cptr));
if (0 == entry) {
entry = ip_registry_new_entry();
ip_registry_canonicalize(&entry->addr, &cli_ip(cptr));
if (is_burst)
entry->attempts = 0;
ip_registry_add(entry);
Debug((DEBUG_DNS, "IPcheck added new registry for remote connection from %s.", ircd_ntoa(&entry->addr)));
return 1;
}
/* Avoid overflowing the connection counter. */
if (0 == ++entry->connected) {
Debug((DEBUG_DNS, "IPcheck refusing remote connection from %s: counter overflow.", ircd_ntoa(&entry->addr)));
return 0;
}
if (CONNECTED_SINCE(entry->last_connect) > IPCHECK_CLONE_PERIOD)
entry->attempts = 0;
if (!is_burst) {
if (0 == ++entry->attempts) {
/*
* Check for overflow
*/
--entry->attempts;
}
ip_registry_update_free_targets(entry);
entry->last_connect = NOW;
}
Debug((DEBUG_DNS, "IPcheck counting remote connection from %s.", ircd_ntoa(&entry->addr)));
return 1;
}
/** Find number of clients from a particular IP address.
* @param[in] addr Address to look up.
* @return Number of clients known to be connected from that address.
*/
int ip_registry_count(const struct irc_in_addr *addr)
{
struct IPRegistryEntry* entry = ip_registry_find(addr);
return (entry) ? entry->connected : 0;
}
/** Handle a client that decided to disconnect (or was killed after
* completing his connection). This updates the free target
* information for his IP registry entry.
* @param[in] cptr Client that has exited.
*/
void ip_registry_disconnect(struct Client *cptr)
{
struct IPRegistryEntry* entry = ip_registry_find(&cli_ip(cptr));
if (!irc_in_addr_valid(&cli_ip(cptr))) {
Debug((DEBUG_DNS, "IPcheck noting dicconnect from invalid %s.", ircd_ntoa(&cli_ip(cptr))));
return;
}
assert(entry);
assert(entry->connected > 0);
Debug((DEBUG_DNS, "IPcheck noting disconnect from %s.", ircd_ntoa(&entry->addr)));
/*
* If this was the last one, set `last_connect' to disconnect time (used for expiration)
*/
if (0 == --entry->connected) {
if (CONNECTED_SINCE(entry->last_connect) > IPCHECK_CLONE_LIMIT * IPCHECK_CLONE_PERIOD) {
/*
* Otherwise we'd penalize for this old value if the client reconnects within 20 seconds
*/
entry->attempts = 0;
}
ip_registry_update_free_targets(entry);
entry->last_connect = NOW;
}
if (MyConnect(cptr)) {
unsigned int free_targets;
/*
* Copy the clients targets
*/
if (0 == entry->target) {
entry->target = (struct IPTargetEntry*) MyMalloc(sizeof(struct IPTargetEntry));
entry->target->count = STARTTARGETS;
}
assert(0 != entry->target);
memcpy(entry->target->targets, cli_targets(cptr), MAXTARGETS);
/*
* This calculation can be pretty unfair towards large multi-user hosts, but
* there is "nothing" we can do without also allowing spam bots to send more
* messages or by drastically increasing the amount of memory used in the IPregistry.
*
* The problem is that when a client disconnects, leaving no free targets, then
* the next client from that IP number has to pay for it (getting no free targets).
* But ALSO the next client, and the next client, and the next client etc - until
* another client disconnects that DOES leave free targets. The reason for this
* is that if there are 10 SPAM bots, and they all disconnect at once, then they
* ALL should get no free targets when reconnecting. We'd need to store an entry
* per client (instead of per IP number) to avoid this.
*/
if (cli_nexttarget(cptr) < CurrentTime) {
/*
* Number of free targets
*/
free_targets = (CurrentTime - cli_nexttarget(cptr)) / TARGET_DELAY + 1;
}
else
free_targets = 0;
/*
* Add bonus, this is pretty fuzzy, but it will help in some cases.
*/
if ((CurrentTime - cli_firsttime(cptr)) > 600)
/*
* Was longer then 10 minutes online?
*/
free_targets += (CurrentTime - cli_firsttime(cptr) - 600) / TARGET_DELAY;
/*
* Finally, store smallest value for Judgment Day
*/
if (free_targets < entry->target->count)
entry->target->count = free_targets;
}
}
