Add connection rate limiting.
Tinc now strictly limits incoming connections from the same host to 1 per second. For incoming connections from multiple hosts, short bursts of incoming connections are allowed (by default 100), but on average also only 1 connection per second is allowed. When an incoming connection exceeds the limit, tinc will keep the connection in a tarpit; the connection will be kept open but it is ignored completely. Only one connection is in a tarpit at a time to limit the number of useless open connections.
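The policy described in the commit message, as an added illustration that is not tinc's code: a global token bucket of 100 connections (the MaxConnectionBurst default) refilled at one token per second, a separate one-connection-per-second rule per host, and a single tarpit slot. The 32-bit host ids, the fixed-size host table and the DROP verdict for a connection that arrives while the tarpit is already occupied are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Illustrative token-bucket limiter following the commit-message policy (not tinc's code).
   Hosts are 32-bit ids (e.g. IPv4 addresses); the per-host table is a fixed array for the demo. */
#define MAX_BURST 100              /* default MaxConnectionBurst */
#define MAX_HOSTS 256
typedef enum { ACCEPT, TARPIT, DROP } verdict_t;

typedef struct {
    double tokens;                 /* global bucket, refilled at 1 token/second */
    double last;                   /* time of the last refill */
    uint32_t host[MAX_HOSTS]; double host_last[MAX_HOSTS];   /* id and last accepted time per host */
    int nhosts; bool tarpit_busy;  /* the tarpit holds at most one connection at a time */
} limiter_t;

void limiter_init(limiter_t *l, double now) {
    memset(l, 0, sizeof *l);
    l->tokens = MAX_BURST;         /* a fresh limiter allows one full burst */
    l->last = now;
}

static int find_host(limiter_t *l, uint32_t host) {
    for (int i = 0; i < l->nhosts; i++)
        if (l->host[i] == host) return i;
    if (l->nhosts == MAX_HOSTS) return -1;   /* table full: no per-host history */
    l->host[l->nhosts] = host;
    l->host_last[l->nhosts] = -1.0;          /* "long ago"; clocks are assumed to start at 0 */
    return l->nhosts++;
}

/* Verdict for a new incoming connection from `host` arriving at time `now` (seconds). */
verdict_t limiter_check(limiter_t *l, uint32_t host, double now) {
    l->tokens += now - l->last;              /* refill at 1 token per second ... */
    if (l->tokens > MAX_BURST) l->tokens = MAX_BURST;   /* ... capped at the burst size */
    l->last = now;
    int h = find_host(l, host);
    bool over = (h >= 0 && now - l->host_last[h] < 1.0)  /* same host within 1 s */
             || l->tokens < 1.0;                         /* global average exceeded */
    if (over) {
        if (l->tarpit_busy) return DROP;     /* assumption: tarpit occupied, close this one */
        l->tarpit_busy = true;               /* keep the connection open but ignore it */
        return TARPIT;
    }
    if (h >= 0) l->host_last[h] = now;
    l->tokens -= 1.0;
    return ACCEPT;
}

void limiter_release_tarpit(limiter_t *l) { l->tarpit_busy = false; }
```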
parent
2eba793305
commit
24e3ec863e
6 changed files with 62 additions and 2 deletions
@ -1101,6 +1101,13 @@ impossible to crack a single key.
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when Mode is set to "switch".
@cindex MaxConnectionBurst
@item MaxConnectionBurst = <@var{count}> (100)
This option controls how many connections tinc accepts in quick succession.
If there are more connections than the given number in a short time interval,
tinc will reduce the number of accepted connections to only one per second,
until the burst has passed.
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
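Review bot: the MaxConnectionBurst text (from `@item MaxConnectionBurst = <@var{count}> (100)` to `until the burst has passed.`) documents only the global burst size and the fallback to one accepted connection per second; it does not say what happens to connections above the limit, whereas the commit message describes a tarpit (the connection stays open but is ignored completely, and only one connection is tarpitted at a time) and a separate, unconditional 1-per-second limit for repeated connections from the same host. Suggest adding a sentence along the lines of "Connections above the limit are kept open but ignored (tarpitted); at most one connection is tarpitted at any time." and stating that the per-host limit does not depend on this option, since an operator tuning this value would otherwise expect excess connections to be refused.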
@ -1182,7 +1189,6 @@ reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.


@cindex StrictSubnets
@item StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are
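Review bot: the header `@ -1182,7 +1189,6 @@` shows this hunk shrinks the region by one line, but the rendered lines carry no add/remove markers, so the only visible candidate is one of the two blank lines between `traffic.` and `@cindex StrictSubnets`. A whitespace-only cleanup of the documentation is unrelated to the rate limiting named in the commit title; either leave it out of this commit or mention it in the commit message so that readers of the history know the hunk is intentional.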