X-Git-Url: http://tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fnet_socket.c;h=ded9224d48dd720bfd11ccb7e9c6f334da0d8060;hb=24e3ec863ec463186501f76961c6d4b1dfe122af;hp=1b49aeeb4090865dd357cc235e1dffc24fe0de72;hpb=2eba7933053d7d21bf82e647978ee90abe98dc3a;p=tinc

diff --git a/src/net_socket.c b/src/net_socket.c
index 1b49aeeb..ded9224d 100644
--- a/src/net_socket.c
+++ b/src/net_socket.c
@@ -45,6 +45,7 @@ int maxtimeout = 900;
 int seconds_till_retry = 5;
 int udp_rcvbuf = 0;
 int udp_sndbuf = 0;
+int max_connection_burst = 100;
 
 listen_socket_t listen_socket[MAXSOCKETS];
 int listen_sockets;
@@ -561,6 +562,47 @@ void handle_new_meta_connection(void *data, int flags) {
 
 	sockaddrunmap(&sa);
 
+	// Check if we get many connections from the same host
+
+	static sockaddr_t prev_sa;
+	static time_t prev_time;
+	static int tarpit = -1;
+
+	if(tarpit >= 0) {
+		closesocket(tarpit);
+		tarpit = -1;
+	}
+
+	if(prev_time == now.tv_sec && !sockaddrcmp_noport(&sa, &prev_sa)) {
+		// if so, keep the connection open but ignore it completely.
+		tarpit = fd;
+		return;
+	}
+
+	memcpy(&prev_sa, &sa, sizeof sa);
+	prev_time = now.tv_sec;
+
+	// Check if we get many connections from different hosts
+
+	static int connection_burst;
+	static int connection_burst_time;
+
+	if(now.tv_sec - connection_burst_time > connection_burst)
+		connection_burst = 0;
+	else
+		connection_burst -= now.tv_sec - connection_burst_time;
+
+	connection_burst_time = now.tv_sec;
+	connection_burst++;
+
+	if(connection_burst >= max_connection_burst) {
+		connection_burst = max_connection_burst;
+		tarpit = fd;
+		return;
+	}
+
+	// Accept the new connection
+
 	c = new_connection();
 	c->name = xstrdup("<unknown>");
 	c->outcipher = myself->connection->outcipher;