* Updated jA's dummy socket to mod1137

* Added jA's ddos protection system
* Moved stall_time's reading to packet_athena.conf

git-svn-id: https://svn.code.sf.net/p/rathena/svn/branches/stable@1237 54d463be-8e91-2dee-dedb-b68131a5f0ec

Changelog-SVN.txt

@@ -1,5 +1,10 @@
 Date	Added
 
+03/16
+        * Updated jA's dummy socket to mod1137 [celest]
+        * Added jA's ddos protection system -- check packet_athena.conf [celest]
+        * Moved stall_time's reading from inter_athena.conf to packet_athena.conf
+
 03/15
         * Fixed a compile warning in pc.c [celest]
         * Updated Soul Breaker's damage display, by DracoRPG [celest]

conf-tmpl/inter_athena.conf

@@ -32,9 +32,6 @@ inter_log_filename: log/inter.log
 // Level range for sharing within a party
 party_share_level: 10
 
-// How long can a socket stall before closing the connection
-stall_time: 60
-
 
 
 // SQL version options only

conf-tmpl/packet_athena.conf

@@ -0,0 +1,46 @@
+// ソケット関連の設定です。 (Untranslated yet)
+
+
+// How long can a socket stall before closing the connection (in seconds)
+stall_time: 60
+
+//---- Ddos Protection Settings ----
+
+// デバッグ情報の表示（バグ報告の際にコピペして頂けると助かります）
+// debug: 1
+
+// ddos攻撃と判断する為のルール設定
+//     ddos_interval msec以内の接続要求がddos_count回続いた場合に、
+//     ddos攻撃されたと判定します。
+
+// 接続間隔(msec)
+ddos_interval: 3000
+
+// 接続回数
+ddos_count: 5
+
+// ddos制限を解除する間隔(msec)
+//     この時間経過すると、接続制限が解除されます。
+ddos_autoreset: 600000
+
+// アクセス制限の判定順序(Apacheと同じ)
+// deny,allow が標準になっています。
+
+order: deny,allow
+// order: allow,deny
+// order: mutual-failture
+
+// アクセスコントロールするIPリスト
+//   allow    : ddosチェックの結果に関係なく許可
+//   deny     : 不許可
+//   指定無し : ddosチェックの結果で許可 / 不許可を決定
+//              ただし、mutual-failture の場合は不許可になります。
+
+// allow: 127.0.0.1
+// allow: 192.168.0.0/16
+// allow: 10.0.0.0/255.0.0.0
+allow: all
+
+// deny: 127.0.0.1
+
+import: conf/import/packet_conf.txt

src/common/socket.c

@@ -29,9 +29,10 @@ typedef int socklen_t;
 #include <fcntl.h>
 #include <string.h>
 
-#include "mmo.h"	// [Valaris] thanks to fov
 #include "socket.h"
-#include "utils.h"
+#include "../common/mmo.h"	// [Valaris] thanks to fov
+#include "../common/timer.h"
+#include "../common/utils.h"
 
 #ifdef MEMWATCH
 #include "memwatch.h"
@@ -54,11 +55,9 @@ struct socket_data *session[FD_SETSIZE];
 static int null_parse(int fd);
 static int (*default_func_parse)(int) = null_parse;
 
-// fdが不正な時に代わりに読み書きするバッファ
-unsigned char socket_dummy[SOCKET_DUMMY_SIZE];
-
 static int null_console_parse(char *buf);
 static int (*default_console_parse)(char*) = null_console_parse;
+static int connect_check(unsigned int ip);
 
 /*======================================
  *	CORE : Set function
@@ -195,16 +194,20 @@ static int connect_client(int listen_fd)
 
 	setsocketopts(fd);
 
-	if(fd==-1)
+	if(fd==-1) {
 		perror("accept");
-	else
+		return -1;
+	} else if (!connect_check(*(unsigned int*)(&client_address.sin_addr))) {
+		close(fd);
+		return -1;
+	} else
 		FD_SET(fd,&readfds);
 
 #ifdef _WIN32
-        {
-	  	unsigned long val = 1;
-  		ioctlsocket(fd, FIONBIO, &val);
-        }
+	{
+		unsigned long val = 1;
+		ioctlsocket(fd, FIONBIO, &val);
+	}
 #else
 	result = fcntl(fd, F_SETFL, O_NONBLOCK);
 #endif
@@ -415,7 +418,7 @@ int make_connection(long ip,int port)
 
 int delete_session(int fd)
 {
-	if(fd<0 || fd>=FD_SETSIZE)
+	if(fd<=0 || fd>=FD_SETSIZE)
 		return -1;
 	FD_CLR(fd,&readfds);
 	if(session[fd]){
@@ -533,9 +536,269 @@ int do_parsepacket(void)
 	return 0;
 }
 
-void do_socket(void)
+/* DDoS 攻撃対策 */
+
+enum {
+	ACO_DENY_ALLOW=0,
+	ACO_ALLOW_DENY,
+	ACO_MUTUAL_FAILTURE,
+};
+
+struct _access_control {
+	unsigned int ip;
+	unsigned int mask;
+};
+
+static struct _access_control *access_allow;
+static struct _access_control *access_deny;
+static int access_order=ACO_DENY_ALLOW;
+static int access_allownum=0;
+static int access_denynum=0;
+static int access_debug;
+static int ddos_count     = 10;
+static int ddos_interval  = 3000;
+static int ddos_autoreset = 600*1000;
+
+struct _connect_history {
+	struct _connect_history *next;
+	struct _connect_history *prev;
+	int    status;
+	int    count;
+	unsigned int ip;
+	unsigned int tick;
+};
+static struct _connect_history *connect_history[0x10000];
+static int connect_check_(unsigned int ip);
+
+// 接続できるかどうかの確認
+//   false : 接続OK
+//   true  : 接続NG
+static int connect_check(unsigned int ip) {
+	int result = connect_check_(ip);
+	if(access_debug) {
+		printf("connect_check: connection from %08x %s\n",
+			ip,result ? "allowed" : "denied");
+	}
+	return result;
+}
+	
+static int connect_check_(unsigned int ip) {
+	struct _connect_history *hist     = connect_history[ip & 0xFFFF];
+	struct _connect_history *hist_new;
+	int    i,is_allowip = 0,is_denyip = 0,connect_ok = 0;
+
+	// allow , deny リストに入っているか確認
+	for(i = 0;i < access_allownum; i++) {
+		if((ip & access_allow[i].mask) == (access_allow[i].ip & access_allow[i].mask)) {
+			if(access_debug) {
+				printf("connect_check: match allow list from:%08x ip:%08x mask:%08x\n",
+					ip,access_allow[i].ip,access_allow[i].mask);
+			}
+			is_allowip = 1;
+			break;
+		}
+	}
+	for(i = 0;i < access_denynum; i++) {
+		if((ip & access_deny[i].mask) == (access_deny[i].ip & access_deny[i].mask)) {
+			if(access_debug) {
+				printf("connect_check: match deny list  from:%08x ip:%08x mask:%08x\n",
+					ip,access_deny[i].ip,access_deny[i].mask);
+			}
+			is_denyip = 1;
+			break;
+		}
+	}
+	// コネクト出来るかどうか確認
+	// connect_ok
+	//   0 : 無条件に拒否
+	//   1 : 田代砲チェックの結果次第
+	//   2 : 無条件に許可
+	switch(access_order) {
+	case ACO_DENY_ALLOW:
+	default:
+		if(is_allowip) {
+			connect_ok = 2;
+		} else if(is_denyip) {
+			connect_ok = 0;
+		} else {
+			connect_ok = 1;
+		}
+		break;
+	case ACO_ALLOW_DENY:
+		if(is_denyip) {
+			connect_ok = 0;
+		} else if(is_allowip) {
+			connect_ok = 2;
+		} else {
+			connect_ok = 1;
+		}
+		break;
+	case ACO_MUTUAL_FAILTURE:
+		if(is_allowip) {
+			connect_ok = 2;
+		} else {
+			connect_ok = 0;
+		}
+		break;
+	}
+
+	// 接続履歴を調べる
+	while(hist) {
+		if(ip == hist->ip) {
+			// 同じIP発見
+			if(hist->status) {
+				// ban フラグが立ってる
+				return (connect_ok == 2 ? 1 : 0);
+			} else if(DIFF_TICK(gettick(),hist->tick) < ddos_interval) {
+				// ddos_interval秒以内にリクエスト有り
+				hist->tick = gettick();
+				if(hist->count++ >= ddos_count) {
+					// ddos 攻撃を検出
+					hist->status = 1;
+					printf("connect_check: ddos attack detected (%d.%d.%d.%d)\n",
+						ip & 0xFF,(ip >> 8) & 0xFF,(ip >> 16) & 0xFF,ip >> 24);
+					return (connect_ok == 2 ? 1 : 0);
+				} else {
+					return connect_ok;
+				}
+			} else {
+				// ddos_interval秒以内にリクエスト無いのでタイマークリア
+				hist->tick  = gettick();
+				hist->count = 0;
+				return connect_ok;
+			}
+		}
+		hist = hist->next;
+	}
+	// IPリストに無いので新規作成
+	hist_new = aCalloc(1,sizeof(struct _connect_history));
+	hist_new->ip   = ip;
+	hist_new->tick = gettick();
+	if(connect_history[ip & 0xFFFF] != NULL) {
+		hist = connect_history[ip & 0xFFFF];
+		hist->prev = hist_new;
+		hist_new->next = hist;
+	}
+	connect_history[ip & 0xFFFF] = hist_new;
+	return connect_ok;
+}
+
+static int connect_check_clear(int tid,unsigned int tick,int id,int data) {
+	int i;
+	int clear = 0;
+	int list  = 0;
+	struct _connect_history *hist , *hist2;
+	for(i = 0;i < 0x10000 ; i++) {
+		hist = connect_history[i];
+		while(hist) {
+			if(
+				(DIFF_TICK(tick,hist->tick) > ddos_interval * 3 && !hist->status) ||
+				(DIFF_TICK(tick,hist->tick) > ddos_autoreset && hist->status)
+			) {
+				// clear data
+				hist2 = hist->next;
+				if(hist->prev) {
+					hist->prev->next = hist->next;
+				} else {
+					connect_history[i] = hist->next;
+				}
+				if(hist->next) {
+					hist->next->prev = hist->prev;
+				}
+				aFree(hist);
+				hist = hist2;
+				clear++;
+			} else {
+				hist = hist->next;
+				list++;
+			}
+		}
+	}
+	if(access_debug) {
+		printf("connect_check_clear: clear = %d list = %d\n",clear,list);
+	}
+	return list;
+}
+
+// IPマスクチェック
+int access_ipmask(const char *str,struct _access_control* acc)
 {
-	FD_ZERO(&readfds);
+	unsigned int mask=0,i=0,m,ip, a0,a1,a2,a3;
+	if( !strcmp(str,"all") ) {
+		ip   = 0;
+		mask = 0;
+	} else {
+		if( sscanf(str,"%d.%d.%d.%d%n",&a0,&a1,&a2,&a3,&i)!=4 || i==0) {
+			printf("access_ipmask: unknown format %s\n",str);
+			return 0;
+		}
+		ip = (a3 << 24) | (a2 << 16) | (a1 << 8) | a0;
+
+		if(sscanf(str+i,"/%d.%d.%d.%d",&a0,&a1,&a2,&a3)==4 ){
+			mask = (a3 << 24) | (a2 << 16) | (a1 << 8) | a0;
+		} else if(sscanf(str+i,"/%d",&m) == 1) {
+			for(i=0;i<m;i++) {
+				mask = (mask >> 1) | 0x80000000;
+			}
+			mask = ntohl(mask);
+		} else {
+			mask = 0xFFFFFFFF;
+		}
+	}
+	if(access_debug) {
+		printf("access_ipmask: ip:%08x mask:%08x %s\n",ip,mask,str);
+	}
+	acc->ip   = ip;
+	acc->mask = mask;
+	return 1;
+}
+
+int socket_config_read(const char *cfgName) {
+	int i;
+	char line[1024],w1[1024],w2[1024];
+	FILE *fp;
+
+	fp=fopen(cfgName, "r");
+	if(fp==NULL){
+		printf("File not found: %s\n", cfgName);
+		return 1;
+	}
+	while(fgets(line,1020,fp)){
+		if(line[0] == '/' && line[1] == '/')
+			continue;
+		i=sscanf(line,"%[^:]: %[^\r\n]",w1,w2);
+		if(i!=2)
+			continue;
+		if(strcmpi(w1,"stall_time")==0){
+			stall_time_ = atoi(w2);
+		} else if(strcmpi(w1,"order")==0){
+			access_order=atoi(w2);
+			if(strcmpi(w2,"deny,allow")==0) access_order=ACO_DENY_ALLOW;
+			if(strcmpi(w2,"allow,deny")==0) access_order=ACO_ALLOW_DENY;
+			if(strcmpi(w2,"mutual-failture")==0) access_order=ACO_MUTUAL_FAILTURE;
+		} else if(strcmpi(w1,"allow")==0){
+			access_allow = aRealloc(access_allow,(access_allownum+1)*sizeof(struct _access_control));
+			if(access_ipmask(w2,&access_allow[access_allownum])) {
+				access_allownum++;
+			}
+		} else if(strcmpi(w1,"deny")==0){
+			access_deny = aRealloc(access_deny,(access_denynum+1)*sizeof(struct _access_control));
+			if(access_ipmask(w2,&access_deny[access_denynum])) {
+				access_denynum++;
+			}
+		} else if(!strcmpi(w1,"ddos_interval")){
+			ddos_interval = atoi(w2);
+		} else if(!strcmpi(w1,"ddos_count")){
+			ddos_count = atoi(w2);
+		} else if(!strcmpi(w1,"ddos_autoreset")){
+			ddos_autoreset = atoi(w2);
+		} else if(!strcmpi(w1,"debug")){
+			access_debug = atoi(w2);
+		} else if (strcmpi(w1, "import") == 0)
+			socket_config_read(w2);
+	}
+	fclose(fp);
+	return 0;
 }
 
 int RFIFOSKIP(int fd,int len)
@@ -638,3 +901,53 @@ int  Net_Init(void)
 
   return(0);
 }
+
+void do_final_socket(void)
+{
+	int i;
+	struct _connect_history *hist , *hist2;
+	for(i=0; i<fd_max; i++) {
+		if(session[i]) {
+			delete_session(i);
+		}
+	}
+	for(i=0; i<0x10000; i++) {
+		hist = connect_history[i];
+		while(hist) {
+			hist2 = hist->next;
+			aFree(hist);
+			hist = hist2;
+		}
+	}
+	if (access_allow)
+		aFree(access_allow);
+	if (access_deny)
+		aFree(access_deny);
+
+	// session[0] のダミーデータを削除
+	if (session[0]) {
+		aFree(session[0]->rdata);
+		aFree(session[0]->wdata);
+		aFree(session[0]);
+	}
+}
+
+void do_socket(void)
+{
+	char *SOCKET_CONF_FILENAME = "conf/packet_athena.conf";
+
+	FD_ZERO(&readfds);
+
+	atexit(do_final_socket);
+	socket_config_read(SOCKET_CONF_FILENAME);
+
+	// session[0] にダミーデータを確保する
+	CREATE(session[0], struct socket_data, 1);
+	CREATE_A(session[0]->rdata, unsigned char, rfifo_size);
+	CREATE_A(session[0]->wdata, unsigned char, wfifo_size);
+	session[0]->max_rdata   = rfifo_size;
+	session[0]->max_wdata   = wfifo_size;
+
+	// とりあえず５分ごとに不要なデータを削除する
+	add_timer_interval(gettick()+1000,connect_check_clear,0,0,300*1000);
+}

src/common/socket.h

@@ -22,18 +22,14 @@ extern time_t stall_time_;
 
 // define declaration
 
-// fdが不正な時に代わりに読み書きするバッファ
-#define SOCKET_DUMMY_SIZE 32768
-extern unsigned char socket_dummy[SOCKET_DUMMY_SIZE];
-
-#define RFIFOSPACE(fd) (fd <= 0 ? SOCKET_DUMMY_SIZE : session[fd]->max_rdata-session[fd]->rdata_size)
-#define RFIFOP(fd,pos) (fd <= 0 ? socket_dummy : session[fd]->rdata+session[fd]->rdata_pos+(pos))
+#define RFIFOSPACE(fd) (session[fd]->max_rdata-session[fd]->rdata_size)
+#define RFIFOP(fd,pos) (session[fd]->rdata+session[fd]->rdata_pos+(pos))
 // use function instead of macro.
 #define RFIFOB(fd,pos) (*(unsigned char*)RFIFOP(fd,pos))
 #define RFIFOW(fd,pos) (*(unsigned short*)RFIFOP(fd,pos))
 #define RFIFOL(fd,pos) (*(unsigned int*)RFIFOP(fd,pos))
-#define RFIFOREST(fd)  (fd <= 0 ? 0 : session[fd]->rdata_size-session[fd]->rdata_pos)
-#define RFIFOFLUSH(fd) (fd <= 0 ? 0 : memmove(session[fd]->rdata,RFIFOP(fd,0),RFIFOREST(fd)),session[fd]->rdata_size=RFIFOREST(fd),session[fd]->rdata_pos=0)
+#define RFIFOREST(fd)  (session[fd]->rdata_size-session[fd]->rdata_pos)
+#define RFIFOFLUSH(fd) (memmove(session[fd]->rdata,RFIFOP(fd,0),RFIFOREST(fd)),session[fd]->rdata_size=RFIFOREST(fd),session[fd]->rdata_pos=0)
 //#define RFIFOSKIP(fd,len) ((session[fd]->rdata_size-session[fd]->rdata_pos-(len)<0) ? (fprintf(stderr,"too many skip\n"),exit(1)) : (session[fd]->rdata_pos+=(len)))
 
 #define RBUFP(p,pos) (((unsigned char*)(p))+(pos))
@@ -41,8 +37,8 @@ extern unsigned char socket_dummy[SOCKET_DUMMY_SIZE];
 #define RBUFW(p,pos) (*(unsigned short*)RBUFP((p),(pos)))
 #define RBUFL(p,pos) (*(unsigned int*)RBUFP((p),(pos)))
 
-#define WFIFOSPACE(fd) (fd <= 0 ? SOCKET_DUMMY_SIZE : session[fd]->max_wdata-session[fd]->wdata_size)
-#define WFIFOP(fd,pos) (fd <= 0 ? socket_dummy : session[fd]->wdata+session[fd]->wdata_size+(pos))
+#define WFIFOSPACE(fd) (session[fd]->max_wdata-session[fd]->wdata_size)
+#define WFIFOP(fd,pos) (session[fd]->wdata+session[fd]->wdata_size+(pos))
 #define WFIFOB(fd,pos) (*(unsigned char*)WFIFOP(fd,pos))
 #define WFIFOW(fd,pos) (*(unsigned short*)WFIFOP(fd,pos))
 #define WFIFOL(fd,pos) (*(unsigned int*)WFIFOP(fd,pos))

src/map/clif.c

@@ -973,7 +973,7 @@ int clif_mob_equip(struct mob_data *md, int nameid) {
  */
 static int clif_mob0078(struct mob_data *md, unsigned char *buf)
 {
-	int level;
+	int level, i;
 
 	memset(buf,0,packet_len_table[0x78]);
 
@@ -986,7 +986,7 @@ static int clif_mob0078(struct mob_data *md, unsigned char *buf)
 	WBUFW(buf,10)=md->opt2;
 	WBUFW(buf,12)=md->option;
 	WBUFW(buf,14)=mob_get_viewclass(md->class_);
-	if((mob_get_viewclass(md->class_) <= 23) || (mob_get_viewclass(md->class_) == 812) || (mob_get_viewclass(md->class_) >= 4001)) {
+	if((i=mob_get_viewclass(md->class_)) <= 23 || i == 812 || i >= 4001) {
 		WBUFW(buf,12)|=mob_db[md->class_].option;
 		WBUFW(buf,16)=mob_get_hair(md->class_);
 		WBUFW(buf,18)=mob_get_weapon(md->class_);
@@ -1360,7 +1360,7 @@ int clif_spawnmob(struct mob_data *md)
 
 	nullpo_retr(0, md);
 
-	if (mob_get_viewclass(md->class_) > 23 ) {
+	if (mob_get_viewclass(md->class_) > 23) {
 		memset(buf,0,packet_len_table[0x7c]);
 
 		WBUFW(buf,0)=0x7c;

src/map/map.c

@@ -2896,8 +2896,10 @@ int inter_config_read(char *cfgName)
 		i=sscanf(line,"%[^:]: %[^\r\n]",w1,w2);
 		if(i!=2)
 			continue;
-		if(strcmpi(w1,"stall_time")==0){
-			stall_time_ = atoi(w2);
+		//support the import command, just like any other config
+		if(strcmpi(w1,"import")==0){
+			inter_config_read(w2);
+		}
 	#ifndef TXT_ONLY
 		} else if(strcmpi(w1,"item_db_db")==0){
 			strcpy(item_db_db,w2);
@@ -2959,9 +2961,6 @@ int inter_config_read(char *cfgName)
 		} else if(strcmpi(w1,"log_db_port")==0) {
 			log_db_port = atoi(w2);
 	#endif
-		//support the import command, just like any other config
-		} else if(strcmpi(w1,"import")==0){
-			inter_config_read(w2);
 		}
 	}
 	fclose(fp);