Merge pull request #30 from Jigsaw-Code/tatianab-probing-resistance
added comments for probing resistance
tatianab authored Sep 11, 2019
2 parents c70d512 + b0824f1 commit 6f403f6
Showing 2 changed files with 4 additions and 0 deletions.
1 change: 1 addition & 0 deletions server.go
@@ -40,6 +40,7 @@ import (

var logger *logging.Logger

// 59 seconds is most common timeout for servers that do not respond to invalid requests
const tcpReadTimeout time.Duration = 59 * time.Second

func init() {
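Review bot: The new comment on `tcpReadTimeout` explains where the number 59 comes from but not what the constant bounds or why matching other servers matters. Assuming this is the value that ends up as the TCP service's read timeout (the wiring is not visible in this hunk), I would make it a doc comment that starts with the identifier: `// tcpReadTimeout is how long a client has to authenticate before the connection is dropped. 59 seconds is the most common timeout among servers that do not respond to invalid requests, which keeps this server's timeout from standing out to probes.` That also ties the constant to the "authentication deadline" wording used in shadowsocks/tcp.go.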
3 changes: 3 additions & 0 deletions shadowsocks/tcp.go
@@ -191,6 +191,7 @@ func (s *tcpService) Start() {
}()
connStart := time.Now()
clientConn.(*net.TCPConn).SetKeepAlive(true)
// Set a deadline for connection authentication
clientConn.SetReadDeadline(connStart.Add(s.readTimeout))
keyID := ""
var proxyMetrics metrics.ProxyMetrics
@@ -213,11 +214,13 @@ func (s *tcpService) Start() {
timeToCipher = time.Now().Sub(findStartTime)

if err != nil {
// Keep the connection open until we hit the authentication deadline to protect against probing attacks
logger.Debugf("Failed to find a valid cipher after reading %v bytes: %v", proxyMetrics.ClientProxy, err)
io.Copy(ioutil.Discard, clientConn) // drain socket
return onet.NewConnectionError("ERR_CIPHER", "Failed to find a valid cipher", err)
}

// Clear the authentication deadline
clientConn.SetReadDeadline(time.Time{})
return proxyConnection(clientConn, &proxyMetrics)
}()
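Review bot: The drain in the `err != nil` branch, `io.Copy(ioutil.Discard, clientConn)`, is bounded only by the read deadline set in the first hunk, and that `SetReadDeadline` call discards its error. If setting the deadline ever fails, the drain returns only when the peer closes, so an unauthenticated connection could be held open indefinitely. I would check the result, e.g. `if err := clientConn.SetReadDeadline(connStart.Add(s.readTimeout)); err != nil {` followed by logging and closing the connection. I would also extend the new comment with `// The drain returns when the authentication deadline expires or the client closes the connection`. Separately, each failed handshake holds a goroutine and a socket for up to `s.readTimeout`; no cap on concurrent unauthenticated connections is visible in these hunks, and `Start` continues outside them, so that is worth confirming elsewhere.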
