DDoS防护增加秒级连接速率限制

2025-11-03 20:40:25 +08:00 · 2022-08-31 10:01:00 +08:00
parent 6348e97214
commit 0eef019a87
3 changed files with 33 additions and 30 deletions
--- a/pkg/dnsconfigs/defaults.go
+++ b/pkg/dnsconfigs/defaults.go
@@ -12,14 +12,15 @@ const (
 	DefaultMaxThreadsMin = 1000    // 单节点最大线程数最小值
 	DefaultMaxThreadsMax = 100_000 // 单节点最大线程数最大值

-	DefaultTCPMaxConnections                = 100_000 // 单节点TCP最大连接数
-	DefaultTCPMaxConnectionsPerIP           = 1000    // 单IP最大连接数
-	DefaultTCPMinConnectionsPerIP           = 5       // 单IP最小连接数
-	DefaultTCPNewConnectionsRate            = 500     // 单IP连接速率限制（按分钟）
-	DefaultTCPNewConnectionsMinRate         = 5       // 单IP最小连接速率
-	DefaultTCPDenyNewConnectionsRate        = 1000    // 加入黑名单的连接速率
-	DefaultTCPDenyNewConnectionsMinRate     = 5       // 加入黑名单的最小连接速率
-	DefaultTCPDenyNewConnectionsRateTimeout = 1800    // 超过黑名单连接速率禁止时间
+	DefaultTCPMaxConnections      = 100_000 // 单节点TCP最大连接数
+	DefaultTCPMaxConnectionsPerIP = 1000    // 单IP最大连接数
+	DefaultTCPMinConnectionsPerIP = 5       // 单IP最小连接数
+
+	DefaultTCPNewConnectionsMinutelyRate    = 500 // 单IP连接速率限制（按分钟）
+	DefaultTCPNewConnectionsMinMinutelyRate = 3   // 单IP最小连接速率
+
+	DefaultTCPNewConnectionsSecondlyRate    = 300 // 单IP连接速率限制（按秒）
+	DefaultTCPNewConnectionsMinSecondlyRate = 3   // 单IP最小连接速率

 	DefaultTCPLinger           = 3 // 单节点TCP Linger值
 	DefaultTLSHandshakeTimeout = 3 // TLS握手超时时间
@@ -29,9 +30,8 @@ var DefaultConfigs = maps.Map{
 	"tcpMaxConnections":                DefaultTCPMaxConnections,
 	"tcpMaxConnectionsPerIP":           DefaultTCPMaxConnectionsPerIP,
 	"tcpMinConnectionsPerIP":           DefaultTCPMinConnectionsPerIP,
-	"tcpNewConnectionsRate":            DefaultTCPNewConnectionsRate,
-	"tcpNewConnectionsMinRate":         DefaultTCPNewConnectionsMinRate,
-	"tcpDenyNewConnectionsRate":        DefaultTCPDenyNewConnectionsRate,
-	"tcpDenyNewConnectionsMinRate":     DefaultTCPDenyNewConnectionsMinRate,
-	"tcpDenyNewConnectionsRateTimeout": DefaultTCPDenyNewConnectionsRateTimeout,
+	"tcpNewConnectionsMinutelyRate":    DefaultTCPNewConnectionsMinutelyRate,
+	"tcpNewConnectionsMinMinutelyRate": DefaultTCPNewConnectionsMinMinutelyRate,
+	"tcpNewConnectionsSecondlyRate":    DefaultTCPNewConnectionsSecondlyRate,
+	"tcpNewConnectionsMinSecondlyRate": DefaultTCPNewConnectionsMinSecondlyRate,
 }
--- a/pkg/nodeconfigs/defaults.go
+++ b/pkg/nodeconfigs/defaults.go
@@ -12,14 +12,15 @@ const (
 	DefaultMaxThreadsMin = 1000    // 单节点最大线程数最小值
 	DefaultMaxThreadsMax = 100_000 // 单节点最大线程数最大值

-	DefaultTCPMaxConnections                = 100_000 // 单节点TCP最大连接数
-	DefaultTCPMaxConnectionsPerIP           = 1000    // 单IP最大连接数
-	DefaultTCPMinConnectionsPerIP           = 5       // 单IP最小连接数
-	DefaultTCPNewConnectionsRate            = 500     // 单IP连接速率限制（按分钟）
-	DefaultTCPNewConnectionsMinRate         = 5       // 单IP最小连接速率
-	DefaultTCPDenyNewConnectionsRate        = 1000    // 加入黑名单的连接速率
-	DefaultTCPDenyNewConnectionsMinRate     = 5       // 加入黑名单的最小连接速率
-	DefaultTCPDenyNewConnectionsRateTimeout = 1800    // 超过黑名单连接速率禁止时间
+	DefaultTCPMaxConnections      = 100_000 // 单节点TCP最大连接数
+	DefaultTCPMaxConnectionsPerIP = 1000    // 单IP最大连接数
+	DefaultTCPMinConnectionsPerIP = 5       // 单IP最小连接数
+
+	DefaultTCPNewConnectionsMinutelyRate    = 500 // 单IP连接速率限制（按分钟）
+	DefaultTCPNewConnectionsMinMinutelyRate = 3   // 单IP最小连接速率
+
+	DefaultTCPNewConnectionsSecondlyRate    = 300 // 单IP连接速率限制（按秒）
+	DefaultTCPNewConnectionsMinSecondlyRate = 3   // 单IP最小连接速率

 	DefaultTCPLinger           = 3 // 单节点TCP Linger值
 	DefaultTLSHandshakeTimeout = 3 // TLS握手超时时间
@@ -29,9 +30,8 @@ var DefaultConfigs = maps.Map{
 	"tcpMaxConnections":                DefaultTCPMaxConnections,
 	"tcpMaxConnectionsPerIP":           DefaultTCPMaxConnectionsPerIP,
 	"tcpMinConnectionsPerIP":           DefaultTCPMinConnectionsPerIP,
-	"tcpNewConnectionsRate":            DefaultTCPNewConnectionsRate,
-	"tcpNewConnectionsMinRate":         DefaultTCPNewConnectionsMinRate,
-	"tcpDenyNewConnectionsRate":        DefaultTCPDenyNewConnectionsRate,
-	"tcpDenyNewConnectionsMinRate":     DefaultTCPDenyNewConnectionsMinRate,
-	"tcpDenyNewConnectionsRateTimeout": DefaultTCPDenyNewConnectionsRateTimeout,
+	"tcpNewConnectionsMinutelyRate":    DefaultTCPNewConnectionsMinutelyRate,
+	"tcpNewConnectionsMinMinutelyRate": DefaultTCPNewConnectionsMinMinutelyRate,
+	"tcpNewConnectionsSecondlyRate":    DefaultTCPNewConnectionsSecondlyRate,
+	"tcpNewConnectionsMinSecondlyRate": DefaultTCPNewConnectionsMinSecondlyRate,
 }
--- a/pkg/serverconfigs/ddosconfigs/tcp_config.go
+++ b/pkg/serverconfigs/ddosconfigs/tcp_config.go
@@ -7,11 +7,14 @@ type TCPConfig struct {
 	IsOn                bool  `json:"isOn"`
 	MaxConnections      int32 `json:"maxConnections"`
 	MaxConnectionsPerIP int32 `json:"maxConnectionsPerIP"`
-	NewConnectionsRate  int32 `json:"newConnectionsRate"`

-	// 自动加入黑名单连接速率
-	DenyNewConnectionsRate        int32 `json:"denyNewConnectionsRate"`
-	DenyNewConnectionsRateTimeout int32 `json:"denyNewConnectionsRateTimeout"`
+	// 分钟级速率
+	NewConnectionsMinutelyRate             int32 `json:"newConnectionsRate"`             // 分钟
+	NewConnectionsMinutelyRateBlockTimeout int32 `json:"newConnectionsRateBlockTimeout"` // 拦截时间
+
+	// 秒级速率
+	NewConnectionsSecondlyRate             int32 `json:"newConnectionsSecondlyRate"`
+	NewConnectionsSecondlyRateBlockTimeout int32 `json:"newConnectionsSecondlyRateBlockTimeout"`

 	AllowIPList []*IPConfig   `json:"allowIPList"`
 	Ports       []*PortConfig `json:"ports"`