Add a cost in number of connections per IP to prevent DoS attacks

doc/sample.config

@@ -215,9 +215,11 @@ min-reauth-time = 300
 
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
-# min-reauth-time seconds. A wrong password attempt is 5 points.
+# min-reauth-time seconds. A wrong password attempt is 10 points,
+# a connection is 1 point.
+#
 # Set to zero to disable.
-max-ban-score = 30
+max-ban-score = 50
 
 # The time (in seconds) that all score kept for a client is reset.
 ban-reset-time = 300

src/main-ban.c

@@ -189,7 +189,9 @@ unsigned check_if_banned(main_server_st *s, struct sockaddr_storage *addr, sockl
 		return 0;
 
 	if (human_addr2((struct sockaddr*)addr, addr_size, t.ip, sizeof(t.ip), 0) != NULL) {
-		/* pass the current time somehow */
+		/* add its current connection points */
+		add_ip_to_ban_list(s, t.ip, CONNECT_POINTS);
+
 		now = time(0);
 		e = htable_get(db, rehash(&t, NULL), ban_entry_cmp, &t);
 		if (e != NULL) {

src/ocserv-args.def

@@ -290,9 +290,11 @@ min-reauth-time = 120
 
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
-# min-reauth-time seconds. A wrong password attempt is 5 points.
+# min-reauth-time seconds. A wrong password attempt is 10 points,
+# a connection is 1 point.
+#
 # Set to zero to disable.
-max-ban-score = 30
+max-ban-score = 50
 
 # The time (in seconds) that all score kept for a client is reset.
 ban-reset-time = 300

src/vpn.h

@@ -61,7 +61,8 @@ typedef enum {
  * attempt gives you PASSWORD_POINTS, and you are banned
  * when the maximum ban score is reached.
  */
-#define PASSWORD_POINTS 5
+#define PASSWORD_POINTS 10
+#define CONNECT_POINTS 1
 #define DEFAULT_MAX_BAN_SCORE (MAX_PASSWORD_TRIES*PASSWORD_POINTS)
 #define DEFAULT_BAN_RESET_TIME 300