Add ratelimits for the legacy handshake
There are two sets of variables for this ratelimit. First, there are `sv_old_clients_per_interval` and `sv_old_clients_interval`, which specify an interval and the number of clients that can join during that time without being ratelimited. If you get ratelimited, you get a one in `sv_old_clients_skip` chance of still continuing the handshake. Together, this should maintain usability while not under attack and still being able to connect while under attack.

The defaults are a maximum of 5 connections in 20 seconds without ratelimit and then only accepting every twentieth connection attempt. This comes from the following calculation: A legacy connection request packet consists of 4 UDP data bytes, the response to that weighs at most 57 UDP data bytes. This results in a reflection rate of ~15, so 20 should be rather safe from that. If I add the other protocol headers, I get 42 extra bytes per packet for IPv4 and 62 extra bytes per packet for IPv6 (determined with Wireshark). In these cases, the reflection rate is just around 3 or around 2.7, respectively. So perhaps one could lower `sv_old_clients_skip` further.

There's an expected waiting time of `sv_old_clients_skip` / 2 seconds for legitimate clients because those send a connection attempt every 500ms, with a geometric distribution.
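An added illustration of the scheme described above, not the commit's own code: a fixed-window limiter with the one-in-skip fallback, plus the expected-wait formula for a client retrying every 500 ms. The class name, the injected random source and the helper functions are assumptions made for this example.

```cpp
#include <cstdint>
#include <functional>
// Added example, not DDNet's own code: a fixed-window limiter for legacy
// connection requests following the scheme in the commit message. Class and
// function names and the injected random source are assumptions for this page.
class LegacyHandshakeLimiter {
public:
    // rnd(n) must return a value in [0, n); injected so the tests are deterministic.
    LegacyHandshakeLimiter(int perInterval, int intervalMs, int skip,
                           std::function<int(int)> rnd)
        : m_PerInterval(perInterval), m_IntervalMs(intervalMs), m_Skip(skip), m_Rnd(rnd) {}
    // Returns true if this connection request may continue the handshake.
    bool Allow(int64_t nowMs) {
        if (nowMs - m_IntervalStart >= m_IntervalMs) { // start a fresh interval
            m_IntervalStart = nowMs;
            m_Count = 0;
        }
        if (m_Count < m_PerInterval) { // still within the per-interval budget
            m_Count++;
            return true;
        }
        // Ratelimited: a one-in-skip chance keeps legitimate clients able to join.
        return m_Skip > 0 && m_Rnd(m_Skip) == 0;
    }
private:
    int m_PerInterval, m_IntervalMs, m_Skip, m_Count = 0;
    int64_t m_IntervalStart = 0;
    std::function<int(int)> m_Rnd;
};

// Expected wait for a legitimate client retrying every 500 ms while limited:
// success probability 1/skip per attempt, so skip attempts (skip/2 s) on average.
double ExpectedWaitSeconds(int skip) { return skip * 0.5; }

// Flood `packets` requests at t=0 with a cycling "random" source and report how
// many get through: the budget plus about one in `skip` of the rest.
int FloodAccepted(int packets, int perInterval, int intervalMs, int skip) {
    int n = 0, accepted = 0;
    LegacyHandshakeLimiter l(perInterval, intervalMs, skip,
                             [&n](int mod) { return n++ % mod; });
    for (int i = 0; i < packets; i++) accepted += l.Allow(0) ? 1 : 0;
    return accepted;
}

// The budget is restored once the interval has elapsed (random source never helps).
bool BudgetResetsAfterInterval() {
    LegacyHandshakeLimiter l(5, 20000, 20, [](int) { return 1; });
    for (int i = 0; i < 5; i++) l.Allow(i);
    return !l.Allow(5) && l.Allow(20000);
}
```

With the defaults (5 per 20 s, skip 20), a burst of 100 requests in one instant lets 10 through: the 5-packet budget plus one in twenty of the remaining 95.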
Showing with 51 additions and 0 deletions.