quic: implement rate limiting for version nego and immediate close

jasnell · sxa · commit 26a30d8a7fac · 2026-06-18T21:12:33.000+01:00
Signed-off-by: James M Snell <jasnell@gmail.com> Assisted-by: Opencode:Opus 4.6 PR-URL: #63267 Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
diff --git a/src/quic/endpoint.cc b/src/quic/endpoint.cc
@@ -790,22 +790,30 @@ void Endpoint::SendRetry(const PathDescriptor& options) {
 
 void Endpoint::SendVersionNegotiation(const PathDescriptor& options) {
   Debug(this, "Sending version negotiation on path %s", options);
-  // While creating and sending a version negotiation packet does consume a
-  // small amount of system resources, and while it is fairly trivial for a
-  // malicious peer to force a version negotiation to be sent, these are more
-  // trivial to create than the cryptographically generated retry and stateless
-  // reset packets. If the packet is sent, then we'll at least increment the
-  // version_negotiation_count statistic so that application code can keep an
-  // eye on it.
+  // A malicious peer can trivially force version negotiation packets by
+  // sending packets with unsupported QUIC versions, potentially from
+  // spoofed source addresses. Rate-limit per remote host to prevent
+  // amplification attacks.
+  const auto exceeds_limits = [&] {
+    SocketAddressInfoTraits::Type* counts =
+        addr_validation_lru_.Peek(options.remote_address);
+    auto count = counts != nullptr ? counts->version_negotiation_count : 0;
+    return count >= kMaxVersionNegotiations;
+  };
+
+  if (exceeds_limits()) {
+    Debug(this, "Version negotiation rate limit exceeded for %s",
+          options.remote_address);
+    return;
+  }
+
   auto packet = Packet::CreateVersionNegotiationPacket(*this, options);
   if (packet) {
+    addr_validation_lru_.Upsert(options.remote_address)
+        ->version_negotiation_count++;
     STAT_INCREMENT(Stats, version_negotiation_count);
     Send(std::move(packet));
   }
-
-  // If creating the packet is unsuccessful, we just drop things on the floor.
-  // It's not worth committing any further resources to this one packet. We
-  // might want to log the failure at some point tho.
 }
 
 bool Endpoint::SendStatelessReset(const PathDescriptor& options,
@@ -847,11 +855,27 @@ void Endpoint::SendImmediateConnectionClose(const PathDescriptor& options,
         "Sending immediate connection close on path %s with reason %s",
         options,
         reason);
-  // While it is possible for a malicious peer to cause us to create a large
-  // number of these, generating them is fairly trivial.
+  // A malicious peer can trigger immediate connection close packets by
+  // sending Initial packets with invalid tokens or when the server is
+  // busy. Rate-limit per remote host to prevent amplification attacks.
+  const auto exceeds_limits = [&] {
+    SocketAddressInfoTraits::Type* counts =
+        addr_validation_lru_.Peek(options.remote_address);
+    auto count = counts != nullptr ? counts->immediate_close_count : 0;
+    return count >= kMaxImmediateCloses;
+  };
+
+  if (exceeds_limits()) {
+    Debug(this, "Immediate connection close rate limit exceeded for %s",
+          options.remote_address);
+    return;
+  }
+
   auto packet =
       Packet::CreateImmediateConnectionClosePacket(*this, options, reason);
   if (packet) {
+    addr_validation_lru_.Upsert(options.remote_address)
+        ->immediate_close_count++;
     STAT_INCREMENT(Stats, immediate_close_count);
     Send(std::move(packet));
   }
diff --git a/src/quic/endpoint.h b/src/quic/endpoint.h
@@ -32,6 +32,20 @@ class Endpoint final : public AsyncWrap, public Packet::Listener {
   static constexpr uint64_t DEFAULT_MAX_STATELESS_RESETS = 10;
   static constexpr uint64_t DEFAULT_MAX_RETRY_LIMIT = 10;
 
+  // Maximum number of version negotiation packets that will be sent to a
+  // given remote host within the LRU tracking window. Version negotiation
+  // packets are cheap to generate but can be used as an amplification
+  // vector with spoofed source addresses.
+  // TODO(@jasnell): Consider making this configurable via Endpoint::Options.
+  static constexpr uint64_t kMaxVersionNegotiations = 10;
+
+  // Maximum number of immediate connection close packets that will be sent
+  // to a given remote host within the LRU tracking window. These are sent
+  // when the server is busy or a token is invalid — a malicious peer could
+  // trigger a large number of them.
+  // TODO(@jasnell): Consider making this configurable via Endpoint::Options.
+  static constexpr uint64_t kMaxImmediateCloses = 10;
+
   // Endpoint configuration options
   struct Options final : public MemoryRetainer {
     // The local socket address to which the UDP port will be bound. The port
@@ -397,6 +411,8 @@ class Endpoint final : public AsyncWrap, public Packet::Listener {
       size_t active_connections;
       size_t reset_count;
       size_t retry_count;
+      size_t version_negotiation_count;
+      size_t immediate_close_count;
       uint64_t timestamp;
       bool validated;
     };
