| author | Roman Arutyunyan <arut@nginx.com> | 2021-10-07 13:22:42 +0300 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2021-10-07 13:22:42 +0300 |
| commit | 434f11bf3f4c9c8466a946c775441ecd6f768c13 (patch) | |
| tree | 4b60637010e15bf84d539d2d027a31deddc1f297 /src/http/v3/ngx_http_v3.c | |
| parent | 0c33e484a4333fe2a343baf3aeefae3212534db3 (diff) | |
| download | nginx-434f11bf3f4c9c8466a946c775441ecd6f768c13.tar.gz nginx-434f11bf3f4c9c8466a946c775441ecd6f768c13.tar.bz2 | |
HTTP/3: traffic-based flood detection.
With this patch, all traffic over HTTP/3 bidi and uni streams is counted in
the h3c->total_bytes field, and payload traffic is counted in the
h3c->payload_bytes field. As long as total traffic is many times larger than
payload traffic, we consider this to be a flood.
Request header traffic is counted as if all fields are literal. Response
header traffic is counted as is.
Diffstat (limited to 'src/http/v3/ngx_http_v3.c')
| -rw-r--r-- | src/http/v3/ngx_http_v3.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/http/v3/ngx_http_v3.c b/src/http/v3/ngx_http_v3.c
index 2c838f4b5..500113509 100644
--- a/src/http/v3/ngx_http_v3.c
+++ b/src/http/v3/ngx_http_v3.c
@@ -86,3 +86,22 @@ ngx_http_v3_cleanup_session(void *data)
 ngx_del_timer(&h3c->keepalive);
 }
 }
+
+
+ngx_int_t
+ngx_http_v3_check_flood(ngx_connection_t *c)
+{
+ ngx_http_v3_session_t *h3c;
+
+ h3c = ngx_http_v3_get_session(c);
+
+ if (h3c->total_bytes / 8 > h3c->payload_bytes + 1048576) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "http3 flood detected");
+
+ ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
+ "HTTP/3 flood detected");
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
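Review bot: The condition `if (h3c->total_bytes / 8 > h3c->payload_bytes + 1048576)` encodes the "many times larger" rule from the commit message as two bare constants, and the additive term means a session can never trip the check before roughly 8 MiB of total traffic; a comment above it such as `/* flood: framing overhead exceeds 8x payload, after a 1 MiB allowance so short sessions are never flagged */` would let a future tuning change be reviewed against the intent rather than the numbers. The connection is closed with NGX_HTTP_V3_ERR_NO_ERROR while the log line reports a detected flood; if not disclosing the reason to the peer is deliberate, a one-line comment saying so would stop a later reader from "fixing" the code to a more specific error code. `h3c = ngx_http_v3_get_session(c);` is dereferenced without a check, so presumably callers only invoke this on a connection whose session already exists; stating that precondition in a short header comment on ngx_http_v3_check_flood would make the contract explicit. The three context lines belong to the tail of ngx_http_v3_cleanup_session, whose body starts outside the hunk; the new function itself is complete within it.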
