Probing resistance via timeout (#28)

server.go

@@ -40,6 +40,8 @@ import (
 
 var logger *logging.Logger
 
+const tcpReadTimeout time.Duration = 59 * time.Second
+
 func init() {
 	var prefix = "%{level:.1s}%{time:2006-01-02T15:04:05.000Z07:00} %{pid} %{shortfile}]"
 	if terminal.IsTerminal(int(os.Stderr.Fd())) {
@@ -75,7 +77,7 @@ func (s *SSServer) startPort(portNum int) error {
 	logger.Infof("Listening TCP and UDP on port %v", portNum)
 	port := &SSPort{cipherList: shadowsocks.NewCipherList()}
 	// TODO: Register initial data metrics at zero.
-	port.tcpService = shadowsocks.NewTCPService(listener, &port.cipherList, s.m)
+	port.tcpService = shadowsocks.NewTCPService(listener, &port.cipherList, s.m, tcpReadTimeout)
 	port.udpService = shadowsocks.NewUDPService(packetConn, s.natTimeout, &port.cipherList, s.m)
 	s.ports[portNum] = port
 	go port.udpService.Start()

shadowsocks/tcp.go

@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net"
 	"time"
 
@@ -29,7 +30,7 @@ import (
 )
 
 // Reads bytes from reader and appends to buf to ensure the needed number of bytes.
-// The cpacity of buf must be at least bytesNeeded.
+// The capacity of buf must be at least bytesNeeded.
 func ensureBytes(reader io.Reader, buf []byte, bytesNeeded int) ([]byte, error) {
 	if cap(buf) < bytesNeeded {
 		return buf, io.ErrShortBuffer
@@ -109,19 +110,20 @@ func findAccessKey(clientConn onet.DuplexConn, cipherList CipherList) (string, o
 		ssw := NewShadowsocksWriter(clientConn, cipher)
 		return id, onet.WrapConn(clientConn, ssr, ssw).(onet.DuplexConn), nil
 	}
-	return "", nil, fmt.Errorf("Could not find valid TCP cipher")
+	return "", clientConn, fmt.Errorf("Could not find valid TCP cipher")
 }
 
 type tcpService struct {
-	listener  *net.TCPListener
-	ciphers   *CipherList
-	m         metrics.ShadowsocksMetrics
-	isRunning bool
+	listener    *net.TCPListener
+	ciphers     *CipherList
+	m           metrics.ShadowsocksMetrics
+	isRunning   bool
+	readTimeout time.Duration
 }
 
 // NewTCPService creates a TCPService
-func NewTCPService(listener *net.TCPListener, ciphers *CipherList, m metrics.ShadowsocksMetrics) TCPService {
-	return &tcpService{listener: listener, ciphers: ciphers, m: m}
+func NewTCPService(listener *net.TCPListener, ciphers *CipherList, m metrics.ShadowsocksMetrics, timeout time.Duration) TCPService {
+	return &tcpService{listener: listener, ciphers: ciphers, m: m, readTimeout: timeout}
 }
 
 // TCPService is a Shadowsocks TCP service that can be started and stopped.
@@ -189,6 +191,7 @@ func (s *tcpService) Start() {
 			}()
 			connStart := time.Now()
 			clientConn.(*net.TCPConn).SetKeepAlive(true)
+			clientConn.SetReadDeadline(connStart.Add(s.readTimeout))
 			keyID := ""
 			var proxyMetrics metrics.ProxyMetrics
 			var timeToCipher time.Duration
@@ -210,9 +213,12 @@ func (s *tcpService) Start() {
 			timeToCipher = time.Now().Sub(findStartTime)
 
 			if err != nil {
+				logger.Debugf("Failed to find a valid cipher after reading %v bytes: %v", proxyMetrics.ClientProxy, err)
+				io.Copy(ioutil.Discard, clientConn) // drain socket
 				return onet.NewConnectionError("ERR_CIPHER", "Failed to find a valid cipher", err)
 			}
 
+			clientConn.SetReadDeadline(time.Time{})
 			return proxyConnection(clientConn, &proxyMetrics)
 		}()
 	}

shadowsocks/tcp_test.go

@@ -21,8 +21,8 @@ import (
 	"testing"
 	"time"
 
-	logging "github.com/op/go-logging"
 	onet "github.com/Jigsaw-Code/outline-ss-server/net"
+	logging "github.com/op/go-logging"
 )
 
 // Simulates receiving invalid TCP connection attempts on a server with 100 ciphers.