This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/opensource-wg@ripe.net/
[opensource-wg] new project: DHCP Protect
- Previous message (by thread): [opensource-wg] Light(e)ning talks
- Next message (by thread): [opensource-wg] new project: DHCP Protect
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Pascal Gloor
pascal.gloor at spale.com
Fri Oct 25 13:18:32 CEST 2019
Hi Community, NOTE: I hope this post is appropriate in this mailinglist, please let me know if it isn’t. I don’t know about you, but as an ISP we’ve always faced the problem of crazy DHCP clients (v4 and v6) flooding our servers. While at my employer we have a proprietary DHCP server with anti-flood mechanisms it might not the case for everyone. This is why I wrote DHCP Protect. DHCP Protect works with the userspace API of Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6) packet and decide if it should be forwarded or not. Don’t worry, iptables can be configured in a way that if the program is not working, it will ACCEPT the packets by default. There are no packages available, but don’t be scared, it’s really simple to install and it will do all the systemd stuff for you! After make install it will already be running (you can also make uninstall which will delete everything and remove it from systemd). git clone https://git.home.spale.com/dhcp_protect.git cd dhcp_protect sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev make all sudo make install That’s it. And then you need the iptables/ip6tables rule: iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass (SAME queue number! the program can treat v4/v6 at the same time) It doesn’t need to be on the DHCP server itself, it can also be run on the path, in that case replace INPUT by FORWARD. The program will log to syslog when it blacklists. I’ve tested this with 10kpps and the CPU load of the program was about 4-6% on one core (AMD Ryzen 7 2700X). There’s also a flooding perl client in the repository to test the performance. It can do pseudo DHCPv4/DHCPv6, but since it’s pseudo, don’t use the perftest.pl against a real DHCP server. More information in the README -> https://git.home.spale.com/public/dhcp_protect I’d be glad on feedback! It is useful? what additional features would you like to see? Thanks for reading Pascal
- Previous message (by thread): [opensource-wg] Light(e)ning talks
- Next message (by thread): [opensource-wg] new project: DHCP Protect
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]