From feela at network.cz  Mon Oct 14 15:32:38 2019
From: feela at network.cz (Ondrej Filip)
Date: Mon, 14 Oct 2019 15:32:38 +0200
Subject: [opensource-wg] Light(e)ning talks
Message-ID:

Dear WG members,

as usual we have some time for lightning talks at the end of our meeting. If you want to deliver a short (about 5 min) presentation, please contact us before Tuesday 14:00 local time.

Your OS WG chairs
Martin & Ondrej
opensource-wg-chairs at ripe.net


From pascal.gloor at spale.com  Fri Oct 25 13:18:32 2019
From: pascal.gloor at spale.com (Pascal Gloor)
Date: Fri, 25 Oct 2019 13:18:32 +0200
Subject: [opensource-wg] new project: DHCP Protect
Message-ID: <3F135D1D-151A-4B11-8FDC-BC63D96503F6@spale.com>

Hi Community,

NOTE: I hope this post is appropriate in this mailing list, please let me know if it isn't.

I don't know about you, but as an ISP we've always faced the problem of crazy DHCP clients (v4 and v6) flooding our servers. While at my employer we have a proprietary DHCP server with anti-flood mechanisms, it might not be the case for everyone.

This is why I wrote DHCP Protect. DHCP Protect works with the userspace API of Netfilter (iptables/ip6tables) and will treat each DHCP (v4/v6) packet and decide if it should be forwarded or not.

Don't worry, iptables can be configured in a way that if the program is not working, it will ACCEPT the packets by default.

There are no packages available, but don't be scared, it's really simple to install and it will do all the systemd stuff for you! After make install it will already be running (you can also make uninstall, which will delete everything and remove it from systemd).

git clone https://git.home.spale.com/dhcp_protect.git
cd dhcp_protect
sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev
make all
sudo make install

That's it.

And then you need the iptables/ip6tables rule:

iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass

(SAME queue number! the program can treat v4/v6 at the same time)

It doesn't need to be on the DHCP server itself, it can also be run on the path; in that case replace INPUT by FORWARD.

The program will log to syslog when it blacklists.

I've tested this with 10kpps and the CPU load of the program was about 4-6% on one core (AMD Ryzen 7 2700X).

There's also a flooding perl client in the repository to test the performance. It can do pseudo DHCPv4/DHCPv6, but since it's pseudo, don't use the perftest.pl against a real DHCP server.

More information in the README -> https://git.home.spale.com/public/dhcp_protect

I'd be glad of feedback! Is it useful? What additional features would you like to see?

Thanks for reading
Pascal


From pascal.gloor at spale.com  Fri Oct 25 13:44:14 2019
From: pascal.gloor at spale.com (Pascal Gloor)
Date: Fri, 25 Oct 2019 13:44:14 +0200
Subject: [opensource-wg] new project: DHCP Protect
In-Reply-To: <3F135D1D-151A-4B11-8FDC-BC63D96503F6@spale.com>
References: <3F135D1D-151A-4B11-8FDC-BC63D96503F6@spale.com>
Message-ID: <4DF6DAFF-43CB-46C4-9CA3-43DA7291D67F@spale.com>

I just realised there's an error in the git path: it should be

https://git.home.spale.com/public/dhcp_protect.git

Sorry about that.

Pascal


From matt at peterson.org  Tue Oct 29 05:35:54 2019
From: matt at peterson.org (Matt Peterson)
Date: Mon, 28 Oct 2019 21:35:54 -0700
Subject: [opensource-wg] new project: DHCP Protect
In-Reply-To: <3F135D1D-151A-4B11-8FDC-BC63D96503F6@spale.com>
References: <3F135D1D-151A-4B11-8FDC-BC63D96503F6@spale.com>
Message-ID:

Out of curiosity, did ya inquire with the ISC folks about adding such "rate limiting" functionality to Kea? It's under fairly active development and they seem responsive to the user community.

--Matt

On Fri, Oct 25, 2019 at 4:18 AM Pascal Gloor wrote:
> Hi Community,
>
> NOTE: I hope this post is appropriate in this mailing list, please let me
> know if it isn't.
>
> I don't know about you, but as an ISP we've always faced the problem of
> crazy DHCP clients (v4 and v6) flooding our servers. While at my employer
> we have a proprietary DHCP server with anti-flood mechanisms, it might not
> be the case for everyone.
>
> This is why I wrote DHCP Protect. DHCP Protect works with the userspace
> API of Netfilter (iptables/ip6tables) and will treat each DHCP (v4/v6)
> packet and decide if it should be forwarded or not.
>
> Don't worry, iptables can be configured in a way that if the program is
> not working, it will ACCEPT the packets by default.
>
> There are no packages available, but don't be scared, it's really simple
> to install and it will do all the systemd stuff for you! After make install
> it will already be running (you can also make uninstall, which will delete
> everything and remove it from systemd).
>
> git clone https://git.home.spale.com/dhcp_protect.git
> cd dhcp_protect
> sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev
> make all
> sudo make install
>
> That's it.
>
> And then you need the iptables/ip6tables rule:
>
> iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
> ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass
>
> (SAME queue number! the program can treat v4/v6 at the same time)
>
> It doesn't need to be on the DHCP server itself, it can also be run on the
> path; in that case replace INPUT by FORWARD.
>
> The program will log to syslog when it blacklists.
>
> I've tested this with 10kpps and the CPU load of the program was about
> 4-6% on one core (AMD Ryzen 7 2700X).
>
> There's also a flooding perl client in the repository to test the
> performance. It can do pseudo DHCPv4/DHCPv6, but since it's pseudo, don't
> use the perftest.pl against a real DHCP server.
>
> More information in the README ->
> https://git.home.spale.com/public/dhcp_protect
>
> I'd be glad of feedback! Is it useful? What additional features would you
> like to see?
>
> Thanks for reading
> Pascal
>
> _______________________________________________
> opensource-wg mailing list
> opensource-wg at ripe.net
> https://lists.ripe.net/mailman/listinfo/opensource-wg
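The per-packet decision that Pascal's post (quoted above) describes, as an added example that is not DHCP Protect's own code: the real tool is written in C on libnetfilter_queue and is fed by the NFQUEUE rules shown in the post, whereas this Python sketch only implements the verdict logic on constructed sample packets (a Python NFQUEUE binding would hand it each queued UDP payload in a deployment). It keys DHCPv4 packets on the client hardware address (chaddr) and DHCPv6 packets on the Client Identifier DUID, adds a coarser budget per relay agent (giaddr) as a second layer, which is my assumption about a useful design and not a feature the post claims, and records blacklist events in a list that stands in for syslog. All function and class names are mine.

```python
"""Per-client DHCP rate limiting, the kind of verdict an NFQUEUE handler returns.

Added example, not DHCP Protect's code. A libnetfilter_queue binding would call
make_verdict() for each queued UDP payload and map "ACCEPT"/"DROP" to NF_ACCEPT/NF_DROP.
"""
import struct
import time

DHCP4_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at payload offset 236
DHCP6_OPT_CLIENTID = 1              # RFC 8415 Client Identifier option code


def dhcp4_chaddr(payload):
    """Client hardware address trimmed to hlen; None if not a plausible DHCPv4 frame."""
    if len(payload) < 240 or payload[236:240] != DHCP4_MAGIC or not 1 <= payload[2] <= 16:
        return None
    return payload[28:28 + payload[2]]


def dhcp4_giaddr(payload):
    """Relay agent address (giaddr), or None when the packet came directly from a client."""
    giaddr = payload[24:28]
    return giaddr if len(giaddr) == 4 and giaddr != b"\0\0\0\0" else None


def dhcp6_client_id(payload):
    """Client DUID from the DHCPv6 option list (1-byte msg-type and 3-byte xid come first)."""
    pos = 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            return None                     # truncated option: treat as malformed
        if code == DHCP6_OPT_CLIENTID:
            return payload[pos:pos + length]
        pos += length
    return None


class TokenBucketTable:
    """Per-key token buckets; a key that runs dry is blacklisted for ban_seconds."""

    def __init__(self, rate, burst, ban_seconds, clock=time.monotonic):
        self.rate, self.burst, self.ban_seconds = rate, burst, ban_seconds
        self.clock = clock
        self.buckets = {}   # key -> (tokens, last_refill_time)
        self.banned = {}    # key -> ban expiry time
        self.log = []       # stands in for syslog in this example

    def allow(self, key):
        now = self.clock()
        expiry = self.banned.get(key)
        if expiry is not None:
            if now < expiry:
                return False
            del self.banned[key]            # ban over: the key starts with a full bucket again
            self.buckets.pop(key, None)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        self.banned[key] = now + self.ban_seconds
        self.log.append(f"blacklist {key!r} for {self.ban_seconds}s")
        return False


def make_verdict(payload, version, per_client, per_relay):
    """Return "ACCEPT" or "DROP" for one queued DHCPv4 (version=4) or DHCPv6 (version=6) payload."""
    if version == 4:
        client, relay = dhcp4_chaddr(payload), dhcp4_giaddr(payload)
    elif version == 6:
        client, relay = dhcp6_client_id(payload), None
    else:
        return "ACCEPT"
    if client is None:
        return "ACCEPT"     # not a DHCP payload we understand: leave it to the server's parser
    checks = [(per_client, (version, client))]
    if relay is not None:
        checks.append((per_relay, (version, relay)))
    # all() short-circuits, so a client already over its limit does not charge its relay's budget
    return "ACCEPT" if all(table.allow(key) for table, key in checks) else "DROP"


def build_dhcp4_discover(mac, giaddr=b"\0\0\0\0"):
    """Constructed minimal DHCPDISCOVER, used only as sample input for this example."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr)
    return fixed + mac.ljust(16, b"\0") + b"\0" * 192 + DHCP4_MAGIC + b"\x35\x01\x01\xff"


def build_dhcp6_solicit(duid):
    """Constructed minimal SOLICIT carrying only a Client Identifier option (sample input)."""
    return b"\x01\x00\x00\x01" + struct.pack("!HH", DHCP6_OPT_CLIENTID, len(duid)) + duid


if __name__ == "__main__":
    per_client = TokenBucketTable(rate=1.0, burst=3, ban_seconds=10)
    per_relay = TokenBucketTable(rate=100.0, burst=500, ban_seconds=2)
    pkt = build_dhcp4_discover(b"\x00\x11\x22\x33\x44\x55")
    print([make_verdict(pkt, 4, per_client, per_relay) for _ in range(5)])
    print(per_client.log)
```

Two points worth keeping in mind when wiring logic like this behind the rules in the post: chaddr and the DUID are chosen by the sender, so a per-client limit alone cannot stop a flood that randomises them, which is why the sketch also budgets per giaddr (at the cost that a banned relay silences every client behind it until the short ban expires); and the fail-open behaviour Pascal mentions comes from the --queue-bypass flag on the NFQUEUE rules, not from the userspace program, so the verdict code itself can stay strict.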