1 ändrade filer med 27 tillägg och 17 borttagningar
+ 27
- 17
README.md
Visa fil
| @@ -1,12 +1,30 @@ | |||
| # NF_DHCP_Filter | |||
| # DHCP Protect | |||
| A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API. | |||
| DHCP Protect is a userspace application that filters DHCPv4 and DHCPv6 floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API. | |||
| # Dependencies | |||
| # How it works | |||
| DHCP Protect receives every packet that enters the iptables NFQUEUE. It will count the number of queries sent by a client and if `max_pkt_per_interval` is reached within `interval` time, it will blacklist the client. While a client is blacklisted, the accounting continues, this means that when the `blacklist_time` is over and if the client continued to flood the DHCP server, the client will NOT be unblacklisted. The blacklist expiration time will be pushed forward as long as the client continues to flood. | |||
| ## What is a client? | |||
| ### DHCPv4 | |||
| In DHCPv4 DHCP Protect will primarly look for option 82, suboption 2 (remoteID). If this is not available it will use the hardware address field. | |||
| ### DHCPv6 | |||
| In DHCPv6 DHCP Protect will account based on the client DUID. | |||
| # Installation | |||
| ``` | |||
| git clone https://git.home.spale.com/dhcp_protect.git | |||
| cd dhcp_protect | |||
| apt-get install build-essential uthash-dev libnetfilter-queue-dev | |||
| make all | |||
| make install | |||
| ``` | |||
| Note: the `make install` will automatically create, enable and start the systemd service and the `make uninstall` will stop and remove the systemd service. | |||
| # Configuration | |||
| The configuration file may be tuned, but the defaults should be fine. | |||
| ``` | |||
| # max_pkt_per_interval | |||
| # maximum number of packets authorised per time interval. | |||
| @@ -18,7 +36,7 @@ interval=30 | |||
| # debug | |||
| # enable debugging, warning, very verbose | |||
| debug=1 | |||
| debug=0 | |||
| # blacklist_time | |||
| # number of seconds this client will be ignored once | |||
| @@ -35,25 +53,17 @@ queue=67 | |||
| # this can be used for testing, syslog will still display the blacklisting | |||
| # actions. | |||
| # Set to 0 for production. | |||
| dryrun=1 | |||
| dryrun=0 | |||
| ``` | |||
| # Run | |||
| # Starting / Stopping | |||
| ``` | |||
| root@router:~/dhcp_protect# ./dhcp_protect ./dhcp_protect.conf | |||
| Loading configuration ./dhcp_protect.conf | |||
| Configuration: | |||
| dryrun = Yes | |||
| debug = Yes | |||
| interval = 30s | |||
| max_pkt_per_interval = 30 | |||
| blacklist_time = 55s | |||
| queue = 67 | |||
| root@hostname:~/# systemd <start|stop|restart> dhcp_protect | |||
| ``` | |||
| # Logging | |||
| # Logging / Accounting | |||
| The program will log to system every time a client is added or removed from the blacklist. | |||
| The program will log to system every blacklisting action to syslog. | |||
| ``` | |||
| Oct 23 16:50:18 router dhcp_protect[9706]: 00000000021b: blacklisting started | |||
Laddar…