public
/
dhcp_protect
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
Tree: 1382cd41b6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1382cd41b6'
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 7.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348 
  1. // dhcp_protect.c

  2. 

  3. #include <stdio.h>

  4. #include <stdlib.h>

  5. #include <string.h>

  6. #include <unistd.h>

  7. #include <stdint.h>

  8. #include <errno.h>

  9. #include <time.h>

  10. #include <linux/netfilter.h>

  11. #include <libnetfilter_queue/libnetfilter_queue.h>

  12. #include <uthash.h>

  13. #include "dhcp_protect.h"

  14. 

  15. // main function

  16. int main(int argc, char **argv) {

  17. 	char *configfile;

  18. 	dp_conf conf;

  19. 	struct nfq_q_handle *qh;

  20. 

  21. 	if ( argc == 2 ) {

  22. 		configfile = argv[1];

  23. 	}

  24. 	else {

  25. 		usage(argv[0]);

  26. 		return EXIT_FAILURE;

  27. 	}

  28. 

  29. 	if ( load_config(&conf, configfile) == NULL )

  30. 		return EXIT_FAILURE;

  31. 

  32. 	nfq_start(&conf);

  33. 

  34. 	return 0;

  35. }

  36. 

  37. // start netfilter queue

  38. void nfq_start(dp_conf *conf) {

  39. 	struct nfq_handle *h;

  40. 	struct nfq_q_handle *qh;

  41. 	int fd;

  42. 

  43. 	if ( ( h = nfq_open() ) == NULL ) {

  44. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  45. 		return;

  46. 	}

  47. 

  48. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  49. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  50. 		return;

  51. 	}

  52. 

  53. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  54. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  55. 		return;

  56. 	}

  57. 

  58. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  59. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  60. 		return;

  61. 	}

  62. 

  63. 	fd = nfq_fd(h);

  64. 

  65. 	while(1) {

  66. 		static char buf[65536];

  67. 		int rv;

  68. 

  69. 		if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

  70. 			nfq_handle_packet(h, buf, rv); /* send packet to callback */

  71. 		}

  72. 	}

  73. }

  74. 

  75. // display usage

  76. void usage(char *prog) {

  77. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  78. }

  79. 

  80. 

  81. // load configuration file

  82. dp_conf *load_config(dp_conf *conf, char *file) {

  83. 	FILE *fh;

  84. 	char *line = NULL;

  85. 	size_t len = 0;

  86. 	int error = 0;

  87. 

  88. 	printf("Loading configuration %s\n",file);

  89. 	

  90. 

  91. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  92. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  93. 		return NULL;

  94. 	}

  95. 

  96. 	while (getline(&line, &len, fh) != -1) {

  97. 		char *name, *value;

  98. 

  99. 		name  = strtok(line, "=\r\n ");

  100. 		value = strtok(NULL,"=\r\n ");

  101. 

  102. 		if ( name == NULL || value == NULL || name[0] == '#' )

  103. 			continue;

  104. 

  105. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  106. 			conf->pktint = atoi(value);

  107. 		else if ( strcmp(name,"interval")==0 )

  108. 			conf->interval = atoi(value);

  109. 		else if ( strcmp(name, "debug")==0 )

  110. 			conf->debug = atoi(value) ? 1 : 0;

  111. 		else if ( strcmp(name, "blacklist_time")==0 )

  112. 			conf->bltime = atoi(value);

  113. 		else if ( strcmp(name, "queue")==0 )

  114. 			conf->queue = atoi(value);

  115. 		else

  116. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  117. 

  118. 		free(line);

  119. 	}

  120. 	fclose(fh);

  121. 

  122. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  123. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  124. 		error=1;

  125. 	}

  126. 	if ( conf->interval < 10 || conf->interval > 60 ) {

  127. 		fprintf(stderr,"interval value invalid (min 10, max 60)\n");

  128. 		error=1;

  129. 	}

  130. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  131. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  132. 		error=1;

  133. 	}

  134. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  135. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  136. 		error=1;

  137. 	}

  138. 	if ( conf->queue < 0 ) {

  139. 		fprintf(stderr,"queue must be a positive integer\n");

  140. 		error=1;

  141. 	}

  142. 

  143. 	if ( error )

  144. 		return NULL;

  145. 

  146. 	printf("Configuration:\n");

  147. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  148. 	printf("\t%-20s = %4i\n", "interval", conf->interval);

  149. 	printf("\t%-20s = %4i\n", "debug", conf->debug);

  150. 	printf("\t%-20s = %4i\n", "blacklist_time", conf->bltime);

  151. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  152. 

  153. 

  154. 	return conf;

  155. }

  156. 

  157. // decode dhcp packet

  158. u_int32_t dhcp_check(struct nfq_data *nfa, int *verdict, dp_conf *conf) {

  159. 	unsigned char *pkt;

  160. 	int pktlen;

  161. 	int offset = 0;

  162. 	unsigned char *remoteid;

  163. 	int remoteidlen = 0;

  164. 	int found = 0;

  165. 	uint8_t ipver = 0;

  166. 	uint8_t ihl = 0;

  167. 	int i;

  168. 

  169. 	pktlen = nfq_get_payload(nfa, &pkt);

  170. 

  171. 	for(i=0; i<pktlen; i++) {

  172. 		if ( !(i%16) ) printf("\n");

  173. 		printf("%02x ", pkt[i]);

  174. 	}

  175. 

  176. 	// can we read the IP proto and IP header length ?

  177. 	if ( pktlen > 0 ) {

  178. 		ipver = pkt[offset];

  179. 		ipver >>= 4;

  180. 		ihl   = pkt[offset];

  181. 		ihl  &= 0x0f;

  182. 

  183. 		if ( ipver != 4 ) {

  184. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  185. 			return NF_ACCEPT;

  186. 		}

  187. 

  188. 		// jump over the IPv4 header

  189. 		offset += ihl * 4;

  190. 	}

  191. 

  192. 

  193. 	// jump over UDP + DHCP header

  194. 	offset += 8 + 28 + 16 + 64 + 128;

  195. 

  196. 	// minimum packet size, fixed header + magic cookie (4 octets)

  197. 	if ( pktlen < offset + 4 ) {

  198. 		if ( conf->debug ) printf("packet too small\n");

  199. 		return NF_ACCEPT;

  200. 	}

  201. 

  202. 	// check magic cookie

  203. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  204. 		if ( conf->debug ) printf("invalid magic cookie %02x%02x%02x%02x\n", pkt[offset], pkt[offset+1], pkt[offset+2], pkt[offset+3]);

  205. 		return NF_ACCEPT;

  206. 	}

  207. 	offset+=4;

  208. 

  209. 

  210. 	// parse TLV options

  211. 	while(offset<pktlen && !found) {

  212. 		uint8_t type = pkt[offset];

  213. 		uint8_t len;

  214. 

  215. 		offset++;

  216. 

  217. 		printf("type : %i\n",type);

  218. 

  219. 		// padding of 1 octet

  220. 		if ( type == 0 ) {

  221. 			continue;

  222. 		}

  223. 

  224. 		// end of options

  225. 		if ( type == 255 )

  226. 			break;

  227. 

  228. 		// make sure we can read len

  229. 		if ( offset>=pktlen )

  230. 			break;

  231. 

  232. 		len = pkt[offset];

  233. 		offset++;

  234. 

  235. 		printf("len  : %i\n", len);

  236. 

  237. 		// can the value be read

  238. 		if ( offset+len>=pktlen )

  239. 			break;

  240. 

  241. 		// option 82 parser

  242. 		if ( type == 82 ) {

  243. 			unsigned char *o82 = pkt+offset;

  244. 			int o82off = 0;

  245. 

  246. 			// loop until the end, +2 to ensure we can read type and length

  247. 			while(o82off+2<len && !found) {

  248. 				uint8_t otype = o82[o82off];

  249. 				uint8_t olen  = o82[o82off+1];

  250. 				o82off+=2;

  251. 

  252. 				printf("o82 type=%i len=%i\n", otype, olen);

  253. 

  254. 				// remoteid

  255. 				if ( otype == 2 ) {

  256. 					// make sure we don't overflow and can read all data

  257. 					if ( o82off + olen > len ) {

  258. 						if ( conf->debug) printf("option 82.2 data too long\n");

  259. 						return NF_ACCEPT;

  260. 					}

  261. 					else {

  262. 						remoteid = o82 + o82off;

  263. 						remoteidlen = olen;

  264. 						found=1;

  265. 					}

  266. 				}

  267. 

  268. 				o82off+=olen;

  269. 			}

  270. 		}

  271. 

  272. 		offset+=len;

  273. 	}

  274. 

  275. 	if ( found ) {

  276. 		dp_blacklist_count(conf, remoteid, remoteidlen);

  277. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) )

  278. 			return NF_ACCEPT;

  279. 		else

  280. 			return NF_DROP;

  281. 	}

  282. 

  283. 	printf("got a packet, len = %i\n", pktlen);

  284. 	return NF_ACCEPT;

  285. }

  286. 

  287. // netfilter queue callback

  288. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  289. 	dp_conf *conf = (dp_conf*)data;

  290. 	int verdict;

  291. 	u_int32_t id = dhcp_check(nfa, &verdict, conf); /* Treat packet */

  292. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  293. }

  294. 

  295. void dp_blacklist_count(dp_conf *conf, unsigned char *remoteid, int len) {

  296. 	int i;

  297. 	dp_blacklist *bl, *tmp;

  298. 

  299. 	// does the element already exist

  300. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  301. 

  302. 	// found it, increment the counter

  303. 	if ( bl ) {

  304. 		if ( conf->debug ) printf("BL: item found, incrementing\n");

  305. 		bl->count++;

  306. 	}

  307. 	// not found, create a new one

  308. 	else {

  309. 		bl = malloc(sizeof(dp_blacklist));

  310. 

  311. 		memcpy(bl->remoteid, remoteid, len);

  312. 		bl->len = len;

  313. 		bl->count = 1;

  314. 

  315. 		if ( conf->debug ) printf("BL: item not found, creating\n");

  316. 

  317. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  318. 	}

  319. 

  320. 	printf("count this remoteid ");

  321. 	for(i=0; i<len; i++) printf("%02x",*(uint8_t*)(remoteid+i));

  322. 	printf("\n");

  323. 

  324. 	// is it time to cleanup the list?

  325. 	if ( dp_timestamp + conf->interval < time(NULL) ) {

  326. 		if ( conf->debug ) printf("cleanup interval\n");

  327. 		dp_timestamp = time(NULL);

  328. 		HASH_ITER(hh, blacklists, bl, tmp) {

  329. 			HASH_DEL(blacklists, bl);

  330. 			free(bl);

  331. 		}

  332. 	}

  333. }

  334. 

  335. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  336. 	dp_blacklist *bl;

  337. 

  338. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  339. 

  340. 	if ( bl ) {

  341. 		if(conf->debug) printf("found item\n");

  342. 

  343. 		if ( bl->count > conf->pktint ) {

  344. 			if(conf->debug) printf("flood detected!\n");

  345. 			return NF_DROP;

  346. 		}

  347. 	}

  348. }