public
/
dhcp_protect
Observar 1
Favorito 0
Fork 0
Código Issues 0 Pull requests 0 Versões 2 Wiki Atividade
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
8 Commits
1 Branch
Tag: 6de1a8765a
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 6de1a8765a
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 11KB
Original Anotar Histórico

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484 
  1. // dhcp_protect.c

  2. 

  3. #include <stdio.h>

  4. #include <stdlib.h>

  5. #include <string.h>

  6. #include <unistd.h>

  7. #include <stdint.h>

  8. #include <errno.h>

  9. #include <time.h>

  10. #include <stdarg.h>

  11. #include <syslog.h>

  12. #include <arpa/inet.h>

  13. 

  14. #include <linux/netfilter.h>

  15. #include <libnetfilter_queue/libnetfilter_queue.h>

  16. 

  17. #include <uthash.h>

  18. 

  19. #include "dhcp_protect.h"

  20. 

  21. // main function

  22. int main(int argc, char **argv) {

  23. 	char *configfile;

  24. 	dp_conf conf;

  25. 

  26. 	if ( argc == 2 ) {

  27. 		configfile = argv[1];

  28. 	}

  29. 	else {

  30. 		usage(argv[0]);

  31. 		return EXIT_FAILURE;

  32. 	}

  33. 

  34. 	if ( load_config(&conf, configfile) == NULL )

  35. 		return EXIT_FAILURE;

  36. 

  37. 	openlog("dhcp_protect", LOG_PID, LOG_DAEMON);

  38. 

  39. 	nfq_start(&conf);

  40. 

  41. 	return 0;

  42. }

  43. 

  44. // syslog function

  45. void dp_log(unsigned char *remoteid, int remoteidlen, char *fmt, ...) {

  46. 	va_list argList;

  47. 	char buf[1000];

  48. 	int offset = remoteidlen*2;

  49. 	int i;

  50. 

  51. 	for(i=0; i<remoteidlen; i++) {

  52. 		sprintf(buf+(i*2), "%02x", remoteid[i]);

  53. 	}

  54. 	buf[offset]=':'; offset++;

  55. 	buf[offset]=' '; offset++;

  56. 

  57. 	va_start(argList, fmt);

  58. 	vsnprintf(buf+offset, sizeof(buf)-offset-1, fmt, argList);

  59. 	va_end(argList);

  60. 

  61. 	syslog(LOG_DAEMON|LOG_INFO, "%s", buf);

  62. }

  63. 

  64. // start netfilter queue

  65. void nfq_start(dp_conf *conf) {

  66. 	struct nfq_handle *h;

  67. 	struct nfq_q_handle *qh;

  68. 	int fd;

  69. 

  70. 	if ( ( h = nfq_open() ) == NULL ) {

  71. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  72. 		return;

  73. 	}

  74. 

  75. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  76. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  77. 		return;

  78. 	}

  79. 

  80. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  81. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  82. 		return;

  83. 	}

  84. 

  85. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  86. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  87. 		return;

  88. 	}

  89. 

  90. 	fd = nfq_fd(h);

  91. 

  92. 	while(1) {

  93. 		static char buf[65536];

  94. 		int rv;

  95. 

  96. 		if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

  97. 			nfq_handle_packet(h, buf, rv); /* send packet to callback */

  98. 		}

  99. 	}

  100. }

  101. 

  102. // display usage

  103. void usage(char *prog) {

  104. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  105. }

  106. 

  107. 

  108. // load configuration file

  109. dp_conf *load_config(dp_conf *conf, char *file) {

  110. 	FILE *fh;

  111. 	char *line = NULL;

  112. 	size_t len = 0;

  113. 	int error = 0;

  114. 

  115. 	printf("Loading configuration %s\n",file);

  116. 	

  117. 

  118. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  119. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  120. 		return NULL;

  121. 	}

  122. 

  123. 	while (getline(&line, &len, fh) != -1) {

  124. 		char *name, *value;

  125. 

  126. 		name  = strtok(line, "=\r\n ");

  127. 		value = strtok(NULL,"=\r\n ");

  128. 

  129. 		if ( name == NULL || value == NULL || name[0] == '#' )

  130. 			continue;

  131. 

  132. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  133. 			conf->pktint = atoi(value);

  134. 		else if ( strcmp(name,"interval")==0 )

  135. 			conf->interval = atoi(value);

  136. 		else if ( strcmp(name, "debug")==0 )

  137. 			conf->debug = atoi(value) ? 1 : 0;

  138. 		else if ( strcmp(name, "blacklist_time")==0 )

  139. 			conf->bltime = atoi(value);

  140. 		else if ( strcmp(name, "queue")==0 )

  141. 			conf->queue = atoi(value);

  142. 		else if ( strcmp(name, "dryrun")==0 )

  143. 			conf->dryrun = atoi(value) ? 1 : 0;

  144. 		else

  145. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  146. 

  147. 		free(line);

  148. 	}

  149. 	fclose(fh);

  150. 

  151. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  152. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  153. 		error=1;

  154. 	}

  155. 	if ( conf->interval < 5 || conf->interval > 900 ) {

  156. 		fprintf(stderr,"interval value invalid (min 5, max 900)\n");

  157. 		error=1;

  158. 	}

  159. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  160. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  161. 		error=1;

  162. 	}

  163. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  164. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  165. 		error=1;

  166. 	}

  167. 	if ( conf->queue < 0 ) {

  168. 		fprintf(stderr,"queue must be a positive integer\n");

  169. 		error=1;

  170. 	}

  171. 	if ( conf->dryrun < 0 || conf->dryrun > 1 ) {

  172. 		fprintf(stderr, "dryrun value invalid (0 or 1)\n");

  173. 		error=1;

  174. 	}

  175. 

  176. 	if ( error )

  177. 		return NULL;

  178. 

  179. 	printf("Configuration:\n");

  180. 	printf("\t%-20s = %4s\n", "dryrun", conf->dryrun ? "Yes" : "No");

  181. 	printf("\t%-20s = %4s\n", "debug", conf->debug ? "Yes" : "No" );

  182. 	printf("\t%-20s = %4is\n", "interval", conf->interval);

  183. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  184. 	printf("\t%-20s = %4is\n", "blacklist_time", conf->bltime);

  185. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  186. 

  187. 

  188. 	return conf;

  189. }

  190. 

  191. // decode dhcp packet

  192. int dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  193. 	unsigned char *pkt;

  194. 	int pktlen;

  195. 	int offset = 0;

  196. 	unsigned char *remoteid;

  197. 	int remoteidlen = 0;

  198. 	int found = 0;

  199. 	uint8_t ipver = 0;

  200. 	uint8_t ihl = 0;

  201. 	//int i;

  202. 	int rv = NF_ACCEPT;

  203. 

  204. 	pktlen = nfq_get_payload(nfa, &pkt);

  205. 

  206. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  207. 

  208. 	/* a bit too much ;)

  209. 	if ( conf->debug ) {

  210. 		for(i=0; i<pktlen; i++) {

  211. 			if ( !(i%16) ) printf("\n");

  212. 			printf("%02x ", pkt[i]);

  213. 		}

  214. 	}

  215. 	*/

  216. 

  217. 	// can we read the IP proto and IP header length ?

  218. 	if ( pktlen > 0 ) {

  219. 		ipver = pkt[offset];

  220. 		ipver >>= 4;

  221. 		ihl   = pkt[offset];

  222. 		ihl  &= 0x0f;

  223. 

  224. 		if ( ipver != 4 ) {

  225. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  226. 			rv = NF_ACCEPT;

  227. 			goto end;

  228. 		}

  229. 

  230. 		// jump over the IPv4 header

  231. 		offset += ihl * 4;

  232. 	}

  233. 

  234. 

  235. 	// jump over UDP + DHCP header

  236. 	offset += 8 + 28 + 16 + 64 + 128;

  237. 

  238. 	// minimum packet size, fixed header + magic cookie (4 octets)

  239. 	if ( pktlen < offset + 4 ) {

  240. 		if ( conf->debug ) printf("packet too small\n");

  241. 		rv = NF_ACCEPT;

  242. 		goto end;

  243. 	}

  244. 

  245. 	// check magic cookie

  246. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  247. 		if ( conf->debug )

  248. 			printf(

  249. 				"invalid magic cookie %02x%02x%02x%02x\n",

  250. 				pkt[offset], pkt[offset+1],

  251. 				pkt[offset+2], pkt[offset+3]);

  252. 

  253. 		rv = NF_ACCEPT;

  254. 		goto end;

  255. 	}

  256. 	offset+=4;

  257. 

  258. 

  259. 	// parse TLV options

  260. 	while(offset<pktlen && !found) {

  261. 		uint8_t type = pkt[offset];

  262. 		uint8_t len;

  263. 

  264. 		offset++;

  265. 

  266. 		// printf("type : %i\n",type);

  267. 

  268. 		// padding of 1 octet

  269. 		if ( type == 0 ) {

  270. 			continue;

  271. 		}

  272. 

  273. 		// end of options

  274. 		if ( type == 255 )

  275. 			break;

  276. 

  277. 		// make sure we can read len

  278. 		if ( offset>=pktlen )

  279. 			break;

  280. 

  281. 		len = pkt[offset];

  282. 		offset++;

  283. 

  284. 		// printf("len  : %i\n", len);

  285. 

  286. 		// can the value be read

  287. 		if ( offset+len>=pktlen )

  288. 			break;

  289. 

  290. 		// option 82 parser

  291. 		if ( type == 82 ) {

  292. 			unsigned char *o82 = pkt+offset;

  293. 			int o82off = 0;

  294. 

  295. 			// loop until the end, +2 to ensure we can read type and length

  296. 			while(o82off+2<len && !found) {

  297. 				uint8_t otype = o82[o82off];

  298. 				uint8_t olen  = o82[o82off+1];

  299. 				o82off+=2;

  300. 

  301. 				// printf("o82 type=%i len=%i\n", otype, olen);

  302. 

  303. 				// remoteid

  304. 				if ( otype == 2 ) {

  305. 					// make sure we don't overflow and can read all data

  306. 					if ( o82off + olen > len ) {

  307. 						if ( conf->debug) printf("option 82.2 data too long\n");

  308. 						rv = NF_ACCEPT;

  309. 						goto end;

  310. 					}

  311. 					else {

  312. 						remoteid = o82 + o82off;

  313. 						remoteidlen = olen;

  314. 						found=1;

  315. 					}

  316. 				}

  317. 

  318. 				o82off+=olen;

  319. 			}

  320. 		}

  321. 

  322. 		offset+=len;

  323. 	}

  324. 

  325. 	if ( found ) {

  326. 		// count the packet, even when blacklisted.

  327. 		dp_accounting_add(conf, remoteid, remoteidlen);

  328. 

  329. 		// check if already in the blacklist

  330. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  331. 			rv = NF_DROP;

  332. 

  333. 		// check if it must be added to the blacklist

  334. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  335. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  336. 			rv = NF_DROP;

  337. 		}

  338. 	}

  339. 

  340. 	end:

  341. 

  342. 	dp_hash_cleanup(conf);

  343. 

  344. 	return rv;

  345. }

  346. 

  347. // netfilter queue callback

  348. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  349. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  350. 	dp_conf *conf = (dp_conf*)data;

  351. 	int id;

  352. 	int verdict;

  353. 

  354. 	if ( ph ) {

  355. 		id = ntohl (ph->packet_id);

  356. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  357. 	}

  358. 

  359. 	verdict = dhcp_check(nfa, conf); /* Treat packet */

  360. 

  361. 	// override decision for dryrun

  362. 	if ( conf->dryrun )

  363. 		verdict = NF_ACCEPT;

  364. 

  365. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  366. }

  367. 

  368. void dp_accounting_add(dp_conf *conf, unsigned char *remoteid, int len) {

  369. 	//int i;

  370. 	dp_accounting *ac;

  371. 

  372. 	// does the element already exist

  373. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  374. 

  375. 	if ( conf->debug ) printf("AC: add item\n");

  376. 

  377. 	// found it, increment the counter

  378. 	if ( ac ) {

  379. 		if ( conf->debug ) printf("AC: item found, incrementing\n");

  380. 		ac->count++;

  381. 	}

  382. 	// not found, create a new one

  383. 	else {

  384. 		if ( conf->debug ) printf("AC: item not found, creating\n");

  385. 		ac = malloc(sizeof(dp_accounting));

  386. 

  387. 		memcpy(ac->remoteid, remoteid, len);

  388. 		ac->len = len;

  389. 		ac->count = 1;

  390. 

  391. 		HASH_ADD(hh, accountings, remoteid, len, ac);

  392. 	}

  393. }

  394. 

  395. void dp_blacklist_add(dp_conf *conf, unsigned char *remoteid, int len) {

  396. 	dp_blacklist *bl;

  397. 

  398. 	// alrady exists?

  399. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  400. 

  401. 	if ( conf->debug ) printf("BL: add item\n");

  402. 

  403. 	// found an entry, push the expiration further

  404. 	if ( bl ) {

  405. 		if ( conf->debug ) printf("BL: item found -> pushing further\n");

  406. 		bl->expire = time(NULL) + conf->bltime;

  407. 	}

  408. 	// not found, create a new one

  409. 	else {

  410. 		if ( conf->debug ) printf("BL: item not found, new entry in BL\n");

  411. 		dp_log(remoteid, len, "blacklisting started");

  412. 		bl = malloc(sizeof(dp_blacklist));

  413. 		memcpy(bl->remoteid, remoteid, len);

  414. 		bl->len = len;

  415. 		bl->expire = time(NULL) + conf->bltime;

  416. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  417. 	}

  418. }

  419. 

  420. void dp_hash_cleanup(dp_conf *conf) {

  421. 	dp_accounting *ac, *actmp;

  422. 	dp_blacklist *bl, *bltmp;

  423. 

  424. 	// is it time to cleanup the list?

  425. 	// cleanup every conf->interval seconds 

  426. 	if ( dp_accountingtime + conf->interval < time(NULL) ) {

  427. 		if ( conf->debug ) printf("cleanup interval\n");

  428. 		dp_accountingtime = time(NULL);

  429. 		HASH_ITER(hh, accountings, ac, actmp) {

  430. 			HASH_DEL(accountings, ac);

  431. 			free(ac);

  432. 		}

  433. 	}

  434. 

  435. 	// blacklist cleanup check every 1 sec

  436. 	if ( dp_cleanuptime < time(NULL) ) {

  437. 		if ( conf->debug ) printf("cleanup BL\n");

  438. 		dp_cleanuptime = time(NULL);

  439. 		HASH_ITER(hh, blacklists, bl, bltmp) {

  440. 			if ( bl->expire < time(NULL) ) {

  441. 				dp_log(

  442. 					bl->remoteid, bl->len, 

  443. 					"blacklisting ended");

  444. 				HASH_DEL(blacklists, bl);

  445. 				free(bl);

  446. 			}

  447. 		}

  448. 	}

  449. }

  450. 

  451. int dp_accounting_check(dp_conf *conf, unsigned char *remoteid, int len) {

  452. 	dp_accounting *ac;

  453. 

  454. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  455. 

  456. 	if ( conf->debug ) printf("AC Check\n");

  457. 

  458. 	if ( ac ) {

  459. 		if(conf->debug) printf("AC Check: found item %i > %i ?\n", ac->count, conf->pktint);

  460. 

  461. 		if ( ac->count > conf->pktint ) {

  462. 			if(conf->debug) printf("flood detected!\n");

  463. 			return NF_DROP;

  464. 		}

  465. 	}

  466. 	return NF_ACCEPT;

  467. }

  468. 

  469. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  470. 	dp_blacklist *bl;

  471. 

  472. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  473. 

  474. 	if ( conf->debug ) printf("BL Check\n");

  475. 

  476. 	if ( bl ) {

  477. 

  478. 		if ( bl->expire > time(NULL) ) {

  479. 			if ( conf->debug ) printf("blacklisted!\n");

  480. 			return NF_DROP;

  481. 		}

  482. 	}

  483. 	return NF_ACCEPT;

  484. }