public
/
dhcp_protect
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25 Commits
1 Branch
Tree: b9d5197413
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b9d5197413'
${ noResults }
dhcp_protect/dhcp_protect.c

dhcp_protect.c 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554 
  1. //   DHCP Protect

  2. //

  3. //   Copyright 2019 Pascal Gloor

  4. //

  5. //   Licensed under the Apache License, Version 2.0 (the "License");

  6. //   you may not use this file except in compliance with the License.

  7. //   You may obtain a copy of the License at

  8. //

  9. //     http://www.apache.org/licenses/LICENSE-2.0

  10. //

  11. //   Unless required by applicable law or agreed to in writing, software

  12. //   distributed under the License is distributed on an "AS IS" BASIS,

  13. //   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. //   See the License for the specific language governing permissions and

  15. //   limitations under the License.

  16. 

  17. 

  18. #include <stdio.h>

  19. #include <stdlib.h>

  20. #include <string.h>

  21. #include <unistd.h>

  22. #include <stdint.h>

  23. #include <errno.h>

  24. #include <time.h>

  25. #include <stdarg.h>

  26. #include <syslog.h>

  27. #include <arpa/inet.h>

  28. 

  29. #include <linux/netfilter.h>

  30. #include <libnetfilter_queue/libnetfilter_queue.h>

  31. 

  32. #include <uthash.h>

  33. 

  34. #include "dhcp_protect.h"

  35. 

  36. // main function

  37. int main(int argc, char **argv) {

  38. 	char *configfile;

  39. 	dp_conf conf;

  40. 

  41. 	if ( argc == 2 ) {

  42. 		configfile = argv[1];

  43. 	}

  44. 	else {

  45. 		dp_usage(argv[0]);

  46. 		return EXIT_FAILURE;

  47. 	}

  48. 

  49. 	if ( dp_load_config(&conf, configfile) == NULL )

  50. 		return EXIT_FAILURE;

  51. 

  52. 	openlog("dhcp_protect", LOG_PID, LOG_DAEMON);

  53. 

  54. 	dp_nfq_start(&conf);

  55. 

  56. 	return 0;

  57. }

  58. 

  59. // syslog function

  60. void dp_log(unsigned char *remoteid, int remoteidlen, char *fmt, ...) {

  61. 	va_list argList;

  62. 	char buf[1000];

  63. 	int offset = remoteidlen*2;

  64. 	int i;

  65. 

  66. 	for(i=0; i<remoteidlen; i++) {

  67. 		sprintf(buf+(i*2), "%02x", remoteid[i]);

  68. 	}

  69. 	buf[offset]=':'; offset++;

  70. 	buf[offset]=' '; offset++;

  71. 

  72. 	va_start(argList, fmt);

  73. 	vsnprintf(buf+offset, sizeof(buf)-offset-1, fmt, argList);

  74. 	va_end(argList);

  75. 

  76. 	syslog(LOG_DAEMON|LOG_INFO, "%s", buf);

  77. }

  78. 

  79. // start netfilter queue

  80. void dp_nfq_start(dp_conf *conf) {

  81. 	struct nfq_handle *h;

  82. 	struct nfq_q_handle *qh;

  83. 	int fd;

  84. 

  85. 	if ( ( h = nfq_open() ) == NULL ) {

  86. 		fprintf(stderr,"error during nfq_open() %s\n", strerror(errno));

  87. 		return;

  88. 	}

  89. 

  90. 	if ( ( qh = nfq_create_queue(h, conf->queue, &dp_callback, conf) ) == NULL ) {

  91. 		fprintf(stderr, "error during nfq_create_queue() %s\n", strerror(errno));

  92. 		return;

  93. 	}

  94. 

  95. 	if ( nfq_set_mode(qh, NFQNL_COPY_PACKET, 1500) < 0 ) {

  96. 		fprintf(stderr,"error during nfq_set_mode() %s\n", strerror(errno));

  97. 		return;

  98. 	}

  99. 

  100. 	if ( nfq_set_queue_flags(qh, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN) < 0 ) {

  101. 		fprintf(stderr,"error during nfq_set_queue_flags() %s\n", strerror(errno));

  102. 		return;

  103. 	}

  104. 

  105. 	fd = nfq_fd(h);

  106. 

  107. 	while(1) {

  108. 		static char buf[65536];

  109. 		int rv;

  110. 

  111. 		rv = recv(fd, buf, sizeof(buf), 0);

  112. 

  113. 		switch(rv) {

  114. 			case -1:

  115. 				fprintf(stderr, "recv() error: %s\n", strerror(errno));

  116. 				return;

  117. 			case 0:

  118. 				fprintf(stderr,"socket is closed!?\n");

  119. 				return;

  120. 			default:

  121. 				// send packet to callback

  122. 				nfq_handle_packet(h, buf, rv);

  123. 				break;

  124. 		}

  125. 	}

  126. }

  127. 

  128. // display usage

  129. void dp_usage(char *prog) {

  130. 	fprintf(stderr,"Usage: %s <configuration file>\n",prog);

  131. }

  132. 

  133. 

  134. // load configuration file

  135. dp_conf *dp_load_config(dp_conf *conf, char *file) {

  136. 	FILE *fh;

  137. 	char *line = NULL;

  138. 	size_t len = 0;

  139. 	int error = 0;

  140. 

  141. 	printf("Loading configuration %s\n",file);

  142. 	

  143. 

  144. 	if ( ( fh = fopen(file,"r") ) == NULL ) {

  145. 		fprintf(stderr,"Failed to open configuration file '%s': %s\n", file, strerror(errno));

  146. 		return NULL;

  147. 	}

  148. 

  149. 	while (getline(&line, &len, fh) != -1) {

  150. 		char *name, *value;

  151. 

  152. 		name  = strtok(line, "=\r\n ");

  153. 		value = strtok(NULL,"=\r\n ");

  154. 

  155. 		if ( name == NULL || value == NULL || name[0] == '#' )

  156. 			continue;

  157. 

  158. 		if ( strcmp(name,"max_pkt_per_interval")==0 )

  159. 			conf->pktint = atoi(value);

  160. 		else if ( strcmp(name,"interval")==0 )

  161. 			conf->interval = atoi(value);

  162. 		else if ( strcmp(name, "debug")==0 )

  163. 			conf->debug = atoi(value) ? 1 : 0;

  164. 		else if ( strcmp(name, "blacklist_time")==0 )

  165. 			conf->bltime = atoi(value);

  166. 		else if ( strcmp(name, "queue")==0 )

  167. 			conf->queue = atoi(value);

  168. 		else if ( strcmp(name, "dryrun")==0 )

  169. 			conf->dryrun = atoi(value) ? 1 : 0;

  170. 		else

  171. 			fprintf(stderr,"unknown directive '%s', ignored\n", name);

  172. 

  173. 		free(line);

  174. 	}

  175. 	fclose(fh);

  176. 

  177. 	if ( conf->pktint < 1 || conf->pktint > 1000 ) {

  178. 		fprintf(stderr,"max_pkt_per_interval value invalid (min 1, max 1000)\n");

  179. 		error=1;

  180. 	}

  181. 	if ( conf->interval < 5 || conf->interval > 900 ) {

  182. 		fprintf(stderr,"interval value invalid (min 5, max 900)\n");

  183. 		error=1;

  184. 	}

  185. 	if ( conf->debug < 0 || conf->debug > 1 ) {

  186. 		fprintf(stderr,"debug value invalid (0 or 1)\n");

  187. 		error=1;

  188. 	}

  189. 	if ( conf->bltime < 10 || conf->bltime > 900 ) {

  190. 		fprintf(stderr,"blacklist_time value invalid (min 10, max 900)\n");

  191. 		error=1;

  192. 	}

  193. 	if ( conf->queue < 0 ) {

  194. 		fprintf(stderr,"queue must be a positive integer\n");

  195. 		error=1;

  196. 	}

  197. 	if ( conf->dryrun < 0 || conf->dryrun > 1 ) {

  198. 		fprintf(stderr, "dryrun value invalid (0 or 1)\n");

  199. 		error=1;

  200. 	}

  201. 

  202. 	if ( error )

  203. 		return NULL;

  204. 

  205. 	printf("Configuration:\n");

  206. 	printf("\t%-20s = %4s\n", "dryrun", conf->dryrun ? "Yes" : "No");

  207. 	printf("\t%-20s = %4s\n", "debug", conf->debug ? "Yes" : "No" );

  208. 	printf("\t%-20s = %4is\n", "interval", conf->interval);

  209. 	printf("\t%-20s = %4i\n", "max_pkt_per_interval", conf->pktint);

  210. 	printf("\t%-20s = %4is\n", "blacklist_time", conf->bltime);

  211. 	printf("\t%-20s = %4i\n", "queue", conf->queue);

  212. 

  213. 

  214. 	return conf;

  215. }

  216. 

  217. // decode dhcp packet

  218. int dp_dhcp_check(struct nfq_data *nfa, dp_conf *conf) {

  219. 	unsigned char *pkt;

  220. 	int pktlen;

  221. 	int offset = 0;

  222. 	unsigned char *remoteid = NULL;

  223. 	int remoteidlen = 0;

  224. 	int rv = NF_ACCEPT;

  225. 

  226. 	pktlen = nfq_get_payload(nfa, &pkt);

  227. 

  228. 	if ( conf->debug ) printf("got a packet, len = %i\n", pktlen);

  229. 

  230. 	// can we read the IP proto and IP header length ?

  231. 	if ( pktlen > 0 ) {

  232. 		uint8_t ipver;

  233. 		uint8_t ihl;

  234. 

  235. 		ipver = pkt[offset];

  236. 		ipver >>= 4;

  237. 		ihl   = pkt[offset];

  238. 		ihl  &= 0x0f;

  239. 

  240. 		if ( ipver == 4 ) {

  241. 			// jump to DHCPv4

  242. 			offset += ( ihl * 4 ) + 8;

  243. 			dp_dhcpv4_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  244. 		}

  245. 		else if ( ipver == 6 ) {

  246. 			// jump to DHCPv6

  247. 			offset += 40 + 8;

  248. 			dp_dhcpv6_check(conf, pkt, pktlen, offset, &remoteid, &remoteidlen);

  249. 		}

  250. 		else {		

  251. 			if ( conf->debug ) printf("not an IPv4 packet\n");

  252. 			goto end;

  253. 		}

  254. 	}

  255. 

  256. 	if ( remoteidlen>0 ) {

  257. 		if ( conf->debug ) {

  258. 			int i;

  259. 			printf("remoteid: ");

  260. 			for(i=0; i<remoteidlen; i++)

  261. 				printf("%02x", remoteid[i]);

  262. 			printf("\n");

  263. 		}

  264. 		// count the packet, even when blacklisted.

  265. 		dp_accounting_add(conf, remoteid, remoteidlen);

  266. 

  267. 		// check if already in the blacklist

  268. 		if ( dp_blacklist_check(conf, remoteid, remoteidlen) == NF_DROP )

  269. 			rv = NF_DROP;

  270. 

  271. 		// check if it must be added to the blacklist

  272. 		else if ( dp_accounting_check(conf, remoteid, remoteidlen) == NF_DROP ) {

  273. 			dp_blacklist_add(conf, remoteid, remoteidlen);

  274. 			rv = NF_DROP;

  275. 		}

  276. 	}

  277. 

  278. 	end:

  279. 

  280. 	dp_hash_cleanup(conf);

  281. 

  282. 	return rv;

  283. }

  284. 

  285. void dp_dhcpv6_check(dp_conf *conf, unsigned char *pkt, int pktlen, int offset, unsigned char **remoteid, int *remoteidlen) {

  286. 

  287. 	while(offset<pktlen) {

  288. 		uint8_t msgtype = (uint8_t)pkt[offset];

  289. 

  290. 		switch(msgtype) {

  291. 			case 11: // RELAY-FORW

  292. 			case 12: // RELAY-REPL

  293. 				offset += 2 + 16 + 16; // msg-type, hop-count, link-addr, peer-addr

  294. 				break;

  295. 			default: // all other msgtypes

  296. 				offset += 2; // msg-type, hop-count

  297. 		}

  298. 

  299. 		while(offset+1<pktlen) {

  300. 			uint8_t code = (uint8_t)pkt[offset];

  301. 			uint8_t len  = (uint8_t)pkt[offset+1];

  302. 

  303. 			offset+=2;

  304. 

  305. 			if ( code == 1 ) { // Client identifier / DUID

  306. 				// make sure there's enough space

  307. 				if ( offset + len <= pktlen ) {

  308. 					*remoteid = pkt+offset;

  309. 					*remoteidlen = len;

  310. 					break;

  311. 				}

  312. 			}

  313. 			offset+=len;

  314. 		}

  315. 

  316. 		if ( *remoteidlen>0 )

  317. 			break;

  318. 	}

  319. }

  320. 

  321. 

  322. void dp_dhcpv4_check(dp_conf *conf, unsigned char *pkt, int pktlen, int offset, unsigned char **remoteid, int *remoteidlen) {

  323. 	int hwaddrpos = offset + 28; // remember where the hw addr is if we need to fallback to it

  324. 	int hwlenpos = offset + 2;   // remember where the hw addr len is if we need to fallback to it

  325. 

  326. 	// jump DHCP header

  327. 	offset += 28 + 16 + 64 + 128;

  328. 

  329. 	// minimum packet size, fixed header + magic cookie (4 octets)

  330. 	if ( pktlen < offset + 4 ) {

  331. 		if ( conf->debug ) printf("packet too small\n");

  332. 		return;

  333. 	}

  334. 

  335. 	// check magic cookie

  336. 	if ( pkt[offset] != 99 || pkt[offset+1] != 130 || pkt[offset+2] != 83 || pkt[offset+3] != 99 ) {

  337. 		if ( conf->debug )

  338. 			printf(

  339. 				"invalid magic cookie %02x%02x%02x%02x\n",

  340. 				pkt[offset], pkt[offset+1],

  341. 				pkt[offset+2], pkt[offset+3]);

  342. 		return;

  343. 	}

  344. 	offset+=4;

  345. 

  346. 

  347. 	// parse TLV options

  348. 	while(offset<pktlen && remoteidlen==0) {

  349. 		uint8_t type = pkt[offset];

  350. 		uint8_t len;

  351. 

  352. 		offset++;

  353. 

  354. 		// padding of 1 octet

  355. 		if ( type == 0 ) {

  356. 			continue;

  357. 		}

  358. 

  359. 		// end of options

  360. 		if ( type == 255 )

  361. 			break;

  362. 

  363. 		// make sure we can read len

  364. 		if ( offset>=pktlen )

  365. 			break;

  366. 

  367. 		len = pkt[offset];

  368. 		offset++;

  369. 

  370. 		// can the value be read

  371. 		if ( offset+len>pktlen )

  372. 			break;

  373. 

  374. 		// option 82 parser

  375. 		if ( type == 82 ) {

  376. 			unsigned char *o82 = pkt+offset;

  377. 			int o82off = 0;

  378. 

  379. 			// loop until the end, +2 to ensure we can read type and length

  380. 			while(o82off+2<len && remoteidlen==0) {

  381. 				uint8_t otype = o82[o82off];

  382. 				uint8_t olen  = o82[o82off+1];

  383. 				o82off+=2;

  384. 

  385. 				// printf("o82 type=%i len=%i\n", otype, olen);

  386. 

  387. 				// remoteid

  388. 				if ( otype == 2 ) {

  389. 					// make sure we don't overflow and can read all data

  390. 					if ( o82off + olen > len ) {

  391. 						if ( conf->debug) printf("option 82.2 data too long\n");

  392. 						break;

  393. 					}

  394. 					else {

  395. 						*remoteid = o82 + o82off;

  396. 						*remoteidlen = olen;

  397. 					}

  398. 				}

  399. 

  400. 				o82off+=olen;

  401. 			}

  402. 		}

  403. 

  404. 		offset+=len;

  405. 	}

  406. 

  407. 	// if we didn't find opt82.2, we fallback to the hw addr

  408. 	if ( *remoteidlen == 0 ) {

  409. 		// nope, we won't overflow

  410. 		if ( (uint8_t)pkt[hwlenpos] <= 16 ) {

  411. 			*remoteid = pkt+hwaddrpos;

  412. 			*remoteidlen = (uint8_t)pkt[hwlenpos];

  413. 		}

  414. 	}

  415. }

  416. 

  417. // netfilter queue callback

  418. static int dp_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) {

  419. 	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);

  420. 	dp_conf *conf = (dp_conf*)data;

  421. 	int id = -1;

  422. 	int verdict;

  423. 

  424. 	if ( ph ) {

  425. 		id = ntohl (ph->packet_id);

  426. 		if ( conf->debug ) printf ("received packet with id %d\n", id);

  427. 	}

  428. 

  429. 	verdict = dp_dhcp_check(nfa, conf); /* Treat packet */

  430. 

  431. 	// override decision for dryrun

  432. 	if ( conf->dryrun )

  433. 		verdict = NF_ACCEPT;

  434. 

  435. 	return nfq_set_verdict(qh, id, verdict, 0, NULL); /* Verdict packet */

  436. }

  437. 

  438. void dp_accounting_add(dp_conf *conf, unsigned char *remoteid, int len) {

  439. 	//int i;

  440. 	dp_accounting *ac;

  441. 

  442. 	// does the element already exist

  443. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  444. 

  445. 	if ( conf->debug ) printf("AC: add item\n");

  446. 

  447. 	// found it, increment the counter

  448. 	if ( ac ) {

  449. 		if ( conf->debug ) printf("AC: item found, incrementing\n");

  450. 		ac->count++;

  451. 	}

  452. 	// not found, create a new one

  453. 	else {

  454. 		if ( conf->debug ) printf("AC: item not found, creating\n");

  455. 		ac = malloc(sizeof(dp_accounting));

  456. 

  457. 		memcpy(ac->remoteid, remoteid, len);

  458. 		ac->len = len;

  459. 		ac->count = 1;

  460. 

  461. 		HASH_ADD(hh, accountings, remoteid, len, ac);

  462. 	}

  463. }

  464. 

  465. void dp_blacklist_add(dp_conf *conf, unsigned char *remoteid, int len) {

  466. 	dp_blacklist *bl;

  467. 

  468. 	// alrady exists?

  469. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  470. 

  471. 	if ( conf->debug ) printf("BL: add item\n");

  472. 

  473. 	// found an entry, push the expiration further

  474. 	if ( bl ) {

  475. 		if ( conf->debug ) printf("BL: item found -> pushing further\n");

  476. 		bl->expire = time(NULL) + conf->bltime;

  477. 	}

  478. 	// not found, create a new one

  479. 	else {

  480. 		if ( conf->debug ) printf("BL: item not found, new entry in BL\n");

  481. 		dp_log(remoteid, len, "blacklisting started");

  482. 		bl = malloc(sizeof(dp_blacklist));

  483. 		memcpy(bl->remoteid, remoteid, len);

  484. 		bl->len = len;

  485. 		bl->expire = time(NULL) + conf->bltime;

  486. 		HASH_ADD(hh, blacklists, remoteid, len, bl);

  487. 	}

  488. }

  489. 

  490. void dp_hash_cleanup(dp_conf *conf) {

  491. 	dp_accounting *ac, *actmp;

  492. 	dp_blacklist *bl, *bltmp;

  493. 

  494. 	// is it time to cleanup the list?

  495. 	// cleanup every conf->interval seconds 

  496. 	if ( dp_accountingtime + conf->interval < time(NULL) ) {

  497. 		if ( conf->debug ) printf("cleanup interval\n");

  498. 		dp_accountingtime = time(NULL);

  499. 		HASH_ITER(hh, accountings, ac, actmp) {

  500. 			HASH_DEL(accountings, ac);

  501. 			free(ac);

  502. 		}

  503. 	}

  504. 

  505. 	// blacklist cleanup check every 1 sec

  506. 	if ( dp_cleanuptime < time(NULL) ) {

  507. 		if ( conf->debug ) printf("cleanup BL\n");

  508. 		dp_cleanuptime = time(NULL);

  509. 		HASH_ITER(hh, blacklists, bl, bltmp) {

  510. 			if ( bl->expire < time(NULL) ) {

  511. 				dp_log(

  512. 					bl->remoteid, bl->len, 

  513. 					"blacklisting ended");

  514. 				HASH_DEL(blacklists, bl);

  515. 				free(bl);

  516. 			}

  517. 		}

  518. 	}

  519. }

  520. 

  521. int dp_accounting_check(dp_conf *conf, unsigned char *remoteid, int len) {

  522. 	dp_accounting *ac;

  523. 

  524. 	HASH_FIND(hh, accountings, remoteid, len, ac);

  525. 

  526. 	if ( conf->debug ) printf("AC Check\n");

  527. 

  528. 	if ( ac ) {

  529. 		if(conf->debug) printf("AC Check: found item %i > %i ?\n", ac->count, conf->pktint);

  530. 

  531. 		if ( ac->count > conf->pktint ) {

  532. 			if(conf->debug) printf("flood detected!\n");

  533. 			return NF_DROP;

  534. 		}

  535. 	}

  536. 	return NF_ACCEPT;

  537. }

  538. 

  539. int dp_blacklist_check(dp_conf *conf, unsigned char *remoteid, int len) {

  540. 	dp_blacklist *bl;

  541. 

  542. 	HASH_FIND(hh, blacklists, remoteid, len, bl);

  543. 

  544. 	if ( conf->debug ) printf("BL Check\n");

  545. 

  546. 	if ( bl ) {

  547. 

  548. 		if ( bl->expire > time(NULL) ) {

  549. 			if ( conf->debug ) printf("blacklisted!\n");

  550. 			return NF_DROP;

  551. 		}

  552. 	}

  553. 	return NF_ACCEPT;

  554. }