public
/
dhcp_protect
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
A userspace application that filters DHCP floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16 Commits
1 Branch
Tree: d95accc74b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd95accc74b'
${ noResults }
Pascal Gloor d95accc74b support for DHCPv6 5 years ago
Makefile fixed failing systemd commands 5 years ago
README.md rewritten ;) 5 years ago
dhcp_protect.c support for DHCPv6 5 years ago
dhcp_protect.conf logging info 5 years ago
dhcp_protect.h support for DHCPv6 5 years ago
dhcp_protect.service support for systemd 5 years ago
perftest.pl rewrote 5 years ago

README.md

DHCP Protect

DHCP Protect is a userspace application that filters DHCPv4 and DHCPv6 floods to protect a DHCP server. It uses the Netfilter userspace packet queuing API.

How it works

DHCP Protect receives every packet that enters the iptables NFQUEUE. It will count the number of queries sent by a client and if max_pkt_per_interval is reached within interval time, it will blacklist the client. While a client is blacklisted, the accounting continues, this means that when the blacklist_time is over and if the client continued to flood the DHCP server, the client will NOT be unblacklisted. The blacklist expiration time will be pushed forward as long as the client continues to flood.

What is a client?

DHCPv4

In DHCPv4 DHCP Protect will primarly look for option 82, suboption 2 (remoteID). If this is not available it will use the hardware address field.

DHCPv6

In DHCPv6 DHCP Protect will account based on the client DUID.

Installation

git clone https://git.home.spale.com/dhcp_protect.git
cd dhcp_protect
apt-get install build-essential uthash-dev libnetfilter-queue-dev
make all
make install

Note: the make install will automatically create, enable and start the systemd service and the make uninstall will stop and remove the systemd service.

Configuration

The configuration file may be tuned, but the defaults should be fine.

# max_pkt_per_interval
# maximum number of packets authorised per time interval.
max_pkt_per_interval=30

# interval
# measurement time interval in seconds.
interval=30

# debug
# enable debugging, warning, very verbose
debug=0

# blacklist_time
# number of seconds this client will be ignored once
# it exceeded the max_pkt_per_interval per interval
blacklist_time=55

# queue number
# refers to the queue-num of iptables.
# -A FORWARD -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
queue=67

# dryrun
# if dryrun is set to 1 it will accept all packets no matter what.
# this can be used for testing, syslog will still display the blacklisting
# actions.
# Set to 0 for production.
dryrun=0

Starting / Stopping

root@hostname:~/# systemd <start|stop|restart> dhcp_protect

Logging / Accounting

The program will log to system every blacklisting action to syslog.

Oct 23 16:50:18 router dhcp_protect[9706]: 00000000021b: blacklisting started
Oct 23 16:52:18 router dhcp_protect[9706]: 00000000021b: blacklisting ended