Hi Community,

I don’t know about you, but as an ISP we’ve always faced the problem of crazy 
DHCP clients (v4 and v6) flooding our servers. While at Quickline we have a 
DHCP server with anti-flood mechanisms, it might not be the case for everyone.

This is why I wrote DHCP Protect. DHCP Protect works with the userspace API of 
Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6) packet and 
decide if it should be forwarded or not.

Don’t worry, iptables can be configured in a way that if the program is not 
working, it will ACCEPT the packets by default.


There are no packages available, but don’t be scared, it’s really simple to 
install and it will do all the systemd stuff for you! After make install it 
will already be running (you can also make uninstall which will delete 
everything and remove it from systemd).

git clone https://git.home.spale.com/dhcp_protect.git
cd dhcp_protect
sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev
make all
sudo make install

That’s it.

And then you need the iptables/ip6tables rule:

iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass

(SAME queue number! the program can treat v4/v6 at the same time)

The program will log to syslog when it blacklists.

I’ve tested this with 10kpps and the CPU load of the program was about 4-6% on 
one core (AMD Ryzen 7 2700X).

There’s also a flooding perl client in the repository to test the performance. 
It can do pseudo DHCPv4/DHCPv6, but since it’s pseudo, don’t use the 
perftest.pl against a real DHCP server.


More information in the README -> https://git.home.spale.com/public/dhcp_protect

I’d be glad of feedback! Is it useful? What additional features would you like 
to see?

Thanks for reading
See you at Swing#36

Pascal
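As an added illustration of the decision the post describes (a userspace program that sees every queued DHCP packet and returns an accept/drop verdict, logging when it blacklists), here is a small Python model of a per-client rate limiter. It is my own sketch for readers of this thread, not code from the DHCP Protect repository, which is written in C against libnetfilter_queue and uthash. The thresholds (packets per window, ban duration), the choice of client identifier (DHCPv4 chaddr, DHCPv6 Client Identifier DUID) and the packet bytes are all constructed assumptions; the NFQUEUE plumbing itself is left out, so the model only mirrors the fail-open behaviour of --queue-bypass by accepting anything it cannot parse.

```python
import struct
import time
from collections import deque

# Verdict names stand in for the NF_ACCEPT / NF_DROP values a NFQUEUE program returns.
NF_ACCEPT, NF_DROP = "ACCEPT", "DROP"


def dhcp_client_id(family, payload):
    """Return a hashable client identifier from a raw DHCP UDP payload, or None.

    family 4: DHCPv4/BOOTP; the identifier is the hardware address (chaddr, offset 28,
              hlen bytes, capped at 16).
    family 6: DHCPv6; the identifier is the DUID in option 1 (Client Identifier), found
              by walking the option list after the 4-byte message header.
    """
    if family == 4 and len(payload) >= 236 and payload[0] in (1, 2):  # op: 1 request, 2 reply
        hlen = min(payload[2], 16)
        return ("v4", payload[28:28 + hlen])
    if family == 6 and len(payload) >= 4:
        off = 4
        while off + 4 <= len(payload):
            code, length = struct.unpack_from("!HH", payload, off)
            off += 4
            if code == 1 and off + length <= len(payload):
                return ("v6", payload[off:off + length])
            off += length
    return None


class DhcpRateLimiter:
    """Sliding-window limiter: more than max_packets from one client within `window`
    seconds blacklists that client for ban_seconds. `now` is injectable for testing."""

    def __init__(self, max_packets=10, window=1.0, ban_seconds=60.0, now=time.monotonic):
        self.max_packets = max_packets
        self.window = window
        self.ban_seconds = ban_seconds
        self.now = now
        self.history = {}    # client id -> deque of recent arrival timestamps
        self.blacklist = {}  # client id -> ban expiry timestamp
        self.log = []        # lines a real daemon would hand to syslog

    def verdict(self, family, payload):
        cid = dhcp_client_id(family, payload)
        if cid is None:
            return NF_ACCEPT  # unparseable: fail open and let the DHCP server decide
        t = self.now()
        expiry = self.blacklist.get(cid)
        if expiry is not None:
            if t < expiry:
                return NF_DROP
            del self.blacklist[cid]  # ban has expired; start with a clean history
        q = self.history.setdefault(cid, deque())
        q.append(t)
        while q and q[0] <= t - self.window:  # forget arrivals outside the window
            q.popleft()
        if len(q) > self.max_packets:
            self.blacklist[cid] = t + self.ban_seconds
            del self.history[cid]
            self.log.append("blacklisted %s client %s for %.0fs: %d packets in %.0fs"
                            % (cid[0], cid[1].hex(), self.ban_seconds, len(q), self.window))
            return NF_DROP
        return NF_ACCEPT


# Constructed sample packets (no real client data), just enough for the parser above.
def dhcpv4_discover(mac):
    """236-byte BOOTP header + magic cookie + option 53 (DHCPDISCOVER) + end option."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(mac), 0, 0x12345678, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac + b"\0" * (16 - len(mac)), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


def dhcpv6_solicit(duid):
    """DHCPv6 SOLICIT (msg-type 1, 3-byte transaction id) with OPTION_ELAPSED_TIME (8)
    deliberately placed before OPTION_CLIENTID (1) so the option walk is exercised."""
    hdr = b"\x01" + b"\xab\xcd\xef"
    elapsed = struct.pack("!HHH", 8, 2, 0)
    client_id = struct.pack("!HH", 1, len(duid)) + duid
    return hdr + elapsed + client_id


if __name__ == "__main__":
    clock = {"t": 100.0}
    lim = DhcpRateLimiter(max_packets=5, window=1.0, ban_seconds=60.0, now=lambda: clock["t"])
    flood = dhcpv4_discover(bytes.fromhex("001122334455"))
    print([lim.verdict(4, flood) for _ in range(8)])  # 5 ACCEPT, then DROP
    print(lim.verdict(6, dhcpv6_solicit(bytes.fromhex("000100012a3b4c5d001122334455"))))
    print(lim.log)
```

The lookup keyed on a client identifier rather than the source address is the point worth noting for DHCP: DHCPv4 DISCOVERs arrive from 0.0.0.0 and DHCPv6 traffic from link-local addresses or a relay, so per-IP limiting would either be useless or punish every client behind one relay.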
_______________________________________________
swinog mailing list
[email protected]
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog