Out of curiosity, did ya inquire with the ISC folks about adding such "rate limiting" functionality to Kea? It's under fairly active development and they seem responsive to user community.
--Matt

On Fri, Oct 25, 2019 at 4:18 AM Pascal Gloor <[email protected]> wrote:
> Hi Community,
>
> NOTE: I hope this post is appropriate in this mailing list, please let me
> know if it isn’t.
>
> I don’t know about you, but as an ISP we’ve always faced the problem of
> crazy DHCP clients (v4 and v6) flooding our servers. While at my employer
> we have a proprietary DHCP server with anti-flood mechanisms, it might not
> be the case for everyone.
>
> This is why I wrote DHCP Protect. DHCP Protect works with the userspace
> API of Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6)
> packet and decide if it should be forwarded or not.
>
> Don’t worry, iptables can be configured in a way that if the program is
> not working, it will ACCEPT the packets by default.
>
> There are no packages available, but don’t be scared, it’s really simple
> to install and it will do all the systemd stuff for you! After make install
> it will already be running (you can also make uninstall, which will delete
> everything and remove it from systemd).
>
> git clone https://git.home.spale.com/dhcp_protect.git
> cd dhcp_protect
> sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev
> make all
> sudo make install
>
> That’s it.
>
> And then you need the iptables/ip6tables rule:
>
> iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
> ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass
>
> (SAME queue number! The program can treat v4/v6 at the same time.)
>
> It doesn’t need to be on the DHCP server itself, it can also be run on the
> path; in that case replace INPUT by FORWARD.
>
> The program will log to syslog when it blacklists.
>
> I’ve tested this with 10kpps and the CPU load of the program was about
> 4-6% on one core (AMD Ryzen 7 2700X).
>
> There’s also a flooding perl client in the repository to test the
> performance. It can do pseudo DHCPv4/DHCPv6, but since it’s pseudo, don’t
> use the perftest.pl against a real DHCP server.
>
> More information in the README ->
> https://git.home.spale.com/public/dhcp_protect
>
> I’d be glad of feedback! Is it useful? What additional features would you
> like to see?
>
> Thanks for reading
> Pascal
>
> _______________________________________________
> opensource-wg mailing list
> [email protected]
> https://lists.ripe.net/mailman/listinfo/opensource-wg
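The quoted post describes the decision DHCP Protect makes on every queued packet: identify the DHCPv4/DHCPv6 client, count its requests, and blacklist (drop) it once it floods, logging the event. The following is an added, self-contained Python model of that per-client verdict logic; it is not code from the dhcp_protect repository and does not use NFQUEUE. It parses the client identity directly from the UDP payload (the chaddr field for DHCPv4, the Client Identifier DUID option for DHCPv6), keeps a sliding window per client, and returns ACCEPT or DROP the way a queue handler would. The thresholds, the ban duration, the packet builders and the simulated traffic are all constructed here for illustration and are not the tool's defaults.

```python
import struct
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

DHCPV4_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236


def dhcpv4_client_id(payload: bytes) -> Optional[bytes]:
    """Return the chaddr (client hardware address) of a DHCPv4 message, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCPV4_MAGIC:
        return None
    hlen = payload[2]                # hardware address length
    if hlen == 0 or hlen > 16:
        return None
    return payload[28:28 + hlen]     # chaddr starts at offset 28


def dhcpv6_client_id(payload: bytes) -> Optional[bytes]:
    """Return the DUID from the DHCPv6 Client Identifier option (code 1), or None if absent/malformed."""
    pos = 4                          # msg-type (1 byte) + transaction-id (3 bytes)
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            return None              # truncated option
        if code == 1:
            return payload[pos:pos + length]
        pos += length
    return None


class DhcpFlowGuard:
    """Per-client sliding-window limiter: more than max_per_window packets in window_s => ban for ban_s."""

    def __init__(self, max_per_window: int = 20, window_s: float = 10.0, ban_s: float = 300.0):
        self.max_per_window, self.window_s, self.ban_s = max_per_window, window_s, ban_s
        self.windows: Dict[Tuple[int, bytes], Deque[float]] = {}
        self.banned: Dict[Tuple[int, bytes], float] = {}
        self.log: List[str] = []     # stands in for the syslog lines the real tool emits

    def verdict(self, family: int, payload: bytes, now: float) -> str:
        cid = dhcpv4_client_id(payload) if family == 4 else dhcpv6_client_id(payload)
        if cid is None:
            return "DROP"            # not parseable as DHCP; the server would discard it anyway
        key = (family, cid)
        until = self.banned.get(key)
        if until is not None:
            if now < until:
                return "DROP"        # still blacklisted
            del self.banned[key]     # ban expired, start counting afresh
        q = self.windows.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()              # forget packets that fell out of the window
        if len(q) > self.max_per_window:
            self.banned[key] = now + self.ban_s
            del self.windows[key]
            self.log.append(f"blacklisted v{family} client {cid.hex()} for {self.ban_s:.0f}s "
                            f"({len(q)} pkts in {self.window_s:.0f}s)")
            return "DROP"
        return "ACCEPT"


# Constructed sample packets (minimal DISCOVER / SOLICIT), only for the simulation below.
def build_dhcpv4_discover(mac: bytes, xid: int = 0x12345678) -> bytes:
    hdr = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    addrs = b"\x00" * 16             # ciaddr, yiaddr, siaddr, giaddr
    chaddr = mac.ljust(16, b"\x00")
    options = DHCPV4_MAGIC + b"\x35\x01\x01" + b"\xff"               # message type = DISCOVER, end
    return hdr + addrs + chaddr + b"\x00" * 64 + b"\x00" * 128 + options


def build_dhcpv6_solicit(duid: bytes, xid: bytes = b"\x00\x00\x01") -> bytes:
    return b"\x01" + xid + struct.pack("!HH", 1, len(duid)) + duid   # msg-type SOLICIT + Client ID option


def simulate() -> Tuple[int, int, List[str]]:
    """One polite v4 client (1 pps) and one flooding v6 client (100 pps); returns (accepted, dropped, log)."""
    guard = DhcpFlowGuard(max_per_window=5, window_s=1.0, ban_s=60.0)
    polite = build_dhcpv4_discover(bytes.fromhex("001122334455"))
    flood = build_dhcpv6_solicit(b"\x00\x03\x00\x01\xde\xad\xbe\xef\x00\x01")
    accepted = dropped = 0
    t0 = 1000.0
    for i in range(20):
        for family, pkt, when in ((4, polite, t0 + i), (6, flood, t0 + i * 0.01)):
            if guard.verdict(family, pkt, when) == "ACCEPT":
                accepted += 1
            else:
                dropped += 1
    # After the ban expires the flooding client is allowed to try again.
    if guard.verdict(6, flood, t0 + 61.0) == "ACCEPT":
        accepted += 1
    return accepted, dropped, guard.log


if __name__ == "__main__":
    acc, drop, log = simulate()
    print(f"accepted={acc} dropped={drop}")
    for line in log:
        print(line)
```

Keying on the client identifier rather than the source address matters because DHCPv4 DISCOVERs arrive from 0.0.0.0 and relayed traffic shares the relay's address; it also means a single host that spoofs many identifiers is not caught by this check alone, which is where counting per relay or per interface would complement it.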
