I don’t know about you, but as an ISP we’ve always faced the problem of crazy DHCP clients (v4 and v6) flooding our servers. While at Quickline we have a DHCP server with anti-flood mechanisms, it might not be the case for everyone.
This is why I wrote DHCP Protect. DHCP Protect works with the userspace API of Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6) packet and decide if it should be forwarded or not.
Don’t worry, iptables can be configured in a way that if the program is not working, it will ACCEPT the packets by default.
There are no packages available, but don’t be scared, it’s really simple to install and it will do all the systemd stuff for you! After make install it will already be running (you can also make uninstall which will delete everything and remove it from systemd).
git clone https://git.home.spale.com/dhcp_protect.git
sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev
sudo make install
And then you need the iptables/ip6tables rule:
iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass
(SAME queue number! the program can treat v4/v6 at the same time)
The program will log to syslog when it blacklists.
I’ve tested this with 10kpps and the CPU load of the program was about 4-6% on one core (AMD Ryzen 7 2700X).
There’s also a flooding Perl client in the repository to test the performance. It can do pseudo DHCPv4/DHCPv6, but since it’s pseudo, don’t use perftest.pl against a real DHCP server.
More information in the README -> https://git.home.spale.com/public/dhcp_protect
I’d be glad to get feedback! Is it useful? What additional features would you like to see?
Thanks for reading
See you at Swing#36
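As an added illustration (not code from DHCP Protect; its real source is in the repository linked above), the Python below sketches the per-client verdict logic such a filter applies to each queued packet: DHCPv4 is keyed on chaddr, DHCPv6 on the CLIENTID option, and a client that exceeds a sliding-window rate is blacklisted. The thresholds, the sample packets and the absence of the NFQUEUE plumbing are all assumptions of this example.

```python
import struct
from collections import deque
DHCPV4_MAGIC = b"\x63\x82\x53\x63"  # BOOTP magic cookie at offset 236

def client_key(payload):
    """Per-client key from a raw DHCP UDP payload, or None if not parsable.
    DHCPv4: chaddr at offset 28 (hlen bytes). DHCPv6: option 1 (CLIENTID)."""
    if len(payload) >= 240 and payload[236:240] == DHCPV4_MAGIC:
        hlen = payload[2]
        return b"v4:" + payload[28:28 + hlen] if 0 < hlen <= 16 else None
    if len(payload) >= 4 and 1 <= payload[0] <= 11:  # relay wrappers (12/13) not unwrapped
        off = 4  # skip msg-type(1) + transaction-id(3)
        while off + 4 <= len(payload):
            code, length = struct.unpack("!HH", payload[off:off + 4])
            if off + 4 + length > len(payload):
                return None  # truncated option
            if code == 1:
                return b"v6:" + payload[off + 4:off + 4 + length]
            off += 4 + length
    return None

class FloodGuard:
    """More than max_pkts from one client within window_s seconds blacklists it."""
    def __init__(self, max_pkts, window_s):
        self.max_pkts, self.window_s = max_pkts, window_s
        self.recent = {}  # client key -> deque of arrival timestamps
        self.blacklist = set()
    def verdict(self, payload, now):
        key = client_key(payload)
        if key is None:
            return "ACCEPT"  # not DHCP we understand: fail open, leave it to the server
        if key in self.blacklist:
            return "DROP"
        q = self.recent.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_pkts:
            self.blacklist.add(key)  # a daemon would syslog the blacklisting here
            return "DROP"
        return "ACCEPT"

# Constructed sample packets (not captures): minimal DHCPv4 DISCOVER and DHCPv6 SOLICIT.
def dhcpv4_discover(mac):
    fixed = struct.pack("!BBBBIHH16s16s", 1, 1, len(mac), 0, 0x1234, 0, 0x8000,
                        b"\0" * 16, mac.ljust(16, b"\0"))  # op..giaddr, chaddr
    return fixed + b"\0" * 192 + DHCPV4_MAGIC + b"\x35\x01\x01\xff"  # sname/file, cookie, DISCOVER, end
def dhcpv6_solicit(duid):
    return b"\x01\x00\x00\x01" + struct.pack("!HH", 1, len(duid)) + duid  # SOLICIT, xid, CLIENTID
```

In a real deployment the verdict would be returned to the kernel for the packet pulled from the NFQUEUE rules shown above, with the blacklist entries expiring after some time.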
The agenda is almost complete and we’re (almost) ready for the 14th of November.
Below is a preview of the agenda (in random order). You can also let us know what you expect or wish to hear by replying to the mailing list. The speakers are also listening ;-)
Please register now: https://register.swinog.ch/
30min | AI in Networking | Jörg Ammon (Extreme Networks)
AI is gaining momentum to solve problems that are difficult for humans as it requires analytics of huge amounts of data. This talk discusses attempts to apply similar methodology to problems in networking.
25min | The Future of Passive Multiplexing and Multiplexing Beyond 10G | Wouter van Diepen (Alturna Networks/Solid Optics)
The Future of Passive Multiplexing and Multiplexing Beyond 10G. In the past, it was easy to change your optical network from 1G to 10G by simply changing the transceiver, but what if you want to do more than 10G? What if you want to go beyond 80km? What are your options and why is there no QSFP28-DWDM-ZR? These are the central questions in this presentation. We will cover the 3 “ingredients” of Multiplexing: The Fiber, the Passive Mux, and the Transceiver, and talk about the limitations and possibilities of multiple times 100G over one fiber pair. We will also cover the following topics: The challenges that arise due to attenuation and chromatic dispersion; Different types of Multiplexers - Cascaded TFF and AWG (including Gaussian Fit and Flat Top); ITU Grids such as DWDM and the new LWDM band (often used for 5G deployment); Modulation & Coherent 100G/200G/400G; How to use QSFP28 DWDM PAM4; and what is coming in 2020 - 400G DWDM QSFP-DD. At the end of this talk, you will understand the future of 100G multiplexing and how it can fit into your network.
30min | the complexity of hyper speed transceivers – let’s make it | Thomas Weible (Flexoptix GmbH)
Thomas will describe in detail the structures inside optical transceivers. A Transmitter / Receiver Optical Sub Assembly (TOSA / ROSA) is no longer just a diode in a housing handling the light path to and from the fiber. The performance increases from 10G to 100G and onwards to 400G are not only giant steps in bandwidth; there are matching leaps in manufacturing.
How did the optical industry players around the globe make it possible to squeeze everything into the tiny form factors we see today? It is all about precision: a microscope with a calm and competent hand is no longer sufficient, now it is about nano tolerances, testing, complex transceiver firmware and a shed load of money.
This is the high precision optical mechanical engineering revolution which fuels the hyper growth of data centers and optical networking worldwide…
If you face design issues with your current optical network design, Thomas will give insights into the latest 40G to 400G transceiver developments (e.g. long distance 80km) which you can expect to see in the upcoming months. Hopefully this might save you some headaches. As a small “one more thing” Thomas will dive into the basics of how FEC compensates for errors caused by PAM4 modulation.
10min | RPKI, a piece of pie | Will van Gulik (Saitis - Nimag Networks / RomandIX)
RPKI is something we hear about everywhere nowadays. Is it hard to deploy?
30min | A new approach to select SIEM Use Cases by avoiding events per second estimations | Pascal Imthurn (ISPIN AG)
Did you ever experience the challenge of identifying the adequate SIEM use cases to fulfil not only the compliance-driven requirements but also the ability to have high security detection coverage from day one? How can you ensure you will detect all attacks, i.e. that you collect and analyse all required events to identify anomalies?
We will introduce a comprehensive approach to directly address the challenge of SIEM use case identification and selection. In addition, we explain the answer to the problem of having a high detection maturity from day one with a still price-efficient strategy and the capability to scale easily. Moreover, we present a recommended solution method to respond to attacks immediately, focused on the origin of the attack, and to be able to collect all relevant data for additional investigations.
10min | How to build a typical home network | Pascal Gloor (Quickline AG)
beyond and above all expectations
30min | NBIP | Pim van Stam (Infomaniak Network SA)
The director of NBIP will share the experience of setting up a multi-organization not-for-profit foundation to provide a DDoS mitigation and protection platform for national ISPs.
5min | Rheintal Internet Exchange | Thomas Fritz (Rheintal IX)
Short introduction of the small Internet Exchange in the Rheintal region spread over FL, AT and CH.
30min | Weird and broken BGP on the Internet | Martin Winter (Hurricane Electric)
The presentation gives a quick introduction to the RT-BGP tool (https://rt-bgp.he.net) and then we spend most of the time looking at issues seen with it. A few examples of weird and broken BGP announcements currently seen on the Internet by it are then discussed.
15min | Poor man's explanation why IPv6 is stalling in CH | Jean-Pierre Schwickerath (HILOTEC Engineering + Consulting AG)
As a service provider for SMEs, we rely on default ISP products for internet connectivity. The presentation will provide an overview of our experience with IPv6 on those products and where we believe improvements are (over)due.
20min | IP design and exploitation of Geneva city transport network | Gregoire Huet (TPG)
How the IP network for 700 vehicles has been designed. From hardware constraints to BGP implementation and up to TICK monitoring and alerting.
@Mobile IP, @BGP, @Linux, @Cisco, @NetModule, @Swisscom CNA, @SNMP, @TICK, @Grafana
15min | tbd/Cybersecurity | Levente Dobszay (Electrosuisse)
I’d like to thank our sponsors – without them we would have no SwiNOG !!!
Final agenda with Schedule will be published soon. Till then…
if anyone from SBB reads the swinog ml: it's very cool that you added an
AAAA record to sbb.ch. However it seems that only the HTTP, but not the
HTTPS port is open via IPv6. Logs are attached below.
Best regards from Glarus,
[20:31] diamond:~% curl -6 -I -v https://sbb.ch
* Trying 2a00:4bc0:ffff:ffff::c296:f58e:443...
* TCP_NODELAY set
* Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
[20:33] diamond:~% curl -6 -I -v http://sbb.ch
* Trying 2a00:4bc0:ffff:ffff::c296:f58e:80...
* TCP_NODELAY set
* Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 80 (#0)
> HEAD / HTTP/1.1
> Host: sbb.ch
> User-Agent: curl/7.66.0
> Accept: */*
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Sun, 20 Oct 2019 18:32:39 GMT
Date: Sun, 20 Oct 2019 18:32:39 GMT
< Server: Apache
< Location: https://sbb.ch/
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
* Connection #0 to host sbb.ch left intact