Packet flood protection

In the ALOHA, the component responsible for protecting against floods and low-layer attacks is named packetshield.

Introduction

Packetshield is developed as a kernel module. Its code runs between the network driver and the kernel.

This means that all rules configured in Packetshield apply before any other processing in the ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, etc.).

Packetshield is multicore-capable and is configured through the Linux virtual filesystem sysfs, mounted at /sys/.

Packetshield Overview

Packetshield works like a stateful firewall able to process packets at wire speed.

It is split into two components:

  1. instance: an instance is associated with physical interfaces and owns contexts
  2. context: a rule set applied to destination IPs (and optionally a VLAN tag)

The diagram below shows how an incoming packet is treated when it enters an ALOHA where Packetshield is active:

                    <------- packetshield ------->
physical interface ===> instance ========> context ====> system
                   (1)              (2)             (3)
  1. the packet comes in through a physical network interface. It crosses the interface itself and the driver delivers it to the Packetshield instance associated with this interface
  2. based on the destination IP address, or destination IP + VLAN tag, a context is selected and its rules are applied
  3. if the packet successfully passes all the protection rules, it is delivered to the system (ALOHA's kernel)

Packet processing in Packetshield

When processing packets, Packetshield applies different types of rules, in the following order.

  1. drop of invalid packets (enabled by default, not configurable)

  2. blacklisting per source IP

  3. whitelisting per source IP, protocol, destination TCP port or destination UDP port

  4. destination TCP port protection (based on known sessions, TTLs, SYN cookies, etc.)

    Note

    The first rule that matches the packet stops its processing.
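The context lookup and the rule order described above, written out as a small Python model. This is an added example, not Packetshield's code: it uses plain Python sets in place of the sysfs lists, its "invalid packet" check is only a range check on protocol and port numbers (Packetshield's exact set of checks is not documented), and it tries the IP@vlan context before the bare IP context, which is an assumption because the page does not state that precedence. The DNS-response exception for UDP and the SYN cookie / TTL checks behind the protected-port stage are not modelled; a packet reaching that stage is reported as PROTECT. The sample instance and packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                  # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0
    vlan: Optional[int] = None  # 802.1Q tag carried by the frame, None when untagged


@dataclass
class Context:
    """Rule set of one context; plain sets stand in for the sysfs lists (model's assumption)."""
    name: str
    b_sources: set = field(default_factory=set)     # blacklisted source IPs
    w_sources: set = field(default_factory=set)     # whitelisted source IPs
    w_protocols: set = field(default_factory=set)   # allowed protocols other than TCP/UDP
    w_tcp_ports: set = field(default_factory=set)   # whitelisted destination TCP ports
    p_tcp_ports: set = field(default_factory=set)   # protected destination TCP ports
    w_udp_ports: set = field(default_factory=set)   # whitelisted destination UDP ports


@dataclass
class Instance:
    contexts: dict = field(default_factory=dict)    # "10.2.3.5" or "10.2.3.5@100" -> Context
    other: Context = field(default_factory=lambda: Context("Other"))

    def lookup(self, pkt):
        """Step (2): pick the context by destination IP + vlan tag, then bare IP, else Other.
        Trying the tagged identifier first is this model's assumption."""
        if pkt.vlan is not None:
            tagged = self.contexts.get(f"{pkt.dst_ip}@{pkt.vlan}")
            if tagged is not None:
                return tagged
        return self.contexts.get(pkt.dst_ip, self.other)


def is_invalid(pkt):
    """Rule 1 (not configurable). Only out-of-range protocol or port numbers are rejected here."""
    return not (0 <= pkt.proto <= 255 and 0 <= pkt.dport <= 65535)


def decide(inst, pkt):
    """Apply the rules in the documented order; the first matching rule stops processing.
    Returns (context name, verdict)."""
    ctx = inst.lookup(pkt)
    if is_invalid(pkt):                                   # 1. invalid packets
        return ctx.name, "DROP:invalid"
    if pkt.src_ip in ctx.b_sources:                       # 2. blacklist: source IP
        return ctx.name, "DROP:blacklisted-source"
    if pkt.src_ip in ctx.w_sources:                       # 3. whitelist: source IP
        return ctx.name, "ACCEPT:whitelisted-source"
    if pkt.proto == 6:                                    # 3. whitelist / 4. protection: TCP port
        if pkt.dport in ctx.w_tcp_ports:
            return ctx.name, "ACCEPT:whitelisted-tcp-port"
        if pkt.dport in ctx.p_tcp_ports:
            return ctx.name, "PROTECT:tcp-port"           # SYN cookie / unmatched checks follow
        return ctx.name, "DROP:tcp-port"
    if pkt.proto == 17:                                   # 3. whitelist: UDP port
        if pkt.dport in ctx.w_udp_ports:
            return ctx.name, "ACCEPT:whitelisted-udp-port"
        return ctx.name, "DROP:udp-port"                  # DNS-response exception not modelled
    if pkt.proto in ctx.w_protocols:                      # 3. whitelist: protocol
        return ctx.name, "ACCEPT:whitelisted-protocol"
    return ctx.name, "DROP:protocol"


def build_demo_instance():
    """Constructed sample: one tagged context for 10.2.3.5 on vlan 100 plus the default Other."""
    inst = Instance()
    inst.contexts["10.2.3.5@100"] = Context("10.2.3.5@100", w_tcp_ports={80},
                                            p_tcp_ports={443}, w_protocols={1})
    inst.other.b_sources.add("198.51.100.7")
    inst.other.w_sources.add("203.0.113.9")
    inst.other.w_udp_ports.add(123)
    return inst


if __name__ == "__main__":
    inst = build_demo_instance()
    for pkt in (Packet("192.0.2.1", "10.2.3.5", 6, 80, vlan=100),
                Packet("192.0.2.1", "10.2.3.5", 6, 80),
                Packet("198.51.100.7", "10.9.9.9", 17, 123)):
        print(pkt, "->", decide(inst, pkt))
```

The second sample packet shows why the note about VLAN tagging matters: the same destination IP arriving untagged does not hit the 10.2.3.5@100 context and falls through to Other, where port 80 is neither whitelisted nor protected.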

Enabling Packetshield

In the GUI, open the Services tab, scroll down to the bottom of the page, then click on the advanced mode link.

A few new lines appear, and among them one named Packetshield:

[screenshot: ps_services_line.png]

To access Packetshield's configuration, click on the setup icon, then:

  • delete the no autostart statement
  • click on the OK button
  • click on the Close button
  • click on the reload icon

Configuration

sysfs

The configuration interface uses sysfs. Loading the packetshield module automatically creates the sysfs directory /sys/packetshield, from which all the configuration can be done.

Configuration through the GUI

In the GUI, open the Services tab, scroll down to the bottom of the page, then click on the advanced mode link.

A few new lines appear, and among them one named Packetshield:

[screenshot: ps_services_line.png]

To access Packetshield's configuration, click on the edit icon.

A textarea opens and shows the current configuration.

Once you have updated the configuration, you can apply it:

  • Click on the OK button, then on the Close button.
  • Then, click on the reload icon of the Packetshield service line.

Configuration through the CLI

Connect to the ALOHA over SSH, then type root to obtain root privileges.

To access the Packetshield configuration, manipulate the entries under /sys/packetshield as described in the rest of this document.

Once you are satisfied with the configuration, save it with the following command: service packetshield store.

Warning

The configuration applies directly to live traffic!

Error codes

When configuring Packetshield through the CLI, a write to a sysfs entry may fail with one of the following error codes:

  • 2 / ENOENT: object or configuration setting not found
  • 5 / EIO: input string is malformed
  • 16 / EBUSY: object already attached to another instance
  • 17 / EEXIST: object or configuration setting already exists
  • 19 / ENODEV: object does not exist
  • 28 / ENOSPC: object is full
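The rest of this document gives every setting twice, as a GUI statement and as an echo into a sysfs entry. The following Python helper, added for this page and not part of the ALOHA, turns a list of GUI statements into the equivalent sysfs writes and reports failures using the error codes listed above. It assumes the correspondence shown by the page's examples: a statement on a list entry (instances, ifaces, contexts, the w_*, b_*, p_tcp_ports and x_tcp_ports lists) writes "+value", while a statement on any other entry writes the value as is. The demo_in_temp_root function is constructed for a dry run against a temporary directory; the second statement in it contains a deliberate typo in the instance name so that the write fails with ENOENT.

```python
import errno
import os
import tempfile

# sysfs entries that hold a list of objects: the GUI statement "<entry> <value>" is
# equivalent to writing "+<value>" to the entry. Every other entry is a scalar option
# whose value is written verbatim (assumption drawn from the examples on this page).
LIST_ENTRIES = {"instances", "ifaces", "contexts", "w_protocols", "w_tcp_ports",
                "w_udp_ports", "w_sources", "b_sources", "p_tcp_ports", "x_tcp_ports"}

# Meaning of the errno values documented for Packetshield's sysfs interface.
ERRNO_MEANING = {
    errno.ENOENT: "object or configuration setting not found",
    errno.EIO: "input string is malformed",
    errno.EBUSY: "object already attached to another instance",
    errno.EEXIST: "object or configuration setting already exists",
    errno.ENODEV: "object does not exist",
    errno.ENOSPC: "object is full",
}


def statement_to_write(statement):
    """Translate one GUI statement into (path relative to /sys/packetshield, text to write)."""
    parts = statement.split()
    if len(parts) != 2:
        raise ValueError(f"malformed statement: {statement!r}")
    path, value = parts
    leaf = path.rsplit("/", 1)[-1]
    return path, ("+" + value) if leaf in LIST_ENTRIES else value


def apply_statements(statements, root="/sys/packetshield"):
    """Write each statement in order, like a series of `echo ... > /sys/packetshield/...`.
    Returns a list of (statement, errno or 0, message); a failure does not stop the run,
    so the caller can see every rejected line, as on the live system."""
    results = []
    for stmt in statements:
        rel, text = statement_to_write(stmt)
        try:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text + "\n")      # echo appends a newline too
            results.append((stmt, 0, "ok"))
        except OSError as exc:
            results.append((stmt, exc.errno, ERRNO_MEANING.get(exc.errno, exc.strerror)))
    return results


def demo_in_temp_root():
    """Dry run against a temporary directory instead of the live sysfs tree (constructed).
    Only an 'instances' file exists there; 'myinstt' is a typo, so that write hits ENOENT."""
    root = tempfile.mkdtemp(prefix="packetshield-dryrun-")
    open(os.path.join(root, "instances"), "w").close()
    results = apply_statements(["instances myinst", "myinstt/ifaces eth1"], root=root)
    with open(os.path.join(root, "instances")) as fh:
        written = fh.read()
    return results, written


if __name__ == "__main__":
    for line in demo_in_temp_root()[0]:
        print(line)
```

On the ALOHA itself, call apply_statements with the default root; because the configuration applies to live traffic immediately, keep the statements in the same order the GUI would use (instance, interfaces, contexts, then the lists and options of each context).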

Instances

An instance defines entry points (physical interfaces) into Packetshield and one or more rule sets (contexts) to apply.

An instance is designated by a name.

Note

keywords instances and version are reserved and can’t be used as an instance name

Each instance owns its own session table and configuration.

Sysfs entry

Instances can be managed through the sysfs entry /sys/packetshield/instances.

create

  • sysfs: write +<instance name> in the sysfs entry

    Example:

    echo "+myinst" > /sys/packetshield/instances
    
  • gui: use the statement instances followed by the instance name

    Example:

    instances myinst
    

destroy

Warning

destroying an instance also destroys all its configuration, contexts and statistics, and releases all attached network interfaces

  • sysfs: to destroy an instance, simply write -<instance name> in the sysfs entry.

    Example:

    echo "-myinstance" > /sys/packetshield/instances
    
  • gui: to destroy an instance, simply remove the instances line which creates it.

list

Note

this is only available through the CLI

To list the instances currently configured, read the content of the file /sys/packetshield/instances.

Example:

cat /sys/packetshield/instances
myinst3
myinst2
myinst1

options

Available options are:

  • ack_session_timeout, default 60 seconds: when an incoming ACK packet is seen, the corresponding session is considered invalid if more than this many seconds have elapsed since the previous packet of that session
  • syn_session_timeout, default 10 seconds: when an incoming SYN packet is seen, the corresponding session is considered invalid if more than this many seconds have elapsed since the previous packet of that session
  • rst_session_timeout, default 60 seconds: when an incoming RST packet is seen, the corresponding session is considered invalid if more than this many seconds have elapsed since the previous packet of that session
  • dns_session_timeout, default 60 seconds: when an incoming DNS response packet is seen, the corresponding session is considered invalid if more than this many seconds have elapsed since the matching DNS request
  • sysfs: options can be displayed and set using respectively read and write operations on the sysfs files in the directory /sys/packetshield/<instance name>/<option>

    Example:

    echo 30 > /sys/packetshield/myinst/ack_session_timeout
    echo 4 > /sys/packetshield/myinst/syn_session_timeout
    
  • gui: options can be configured using the following scheme: <instance name>/<option> followed by the desired parameter value.

    Example:

    myinst/ack_session_timeout 30
    myinst/syn_session_timeout 4
    

statistics

Note

this is only available through the CLI

Instance statistics counters are available through the sysfs entry /sys/packetshield/<instance name>/stats

Example:

cat /sys/packetshield/myinst/stats
rx_total  : 56741
capmissed : 56502
tx_total  : 11329
  • rx_total: total incoming packets on current instance

  • capmissed: incoming packets not copied to debugging capture slots

    Note

    If the capmissed counter keeps rising during a capture dump, the capture reader is not reading fast enough and some packets are not captured because the slots are full

  • tx_total: total outgoing packets on current instance (except packets generated by Packetshield like syncookies)
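A small monitoring helper for the stats entry, added here as an example and not part of the ALOHA: it parses the counter lines shown above, computes the increase and per-second rate of each counter between two reads, and applies the note's rule that a capmissed counter still rising during a capture dump means the reader is too slow. The first sample is the output shown on this page; the second one, assumed to be read ten seconds later, is constructed.

```python
import re

_COUNTER = re.compile(r"^\s*(\w+)\s*:\s*(\d+)\s*$")


def parse_stats(text):
    """Parse the 'name : value' lines of /sys/packetshield/<instance>/stats into a dict."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def stats_delta(before, after, seconds):
    """Increase and per-second rate of every counter present in both samples."""
    return {name: (after[name] - before[name], (after[name] - before[name]) / seconds)
            for name in before if name in after}


def capture_reader_lagging(before, after):
    """True when capmissed rose between two samples taken while a capture dump was running:
    the recycled slots filled up before the reader drained them. Outside a dump the counter
    rises anyway (nothing reads the slots), so only compare samples taken during a dump."""
    return after.get("capmissed", 0) > before.get("capmissed", 0)


# First sample: the output shown on this page. Second sample: constructed, ten seconds later.
SAMPLE_T0 = """rx_total  : 56741
capmissed : 56502
tx_total  : 11329
"""
SAMPLE_T1 = """rx_total  : 60000
capmissed : 59200
tx_total  : 12000
"""


def report(before_text=SAMPLE_T0, after_text=SAMPLE_T1, seconds=10):
    """Summarise two reads of the stats entry taken `seconds` apart."""
    before, after = parse_stats(before_text), parse_stats(after_text)
    return {"delta": stats_delta(before, after, seconds),
            "reader_lagging": capture_reader_lagging(before, after)}


if __name__ == "__main__":
    print(report())
```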

Debugging capture

Note

this is only available through the CLI

Packetshield provides two interfaces to retrieve a capture of all incoming packets on an instance. Both are available in the directory /sys/packetshield/<instance name>/.

Note

Packetshield uses a limited number of recycled memory slots to capture packets. If the reader is not fast enough, all slots fill up and some packets are not captured.

raw.cap

This sysfs entry is directly readable and provides the capture in pcap format.

Example to read this capture:

tcpdump -r /sys/packetshield/myinst/raw.cap
reading from file raw.cap, link-type EN10MB (Ethernet)

Note

This interface provides the worst performance:

  • A sysfs read operation is limited and cannot return more than one page (4096 bytes) at a time.
  • Every read operation copies all captured packets in memory.

capture.map

Note

this mode cannot be used in the ALOHA for now.

A read operation on this sysfs entry returns the size (as a 4-byte value) of the packet capture available in a memory slot. An mmap on the same file descriptor with this size gives direct access (a pointer) to the full slot.

Note

This interface provides the best performance. A userland application has to add the pcap file header itself.

Physical interfaces

All incoming / outgoing packets passing through physical interfaces will be processed by Packetshield using the associated instance configuration and session table.

Note

A physical interface can be attached to a single Packetshield instance at a time

Please note the following statements about physical interfaces in Packetshield:

  • There is no limit on the number of physical interfaces attached to an instance
  • Packetshield supports hot attach / detach operations on interfaces, regardless of their status (UP or DOWN)
  • an interface is not detached from the instance when its state switches to DOWN
  • an interface is automatically detached from the instance when its driver module is unloaded
  • all attached interfaces are automatically detached when the instance is destroyed

Sysfs entry

The sysfs entry dedicated to manage an instance’s interfaces is /sys/packetshield/<instance name>/ifaces.

Attach

  • sysfs: write the interface device name, prefixed by the char + in the sysfs entry.

    Example: attach interface eth1 and eth2 to instance myinst:

    echo "+eth1" > /sys/packetshield/myinst/ifaces
    echo "+eth2" > /sys/packetshield/myinst/ifaces
    
  • GUI: use the statement <instance name>/ifaces followed by the device name

    Example: attach interface eth1 and eth2 to instance myinst:

    myinst/ifaces eth1
    myinst/ifaces eth2
    

Detach

  • sysfs: write the interface device name, prefixed by the char - in the sysfs entry.

    Example: detach interface eth2 from instance myinst:

    echo "-eth2" > /sys/packetshield/myinst/ifaces
    
  • GUI: remove the statement line <instance name>/ifaces <device name> matching the device name to be removed

List

Note

this is only available through the CLI

To display interfaces attached to an instance, read the content of the sysfs entry /sys/packetshield/<instance>/ifaces.

Example:

cat /sys/packetshield/myinst/ifaces
eth0
eth6
eth5

Context

A context is identified by the destination of an incoming packet.

For each incoming packet, a lookup on available contexts in the instance is performed:

  • If a context is found (by matching the packet’s destination IP and an optional vlan tag), then the rules of the context will be applied to this packet.
  • If the packet doesn’t match any context, then the default context Other applies.

Creating an instance automatically creates the default context named Other which contains the policy used for packets which don’t match any other created context.

Note

Packetshield is currently limited to 512 custom IPv4 contexts per instance

Packetshield currently supports the following context identifiers:

  • an IPv4 address

  • an IPv4 address followed by the character @ and a VLAN id

    Note

    to match the VLAN id, the packet must be tagged when it enters the ALOHA

Sysfs entry

The sysfs entry used to manage context is /sys/packetshield/<instance name>/contexts.

create

Note

This operation also creates a new sysfs directory using the context identifier as name in /sys/packetshield/<instance name>/<context id>.

A freshly created context does not inherit the configuration of the default Other context.

  • sysfs: write the context identifier, prefixed by the character + in the sysfs entry.

    Example, create a context for the IP address 10.2.3.5:

    echo "+10.2.3.5" > /sys/packetshield/myinst/contexts
    

    Example, create a context for the IP address 10.2.3.5 in the tagged VLAN 100:

    echo "+10.2.3.5@100" > /sys/packetshield/myinst/contexts
    
  • GUI: use the statement <instance name>/contexts followed by the context identifier.

    Example, create a context for the IP address 10.2.3.5:

    myinst/contexts 10.2.3.5
    

    Example, create a context for the IP address 10.2.3.5 in the tagged VLAN 100:

    myinst/contexts 10.2.3.5@100
    
    

destroy

Note

This operation also deletes the sysfs directory /sys/packetshield/<instance name>/<context id>

  • sysfs: write the context identifier, prefixed by the char - in the sysfs entry.

    Example, destroy the context for the IP address 10.2.3.5:

    echo "-10.2.3.5" > /sys/packetshield/myinst/contexts
    

    Example, destroy the context for the IP address 10.2.3.5 in the tagged VLAN 100:

    echo "-10.2.3.5@100" > /sys/packetshield/myinst/contexts
    
  • GUI: remove the statement <instance name>/contexts <context id> which matches the context to be removed

list

Note

this is only available through the CLI

To list existing contexts, read the content of the sysfs entry /sys/packetshield/<instance name>/contexts.

One context identifier is displayed per line.

Note

despite not being listed here, the context Other still exists!

Example:

cat /sys/packetshield/myinst/contexts
10.2.3.5
10.2.3.5@100

capture

Note

this is only available through the CLI

Note

this mode cannot be used in the ALOHA for now

A read operation on the sysfs entry /sys/packetshield/<instance name>/context_capture.map is the interface to retrieve the context's packet capture.

A read operation on this sysfs entry returns the size (as a 4-byte value) of the packet capture available in a memory slot. An mmap on the same file descriptor with this size gives direct access (a pointer) to the full slot.

Note

This interface provides the best performance. A userland application has to add the pcap file header itself.

options

  • sysfs: Context’s options are displayable and settable using respectively read and write operations on sysfs entries available in the directory /sys/packetshield/<instance name>/<context id>/<option>
  • GUI: Context’s options are settable using the following statement: <instance name>/<context id>/<option>. The GUI can only set the option.

Available options:

  • drop_empty_ack, default 0, meaning no drop.

    Ratio of empty outgoing ACKs to drop.

    The purpose of this setting is to avoid ACK storms.

    sysfs example:

    echo 100 > /sys/packetshield/myinst/Other/drop_empty_ack
    

    GUI example:

    myinst/Other/drop_empty_ack 100
    
  • gateway, default ff:ff:ff:ff:ff:ff.

    Destination MAC address for outgoing traffic.

    By default, Packetshield uses the source MAC address from the incoming packets as destination when generating syncookies.

    Setting this value to a valid MAC address allows Packetshield to use an alternative gateway in order to send generated syncookies.

    sysfs example:

    echo '01:0c:23:fe:ab:10' > /sys/packetshield/myinst/Other/gateway
    

    GUI example:

    myinst/Other/gateway 01:0c:23:fe:ab:10
    
  • new_cookie_threshold, default: 0-0 means disabled.

    Defines the new-connection rate thresholds (per second) that enable / disable SYN cookie protection.

    The purpose of this protection mode is to block SYN floods.

    Note

    Applies to ports listed in protected TCP ports

    Example, to start sending SYN cookies when the incoming rate goes above 10000 SYN/s and stop when it goes below 5000:

    echo '10000-5000' > /sys/packetshield/myinst/Other/new_cookie_threshold
    
    myinst/Other/new_cookie_threshold 10000-5000
    
  • unmatch_drop_threshold, default: 0-0 means protection is disabled.

    Defines the unmatched-packet rate thresholds (per second) that enable / disable the dropping of unmatched RST/ACK packets.

    The purpose of this protection mode is to block RST or ACK floods (RSTs or ACKs that don't match any known session).

    Note

    Applies to ports listed in protected TCP ports

    Example, to start blocking unmatched packets when the incoming rate goes above 10000/s and stop when it goes below 5000:

    echo '10000-5000' > /sys/packetshield/myinst/Other/unmatch_drop_threshold
    
    myinst/Other/unmatch_drop_threshold 10000-5000
    
  • unknown_ttlfilter_threshold, default: 0-0 means protection is disabled.

    Defines the rate thresholds (per second) of packets with an unknown TTL that enable / disable filtering based on TTL

    Note

    Applies to ports listed in protected TCP ports

    Example, to start blocking packets with an unknown TTL when the incoming rate goes above 10000/s and stop when it goes below 5000:

    echo '10000-5000' > /sys/packetshield/myinst/Other/unknown_ttlfilter_threshold
    
    myinst/Other/unknown_ttlfilter_threshold 10000-5000
    
  • deliver_block_threshold, default: 0-0 means protection is disabled.

    Defines the delivered-packet rate thresholds (per second) that enable / disable surge protection (those packets are dropped instead of being filtered).

    Note

    this filter affects every packet, regardless of the status of the protected port

    Example, to enable surge protection when the outgoing rate goes above 10000 packets/s and disable it when it goes below 5000:

    echo '10000-5000' > /sys/packetshield/myinst/Other/deliver_block_threshold
    
    myinst/Other/deliver_block_threshold 10000-5000
    
  • context_capture, default: 0 means disabled.

    Defines whether incoming packets on current context are captured.

    To enable packet capture, set this value to 1.

    echo 1 > /sys/packetshield/myinst/Other/context_capture
    
    myinst/Other/context_capture 1
    

    Note

    See the capture section of the Context chapter for details

  • x_tcp_ecp, default: 0 means disabled.

    Defines whether ECP is enabled in the SYN+ACK packets emitted for x_tcp_ports

    echo 1 > /sys/packetshield/myinst/Other/x_tcp_ecp
    
    myinst/Other/x_tcp_ecp 1
    
  • x_tcp_mss, default: 0 means disabled.

    Defines the maximum segment size used for SYN+ACK emitted packets from x_tcp_ports

    echo 1 > /sys/packetshield/myinst/Other/x_tcp_mss
    
    myinst/Other/x_tcp_mss 1
    
  • x_tcp_sack, default: 0 means disabled.

    Defines if the SACK (selective ACK) is enabled for SYN+ACK emitted packets from x_tcp_ports

    echo 1 > /sys/packetshield/myinst/Other/x_tcp_sack
    
    myinst/Other/x_tcp_sack 1
    
  • x_tcp_timestamps, default: 0 means disabled.

    Defines whether timestamps are enabled in the SYN+ACK packets emitted for x_tcp_ports

    echo 1 > /sys/packetshield/myinst/Other/x_tcp_timestamps
    
    myinst/Other/x_tcp_timestamps 1
    
  • x_tcp_wscale, default: 0 means disabled.

    Defines if the window scale factor is enabled for SYN+ACK emitted packets from x_tcp_ports

    echo 1 > /sys/packetshield/myinst/Other/x_tcp_wscale
    
    myinst/Other/x_tcp_wscale 1
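The four *_threshold options above share one shape: "enable-disable", where the protection switches on when the watched rate goes above the first value and off again when it goes below the second, and 0-0 disables it. The Python model below, added for this page and not Packetshield's code, parses that syntax and runs the resulting hysteresis switch over a series of per-second rate samples, so the effect of a gap between the two values (no flapping while the rate sits between them) can be seen. The check that the enable value is not lower than the disable value is the model's own sanity check; the page does not say how Packetshield treats such input. The class ContextGuards and the sample rates are constructed.

```python
THRESHOLD_OPTIONS = ("new_cookie_threshold", "unmatch_drop_threshold",
                     "unknown_ttlfilter_threshold", "deliver_block_threshold")


def parse_threshold(text):
    """'10000-5000' -> (10000, 5000): enable above the first value, disable below the second.
    '0-0' means disabled. Rejecting enable < disable is this model's own sanity check."""
    on, sep, off = text.strip().partition("-")
    if not sep or not on.isdigit() or not off.isdigit():
        raise ValueError("EIO: input string is malformed")
    on, off = int(on), int(off)
    if on < off:
        raise ValueError("enable threshold must not be lower than disable threshold")
    return on, off


class RateGuard:
    """Hysteresis switch for one *_threshold option."""

    def __init__(self, spec):
        self.on, self.off = parse_threshold(spec)
        self.active = False

    def update(self, rate):
        """Feed one per-second rate sample; returns whether the protection is now active."""
        if self.on == 0 and self.off == 0:
            self.active = False            # 0-0: protection disabled
        elif not self.active and rate > self.on:
            self.active = True             # rate went above the enable threshold
        elif self.active and rate < self.off:
            self.active = False            # rate fell below the disable threshold
        return self.active                 # between the two values the state is kept


def simulate(spec, rates):
    """Run one guard over a list of per-second rates; returns the active flag per sample."""
    guard = RateGuard(spec)
    return [guard.update(r) for r in rates]


class ContextGuards:
    """All four threshold options of one context (e.g. myinst/Other); unset ones are 0-0."""

    def __init__(self, config):
        self.guards = {name: RateGuard(config.get(name, "0-0")) for name in THRESHOLD_OPTIONS}

    def update(self, rates):
        """rates maps an option name to the rate it watches (SYN/s, unmatched RST+ACK/s, ...)."""
        return {name: guard.update(rates.get(name, 0)) for name, guard in self.guards.items()}


if __name__ == "__main__":
    # constructed SYN rates: quiet, flood, decaying, quiet, moderate
    print(simulate("10000-5000", [1000, 12000, 7000, 4000, 9000]))
```

In the printed run the protection stays on at 7000 SYN/s (above the disable value) and stays off at 9000 SYN/s (below the enable value): the spread between the two numbers is what keeps SYN cookies from toggling on and off around a single limit.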
    

whitelist: protocol

By default, all protocols except TCP and UDP are dropped.

Packetshield uses IANA's protocol numbers in its whitelist.

Note

An online version of the protocol numbers list is available at this URL: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Sysfs entry

The sysfs entry /sys/packetshield/<instance name>/<context id>/w_protocols is used to manage the protocol white list.

Add a protocol

  • sysfs: write the protocol number prefixed by the character + in the sysfs entry

    For example, to allow ICMP (1) and VRRP (112):

    echo "+1" > /sys/packetshield/myinst/Other/w_protocols
    echo "+112" > /sys/packetshield/myinst/Other/w_protocols
    
  • GUI: use the statement <instance name>/<context id>/w_protocols followed by the protocol number

    For example, to allow ICMP (1) and VRRP (112):

    myinst/Other/w_protocols 1
    myinst/Other/w_protocols 112
    

Remove a protocol

  • sysfs: write the protocol number prefixed by char - in the sysfs entry

    For example, to remove ICMP (1):

    echo "-1" > /sys/packetshield/myinst/Other/w_protocols
    
  • GUI: remove the statement <instance name>/<context id>/w_protocols <protocol number> which matches the protocol number you want to remove

Display protocol white list

Note

this is only available through the CLI

To list protocols currently in the white list, simply read the content of the sysfs entry.

It displays one protocol number per line.

cat /sys/packetshield/myinst/Other/w_protocols
1
112

whitelist: destination TCP port

By default, all TCP packets which don't match a white-listed or protected destination TCP port are dropped.

This means that to allow TCP traffic through Packetshield, the destination TCP port must be either in the white list or in the protected list.

Sysfs entry

The TCP port white list is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_tcp_ports.

Port range

A port range is defined by two numbers representing the lower and upper ports of the range, separated by the character -.

Port ranges are inclusive: the lower and upper ports describing the range are included in the range when matching packets.

Add a TCP port

Note

Adding a port or port range to the whitelisted TCP port list removes it/them from the protected list.

  • sysfs: write the port or range prefixed by the character + in the sysfs entry.

    For example, to white list ports 80, 443 and 1200 to 1250:

    echo "+80" > /sys/packetshield/myinst/Other/w_tcp_ports
    echo "+443" > /sys/packetshield/myinst/Other/w_tcp_ports
    echo "+1200-1250" > /sys/packetshield/myinst/Other/w_tcp_ports
    
  • GUI: TCP port white list is managed through the statement <instance name>/<context id>/w_tcp_ports

    For example, to white list ports 80, 443 and 1200 to 1250:

    myinst/Other/w_tcp_ports 80
    myinst/Other/w_tcp_ports 443
    myinst/Other/w_tcp_ports 1200-1250
    

Remove a TCP port

Note

Deleting a port in the middle of a configured port range splits the range in two

  • sysfs: write the port or range prefixed by the character - in the sysfs entry.

    For example:

    echo "-79-81" > /sys/packetshield/myinst/Other/w_tcp_ports
    echo "-1250" > /sys/packetshield/myinst/Other/w_tcp_ports
    
  • GUI: remove the statement line <instance name>/<context id>/w_tcp_ports <tcp port> matching the TCP port white list entry

    If the port to be removed is in the middle of a range, two statements must be provided.

    For example, to remove the port 1225 from the range 1200-1250:

    myinst/Other/w_tcp_ports 1200-1224
    myinst/Other/w_tcp_ports 1226-1250
    

List TCP port white list content

Note

this is only available through the CLI

To read the TCP port white list content, read the sysfs entry.

It displays one port or port range per line.

For example:

cat /sys/packetshield/myinst/Other/w_tcp_ports
80
443
1200-1250

whitelist: destination UDP port

By default all UDP packets which are not a DNS response matching a known DNS query are dropped.

Port range

A port range is defined by two numbers representing the lower and upper ports of the range, separated by the character -.

Port ranges are inclusive: the lower and upper ports describing the range are included in the range when matching packets.

Sysfs entry

The UDP port white list is managed through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_udp_ports.

Add a UDP port

Note

Adding a port or port range to the whitelisted UDP port list removes it/them from the protected list.

  • sysfs: write the port or range prefixed by the character + in the sysfs entry

    • For example, to white list ports 123 and 161-162:

      echo "+123" > /sys/packetshield/myinst/Other/w_udp_ports
      echo "+161-162" > /sys/packetshield/myinst/Other/w_udp_ports
      
  • GUI: use the statement <instance name>/<context id>/w_udp_ports followed by the port number or port range

    • For example, to white list ports 123 and 161-162:

      myinst/Other/w_udp_ports 123
      myinst/Other/w_udp_ports 161-162
      

Remove a UDP port

Note

Deleting a port in the middle of a configured port range splits the range in two

  • sysfs: write the port or range prefixed by the character - in the sysfs entry

    For example:

    echo "-123" > /sys/packetshield/myinst/Other/w_udp_ports
    echo "-161-162" > /sys/packetshield/myinst/Other/w_udp_ports
    
  • GUI: remove the statement <instance name>/<context id>/w_udp_ports <port number> which matches the port number or port range

    If the port to be removed is in the middle of a range, two statements must be provided.

    For example, to remove the port 1225 from the range 1200-1250:

    myinst/Other/w_udp_ports 1200-1224
    myinst/Other/w_udp_ports 1226-1250
    

UDP port white list content

Note

this is only available through the CLI

To read the UDP port white list content, read the sysfs entry.

It displays one port or port range per line.

For example:

cat /sys/packetshield/myinst/Other/w_udp_ports
123
161-162

whitelist: source IP

Traffic coming from IPs in the white list is accepted, regardless of the TCP/UDP port filtering policies.

Note

The white and black lists together cannot exceed 512 different class C networks.

IP address or IP range

Packetshield accepts two types of IP addresses:

  • single host, e.g. 10.0.0.1
  • IP range within a class C network, e.g. 10.0.0.0-255 or 10.0.0.10-20

IP ranges are inclusive: the lower and upper IP addresses describing the range are included in the range when matching packets.

Sysfs entry

Note

Adding an address to the IP source white list automatically removes it from the blacklist

Packetshield can manage source IP white list through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_sources.

Add an IP

  • sysfs: write the IPv4 address or range prefixed by character + in the sysfs entry

    Example, to add a single host:

    echo "+10.0.2.3" > /sys/packetshield/myinst/Other/w_sources
    

    Example, to add a whole class C subnet:

    echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/w_sources
    

    Example, to add 11 consecutive IPs of the same range:

    echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/w_sources
    
  • GUI: use the statement <instance name>/<context id>/w_sources followed by the IP address or range

    Example, to add a single host:

    <instance name>/<context id>/w_sources 10.0.2.3
    

    Example, to add a whole class C subnet:

    <instance name>/<context id>/w_sources 10.0.3.0-255
    

    Example, to add 11 consecutive IPs of the same range:

    <instance name>/<context id>/w_sources 10.0.4.10-20
    

Remove an IP

Note

Removing an IPv4 address in the middle of a range within the same class C network splits the range in two

  • sysfs: write the IPv4 address or the range prefixed by the character - in the sysfs entry.

    Example:

    echo "-10.0.3.100" > /sys/packetshield/myinst/Other/w_sources
    echo "-10.0.4.10-15" > /sys/packetshield/myinst/Other/w_sources
    
  • GUI: remove the statement <instance name>/<context id>/w_sources <IP address> which matches the IP address or range

    If the IP address to be removed is in the middle of an existing range, two statements must be provided.

    For example, to remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:

    myinst/Other/w_sources 10.0.3.0-99
    myinst/Other/w_sources 10.0.3.101-255
    

List IPs

Note

this is only available through the CLI

To list the IPs currently configured in the source IP white list, read the content of the sysfs entry.

It displays one IPv4 address or one range within a class C network per line.

For example:

cat /sys/packetshield/myinst/Other/w_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255

blacklist: source IP

Once in the black list, traffic coming from these source IPs is dropped, regardless of the TCP/UDP port filtering policies.

Note

The white and black lists together cannot exceed 512 different class C networks.

IP address or IP range

Packetshield accepts two types of IP addresses:

  • single host, e.g. 10.0.0.1
  • IP range within a class C network, e.g. 10.0.0.0-255 or 10.0.0.10-20

IP ranges are inclusive: the lower and upper IP addresses describing the range are included in the range when matching packets.

Sysfs entry

Packetshield can manage source IP black lists through the sysfs entry /sys/packetshield/<instance name>/<context id>/b_sources.

Add an IP

Note

Adding an address to the IP source black list automatically removes it from the white list

  • sysfs: write the IPv4 address or the range prefixed by character + in the sysfs entry

    Example, to add a single host:

    echo "+10.0.2.3" > /sys/packetshield/myinst/Other/b_sources
    

    Example, to add a whole class C subnet:

    echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/b_sources
    

    Example, to add 11 consecutive IPs of the same range:

    echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/b_sources
    
  • GUI: use the statement <instance name>/<context id>/b_sources followed by the IP address or range

    Example, to add a single host:

    <instance name>/<context id>/b_sources 10.0.2.3
    

    Example, to add a whole class C subnet:

    <instance name>/<context id>/b_sources 10.0.3.0-255
    

    Example, to add 11 consecutive IPs of the same range:

    <instance name>/<context id>/b_sources 10.0.4.10-20
    

Remove an IP

Note

Removing an IPv4 address in the middle of a range within the same class C network splits the range in two

  • sysfs: write the IPv4 address or the range prefixed by the character - in the sysfs entry.

    echo "-10.0.3.100" > /sys/packetshield/myinst/Other/b_sources
    echo "-10.0.4.10-15" > /sys/packetshield/myinst/Other/b_sources
    
  • GUI: remove the statement <instance name>/<context id>/b_sources <IP address> which matches the IP address or range

    If the IP address to be removed is in the middle of an existing range, two statements must be provided.

    For example, to remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:

    myinst/Other/b_sources 10.0.3.0-99
    myinst/Other/b_sources 10.0.3.101-255
    

List IPs

Note

this is only available through the CLI

To list the IPs currently configured in the source IP black list, read the content of the sysfs entry.

It displays one IPv4 address or one range within a class C network per line.

For example:

cat /sys/packetshield/myinst/Other/b_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255

Protection: destination TCP port

This setting enables the syncookie and the unmatched protection on the listed TCP ports.

Sysfs entry

Two sysfs entries are available to enable this protection; which one to use depends on the type of ALOHA / Packetshield deployment:

  • /sys/packetshield/<instance name>/<context id>/p_tcp_ports: when the TCP connection is locally terminated, i.e. when using HAProxy on the ALOHA.
  • /sys/packetshield/<instance name>/<context id>/x_tcp_ports: when the TCP connection is terminated by a server behind the ALOHA and the synproxy mechanism is enabled on the ALOHA.

Port range

A port range is defined by two numbers representing the lower and upper ports of the range, separated by the character -.

Port ranges are inclusive: the lower and upper ports describing the range are included in the range when matching packets.

Add a TCP port

Note

Adding a port or port range to the protected TCP ports list removes it/them from the white list.

  • sysfs: write the port or range prefixed by the character + in the sysfs entry

    • to protect ports 80 and 443 locally load-balanced by HAProxy:

      echo "+80"  > /sys/packetshield/myinst/Other/p_tcp_ports
      echo "+443" > /sys/packetshield/myinst/Other/p_tcp_ports
      
    • to protect ports 110, 995 and 1200 to 1250 routed through the ALOHA:

      echo "+110" > /sys/packetshield/myinst/Other/x_tcp_ports
      echo "+995" > /sys/packetshield/myinst/Other/x_tcp_ports
      echo "+1200-1250" > /sys/packetshield/myinst/Other/x_tcp_ports
      
  • GUI: write the port number or port range after the following statement <instance name>/<context id>/p_tcp_ports or <instance name>/<context id>/x_tcp_ports:

    • to protect ports 80 and 443 locally load-balanced by HAProxy:

      <instance name>/<context id>/p_tcp_ports 80
      <instance name>/<context id>/p_tcp_ports 443
      
    • to protect ports 110, 995 and 1200 to 1250 routed through the ALOHA:

      <instance name>/<context id>/x_tcp_ports 110
      <instance name>/<context id>/x_tcp_ports 995
      <instance name>/<context id>/x_tcp_ports 1200-1250
      

Remove a TCP port

Note

Removing a port in the middle of a range splits the range in two.

  • sysfs: write the port or range prefixed by character - in the sysfs entry.

    • to remove the port range from 79 to 81 locally load-balanced by HAProxy:

      echo "-79-81" > /sys/packetshield/myinst/Other/p_tcp_ports
      
    • to remove port 1250 for traffic routed through the ALOHA:

      echo "-1250" > /sys/packetshield/myinst/Other/x_tcp_ports
      
  • GUI: remove the statement <instance name>/<context id>/p_tcp_ports <port number> or <instance name>/<context id>/x_tcp_ports <port number> which matches the port range you want to remove

    If the port to be removed is in the middle of a range, two rules must be provided instead.

    For example, to remove the port 1225 from the range 1200-1250:

    myinst/Other/p_tcp_ports 1200-1224
    myinst/Other/p_tcp_ports 1226-1250
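
The add/remove semantics described above (inclusive ranges, + to add, - to remove, a removal inside a range splitting it in two), as an added Python model that is not ALOHA or Packetshield code. Merging overlapping or adjacent ranges on add is this model's assumption; the last-octet IP ranges of b_sources and w_sources follow the same splitting rule but are not modelled here.

```python
import re

# Added example, not ALOHA code: a model of one Packetshield protected-port
# list (p_tcp_ports or x_tcp_ports) with the semantics the page describes:
# inclusive ranges, "+spec" adds, "-spec" removes and splits a range in two.

def parse_spec(spec):
    """'80' -> (80, 80); '1200-1250' -> (1200, 1250)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError("bad port spec: " + spec)
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("port range out of order or out of bounds: " + spec)
    return lo, hi

class PortRangeSet:
    def __init__(self):
        self.ranges = []  # sorted, non-overlapping, inclusive (lo, hi) pairs

    def write(self, value):
        """Apply one value as written to the sysfs entry: '+spec' or '-spec'."""
        if value[:1] not in ("+", "-"):
            raise ValueError("value must start with + or -: " + value)
        op, (lo, hi) = value[0], parse_spec(value[1:])
        kept = []
        if op == "+":
            for a, b in self.ranges:
                if b + 1 < lo or a > hi + 1:   # neither overlapping nor adjacent
                    kept.append((a, b))
                else:                          # merge (this model's assumption)
                    lo, hi = min(lo, a), max(hi, b)
            kept.append((lo, hi))
        else:
            for a, b in self.ranges:
                if b < lo or a > hi:           # untouched by the removal
                    kept.append((a, b))
                    continue
                if a < lo:                     # part below the removed span survives
                    kept.append((a, lo - 1))
                if b > hi:                     # part above survives: the split
                    kept.append((hi + 1, b))
        self.ranges = sorted(kept)

    def read(self):
        """Render like 'cat .../x_tcp_ports': one port or range per line."""
        return "\n".join(str(a) if a == b else f"{a}-{b}" for a, b in self.ranges)
```

Feeding it the page's own values (`+1200-1250` then `-1225`) yields the two lines `1200-1224` and `1226-1250` shown above.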
    

List protected TCP ports

Note

This is only available through the CLI.

To list TCP ports currently in the protected port list, read the content of the sysfs entry.

It displays one port or port range per line.

For example:

cat /sys/packetshield/myinst/Other/p_tcp_ports
80
443

cat /sys/packetshield/myinst/Other/x_tcp_ports
110
995
1200-1250

Statistics

Note

This is only available through the CLI.

Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.

For example:

cat /sys/packetshield/myinst/Other/stats
status     : 0x0000
rx_total   : 0
invalid    : 0
whitelisted: 0
filtered   : 0
out_related: 0
dns_resp   : 0
syn        : 0
rst        : 0
ack        : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns   : 0
unmatched  : 0
syncookie  : 0
drop_syn   : 0
drop_rst   : 0
drop_ack   : 0
delivered  : 0
tx_total   : 0
  • status: current status of the context

    This value is a bitfield. It can be one of the following values or a combination of them:

    • 0x0000: no protection mode currently enabled
    • 0x0001: syncookie protection mode currently enabled
    • 0x0002: unknown ttl filter protection mode currently enabled
    • 0x0004: unmatched drop protection mode currently enabled
    • 0x0008: surge protection mode on delivered packets is enabled

    For example, the value 0x0005 means both the syncookie and the unmatched drop protections are enabled.

  • rx_total: counter of incoming packets on current context

  • invalid: counter of invalid (from a protocol point of view) incoming packets on current context

    Possible reasons are:

    • spoofed source address (same source and destination)
    • bad checksums
    • UDP or TCP length greater than the total IP length
    • SYN contains data without the TCP fast open option
    • RST contains data
    • invalid TCP flags combination
  • whitelisted: counter of accepted incoming packets because they match one of the white list rules:

    • L4 protocol used is white listed
    • source address is white listed
    • TCP/UDP destination port is white listed
  • filtered: counter of dropped packets because of the configured policy. Possible reasons are:

    • black listed source IP
    • neither protected nor white listed TCP destination port and the packet is not related to a known session
    • UDP packet whose destination port is not white listed and the packet is not a response to a known DNS query
  • out_related: counter of accepted incoming TCP packets related to a known outbound session

  • dns_resp: counter of accepted incoming UDP packets related to a known outbound DNS query

  • syn: counter of incoming TCP SYN packets

  • rst: counter of incoming TCP RST packets

  • ack: counter of incoming TCP ACK packets

  • unknown_ttl: counter of incoming packets with a suspect TTL

  • ttlfiltered: counter of dropped packets in order to validate TTLs

  • established: counter of accepted incoming TCP packets related to a known session

  • newconns: counter of incoming TCP SYN packets on protected TCP ports which are not TCP retransmit (new connections)

  • unmatched: counter of incoming TCP RST and ACK packets on protected ports not related to an established session

  • syncookie: counter of successfully generated syncookies

  • drop_syn: counter of dropped SYN packets because generation of syncookie failed

  • drop_rst: counter of dropped incoming TCP RST packets on protected port because not related to a known session

  • drop_ack: counter of dropped incoming TCP ACK packets on protected port because not related to a known session

  • delivered: counter of packets delivered to the system stack.

    While surge protection mode is active, this counter instead shows the number of packets dropped rather than delivered.

  • tx_total: counter of total outgoing packets (except generated ones)
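
As an added example, not ALOHA code: a parser for the stats output in the layout shown above that decodes the status bitfield and turns a few of the counters into defender-side checks. The sample counter values are constructed, and which conditions are worth alerting on is this example's own choice.

```python
import re

# Added example, not ALOHA code: parse a Packetshield stats entry in the layout
# shown above, decode the status bitfield and derive a few defender-side checks.

STATUS_BITS = {  # bit values as documented for the status field above
    0x0001: "syncookie",
    0x0002: "unknown ttl filter",
    0x0004: "unmatched drop",
    0x0008: "surge protection on delivered packets",
}

# Constructed sample in the layout of 'cat /sys/packetshield/<inst>/<ctx>/stats';
# the counter values are made up for this example.
SAMPLE_STATS = """\
status     : 0x0005
rx_total   : 120000
newconns   : 89950
syncookie  : 89900
drop_syn   : 50
unmatched  : 25000
drop_rst   : 10
drop_ack   : 24980
delivered  : 5000
"""

def parse_stats(text):
    """Return {name: int}; 'status' is hex, the counters are decimal."""
    stats = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\w+)\s*:\s*(\S+)\s*", line)
        if m:
            stats[m.group(1)] = int(m.group(2), 16) if m.group(2).startswith("0x") else int(m.group(2))
    return stats

def decode_status(status):
    """0x0005 -> ['syncookie', 'unmatched drop']; 0x0000 -> []."""
    return [name for bit, name in STATUS_BITS.items() if status & bit]

def assess(stats):
    """Checks on one snapshot; what to alert on is this example's choice."""
    modes = decode_status(stats.get("status", 0))
    unmatched = stats.get("unmatched", 0)
    dropped = stats.get("drop_rst", 0) + stats.get("drop_ack", 0)
    return {
        "modes": modes,
        "syncookie_failures": stats.get("drop_syn", 0),  # SYNs lost: cookie generation failed
        "unmatched_drop_ratio": dropped / unmatched if unmatched else 0.0,
        # per the page, 'delivered' counts drops instead while surge mode is on
        "delivered_means_dropped": "surge protection on delivered packets" in modes,
    }
```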

Example

Given the following scenario:

  • enable packetshield on the interface eth8

  • configure a default ruleset which:

    • allow the ICMP and VRRP protocols
    • enable protection on TCP ports 80 and 443 for services load-balanced by the ALOHA itself
    • enable protection on TCP ports 25, 110, 143, 993, 995 for services routed through the ALOHA
    • whitelist traffic coming from 10.0.0.0/24
  • protect the VIP 192.168.0.1 for FTP passive traffic with data ports from 50000 to 60000 for an FTP service routed through the ALOHA

Using the GUI

instances mydemo
mydemo/ifaces eth8
mydemo/drop_empty_ack 100
mydemo/Other/new_cookie_threshold 10000-5000
mydemo/Other/unmatch_drop_threshold 10000-5000
mydemo/Other/unknown_ttlfilter_threshold 10000-5000
mydemo/Other/w_protocols 1
mydemo/Other/w_protocols 112
mydemo/Other/w_sources 10.0.0.0-255
mydemo/Other/p_tcp_ports 80
mydemo/Other/p_tcp_ports 443
mydemo/Other/x_tcp_ports 25
mydemo/Other/x_tcp_ports 110
mydemo/Other/x_tcp_ports 143
mydemo/Other/x_tcp_ports 993
mydemo/Other/x_tcp_ports 995
mydemo/contexts 192.168.0.1
mydemo/192.168.0.1/new_cookie_threshold 10000-5000
mydemo/192.168.0.1/unmatch_drop_threshold 10000-5000
mydemo/192.168.0.1/unknown_ttlfilter_threshold 10000-5000
mydemo/192.168.0.1/x_tcp_ports 21
mydemo/192.168.0.1/x_tcp_ports 50000-60000

Using the CLI / sysfs

echo +mydemo >/sys/packetshield/instances
echo +eth8 >/sys/packetshield/mydemo/ifaces
echo 100 >/sys/packetshield/mydemo/Other/drop_empty_ack
echo 10000-5000 >/sys/packetshield/mydemo/Other/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/Other/unknown_ttlfilter_threshold
echo +1 >/sys/packetshield/mydemo/Other/w_protocols
echo +112 >/sys/packetshield/mydemo/Other/w_protocols
echo +10.0.0.0-255 >/sys/packetshield/mydemo/Other/w_sources
echo +80 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +443 >/sys/packetshield/mydemo/Other/p_tcp_ports
echo +25 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +110 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +143 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +993 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +995 >/sys/packetshield/mydemo/Other/x_tcp_ports
echo +192.168.0.1 >/sys/packetshield/mydemo/contexts
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/new_cookie_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unmatch_drop_threshold
echo 10000-5000 >/sys/packetshield/mydemo/192.168.0.1/unknown_ttlfilter_threshold
echo +21 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports
echo +50000-60000 >/sys/packetshield/mydemo/192.168.0.1/x_tcp_ports