gamemann / XDP-Firewall

A firewall that utilizes the Linux kernel's XDP hook. The XDP hook allows for very fast network processing on Linux systems. This is great for dropping malicious traffic from a (D)DoS attack. IPv6 is supported with this firewall! I hope this helps network engineers/programmers interested in utilizing XDP!
https://deaconn.net/
MIT License
492 stars, 87 forks

Add feature to block invalid ARPs? #47

Open OnlyFor opened 6 months ago

OnlyFor commented 6 months ago

First of all, thank you very much for taking the time to maintain this project. This project has been very helpful to me in the past period of time, not only because of the effect of the project, but also because I have learned a lot of relevant knowledge.

In recent studies, I found that XDP seems to be used to block ARP requests. Considering the current proliferation of intranet broadcasts, is it possible to use XDP to write an ARP whitelist and reject all ARP requests that are not local requests?

For example:

10:58:36.239557 ARP, Request who-has 185.200.66.205 tell 185.200.66.1, length 46
10:58:36.246846 ARP, Request who-has 45.142.125.242.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.248497 ARP, Request who-has 45.142.126.65.static.xtom.com tell 45.142.126.1.static.xtom.com, length 46
10:58:36.250049 ARP, Request who-has 185.200.64.219.static.v.ps tell 185.200.64.1, length 46
10:58:36.251387 ARP, Request who-has 103.201.130.79.static.v.ps tell rg02nrt.v.ps, length 46
10:58:36.252702 ARP, Request who-has 45.142.125.243.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.253984 ARP, Request who-has 45.142.125.209.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.255239 ARP, Request who-has 185.200.64.63.static.v.ps tell 185.200.64.1, length 46
10:58:36.256391 ARP, Request who-has 45.142.125.140.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.257599 ARP, Request who-has 185.200.66.181 tell 185.200.66.1, length 46

Among the bunch of ARP requests above, none of them are actually my IP.

Although the kernel will ignore these invalid requests, if it can be implemented using XDP, will the performance be better? My knowledge in this area is relatively lacking, so please correct me if there is anything wrong.

Thanks again in advance.

gamemann commented 6 months ago

Hey! I'm glad the project has helped you gain more knowledge in the networking/security fields!

I've seen XDP used for processing ARP requests, mostly for caching ARP entries inside of BPF maps. However, I haven't implemented ARP filtering/caching in any code I've written for XDP in the past. It is certainly possible, though!

Implementing ARP filtering/caching would be faster in XDP since it's the first hook for processing packets in the Linux kernel (assuming your NIC driver supports XDP native). However, I'm not sure if there will be any noticeable difference unless you're under attack by attackers targeting ARP specifically.

It would be interesting to implement ARP filtering into this firewall, but I'm not sure if I'll have the time to implement such a feature in the near future due to time constraints and working on other projects. With that said, it'll require reworking a lot of the XDP logic.

I hope this helps!
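The ARP allowlist asked about in the question and discussed in the reply above, as an added example that is not code from XDP-Firewall or its author: the per-frame verdict logic an XDP program would run, written in the bounds-checked style the BPF verifier requires. Two assumptions are made here that the thread does not state: the local IPs live in a plain C array (a real XDP program would look them up in a BPF hash map), and the frame is handed in as a buffer rather than through ctx->data/data_end.

```c
/* Added example, not XDP-Firewall code: ARP "who-has" allowlist verdict.
 * Assumption: local IPs are a plain array here; a real SEC("xdp") program
 * would keep them in a BPF hash map and call this on ctx->data/data_end. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_P_ARP 0x0806
#define ARPOP_REQUEST 1
struct ethhdr_ { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct arphdr_ {
    uint16_t htype, ptype; uint8_t hlen, plen; uint16_t oper;
    uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa;
} __attribute__((packed));

/* XDP_DROP only for an ARP *request* whose target IP is not one of ours.
 * Non-ARP frames, replies, requests for our IPs and malformed frames are
 * passed, so the kernel stack keeps handling them exactly as it does now. */
int arp_verdict(const void *data, const void *data_end,
                const uint32_t *local_ips, int n_local)
{
    const struct ethhdr_ *eth = data;
    if ((const void *)(eth + 1) > data_end)
        return XDP_PASS;                /* too short: let the kernel decide */
    if (ntohs(eth->proto) != ETH_P_ARP)
        return XDP_PASS;
    const struct arphdr_ *arp = (const void *)(eth + 1);
    if ((const void *)(arp + 1) > data_end)
        return XDP_PASS;
    if (ntohs(arp->oper) != ARPOP_REQUEST || arp->plen != 4)
        return XDP_PASS;                /* replies / non-IPv4 ARP untouched */
    for (int i = 0; i < n_local; i++)
        if (arp->tpa == local_ips[i])   /* both in network byte order */
            return XDP_PASS;
    return XDP_DROP;                    /* "who-has" for an IP we don't own */
}

/* Constructs a broadcast ARP request frame (who-has `target` tell `sender`)
 * for testing; returns the frame length (14 + 28 bytes). */
size_t build_arp_request(uint8_t *buf, uint32_t sender, uint32_t target)
{
    struct ethhdr_ eth = { .proto = htons(ETH_P_ARP) };
    memset(eth.dst, 0xff, 6);
    struct arphdr_ arp = { htons(1), htons(0x0800), 6, 4, htons(ARPOP_REQUEST) };
    arp.spa = sender; arp.tpa = target;
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &arp, sizeof arp);
    return sizeof eth + sizeof arp;
}
```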

OnlyFor commented 5 months ago

Thanks for the patient reply.

I first thought of this because I suddenly felt that maybe it would be better to defend against DDoS at the ARP level. After all, ARP is the second layer.

Looking forward to future exploration and attempts.

Thanks again.