Add feature to block invalid arps ? #47

Open
OnlyFor opened this issue Dec 25, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@OnlyFor

OnlyFor commented Dec 25, 2023

First of all, thank you very much for taking the time to maintain this project. This project has been very helpful to me in the past period of time, not only because of the effect of the project, but also because I have learned a lot of relevant knowledge.

In recent studies, I found that xdp seems to be used to block arp requests. Considering the current proliferation of intranet broadcasts, is it possible to use xdp to write an arp whitelist and reject all arp requests that are not local requests?

for example:

10:58:36.239557 ARP, Request who-has 185.200.66.205 tell 185.200.66.1, length 46
10:58:36.246846 ARP, Request who-has 45.142.125.242.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.248497 ARP, Request who-has 45.142.126.65.static.xtom.com tell 45.142.126.1.static.xtom.com, length 46
10:58:36.250049 ARP, Request who-has 185.200.64.219.static.v.ps tell 185.200.64.1, length 46
10:58:36.251387 ARP, Request who-has 103.201.130.79.static.v.ps tell rg02nrt.v.ps, length 46
10:58:36.252702 ARP, Request who-has 45.142.125.243.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.253984 ARP, Request who-has 45.142.125.209.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.255239 ARP, Request who-has 185.200.64.63.static.v.ps tell 185.200.64.1, length 46
10:58:36.256391 ARP, Request who-has 45.142.125.140.static.xtom.com tell 45.142.125.1.static.xtom.com, length 46
10:58:36.257599 ARP, Request who-has 185.200.66.181 tell 185.200.66.1, length 46

Among the bunch of arp requests above, none of them are actually my IP.

Although the kernel will ignore these invalid requests, if it can be implemented using xdp, will the performance be better? My knowledge in this area is relatively lacking, please correct me if there is anything wrong.

Thanks again in advance.

@gamemann
Owner

gamemann commented Jan 4, 2024

Hey! I'm glad the project has helped you gain more knowledge in the networking/security fields!

I've seen XDP used for processing ARP requests, mostly for caching ARP entries inside of BPF maps. However, I haven't implemented ARP filtering/caching in any code I've written for XDP in the past. It is certainly possible, though!

Implementing ARP filtering/caching would be faster in XDP since it's the first hook for processing packets in the Linux kernel (assuming your NIC driver supports XDP native). However, I'm not sure if there will be any noticeable difference unless you're under attack by attackers targeting ARP specifically.

It would be interesting to implement ARP filtering into this firewall, but I'm not sure if I'll have the time to implement such a feature in the near future due to time constraints and working on other projects. With that said, it'll require reworking a lot of the XDP logic.

I hope this helps!
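
A userspace model of the ARP allowlist decision discussed in this thread, added here as an illustration; it is not code from this project or from either commenter. It assumes the host's address list (192.0.2.10 here, hypothetical) would live in a BPF map in a real XDP program, and the function and constant names are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { VERDICT_DROP = 1, VERDICT_PASS = 2 };   /* same numbers as XDP_DROP / XDP_PASS */
#define ETH_HDR   14
#define ARP_BODY  28                            /* ARP for IPv4 over Ethernet */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Verdict for one frame; every read is bounds-checked against data_end,
 * as the BPF verifier would demand. local_ips: raw 4-byte addresses. */
int arp_verdict(const uint8_t *data, const uint8_t *data_end,
                const uint8_t (*local_ips)[4], size_t n_ips)
{
    if (data + ETH_HDR > data_end) return VERDICT_DROP;        /* runt frame */
    if (be16(data + 12) != 0x0806) return VERDICT_PASS;        /* not ARP (VLAN tags not parsed) */
    const uint8_t *arp = data + ETH_HDR;
    if (arp + ARP_BODY > data_end) return VERDICT_DROP;        /* truncated ARP */
    if (be16(arp) != 1 || be16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4)
        return VERDICT_DROP;                                   /* not Ethernet/IPv4 ARP */
    if (be16(arp + 6) != 1) return VERDICT_PASS;               /* replies feed our own lookups */
    for (size_t i = 0; i < n_ips; i++)                         /* request: check target IP */
        if (memcmp(arp + 24, local_ips[i], 4) == 0) return VERDICT_PASS;
    return VERDICT_DROP;
}

/* Constructed sample: broadcast who-has a.b.c.d tell 185.200.66.1, cut to len bytes,
 * judged on a host whose only address is 192.0.2.10 (hypothetical). */
int sample_verdict(uint8_t a, uint8_t b, uint8_t c, uint8_t d, size_t len)
{
    static const uint8_t local[1][4] = { {192, 0, 2, 10} };
    uint8_t f[60] = {0};                                        /* zero padding like "length 46" */
    memset(f, 0xff, 6);                                         /* dst: broadcast */
    memcpy(f + 6, "\x02\x00\x00\x00\x00\x01", 6);              /* src: made-up MAC */
    memcpy(f + 12, "\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01", 10);
    memcpy(f + 22, f + 6, 6);                                   /* sender MAC */
    memcpy(f + 28, "\xb9\xc8\x42\x01", 4);                      /* sender IP 185.200.66.1 */
    f[38] = a; f[39] = b; f[40] = c; f[41] = d;                 /* target IP */
    return arp_verdict(f, f + (len > sizeof f ? sizeof f : len), local, 1);
}

int main(void)
{
    printf("who-has 185.200.66.205: %d\n", sample_verdict(185, 200, 66, 205, 60));
    printf("who-has 192.0.2.10:     %d\n", sample_verdict(192, 0, 2, 10, 60));
    return 0;
}
```

Under this policy, gratuitous ARP announcements that a gateway sends as requests for its own address are dropped as well, so neighbour entries are refreshed only through replies and the host's own lookups.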

@OnlyFor
Author

OnlyFor commented Jan 9, 2024

Thanks for the patient reply

I first thought of this because I suddenly felt that maybe it would be better to defend DDoS at the arp level. After all, arp is the second layer.

Looking forward to future exploration and attempts,

Thanks again

@gamemann gamemann added the enhancement New feature or request label Apr 11, 2024