Anti amplification #18
vhein99 wants to merge 158 commits into main from anti-amplification
Replaced a lot of preprocessor checks with generic macros. IPv6 extension headers are now processed (at most 10). Fixed minor mistake in checksum computation. Fixed byteorder error for multipart header. Added formatting target in Makefile for source code files. Added new configuration toggle for indirect multipart (yet to be implemented in the loader).
Reserved field in tr-response can be changed.
Fixed error where tr-error-responses were
sent to target instead of originator.
Added loader option to enable indirect multipart. Moved default config initialization in dedicated file. Renamed datatypes to reflect endianness. Using linux builtin structs for multipart headers.
Added --forward-to option for indirect traces, enabled for reverse-only traces. Indirect trace target resolved to server's address family.
…ormed tr-requests are now always dropped.
Fixed incorrect checksum on indirect traces.
Split the response function into two separate functions,
one handling successful responses and one errors.
Each function only expects the parameters it needs to work.
Probes are now built from bottom-to-top (l2 to l4), allowing
pseudo header computations in upper layer to work without
additional information about destination addresses.
Added separate probe parameter checking function.
Moved error codes to separate header, as errors are not only bound
to probe specific values with the introduction of indirect
multipart.
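The commit above builds probes from L2 upward so that the transport checksum can fold in the pseudo-header once the L3 addresses are known. The following is an added example, not code from the reverse-traceroute project: a one's-complement checksum with the IPv4 (RFC 768) and IPv6 (RFC 8200 section 8.1) pseudo-headers, a receiver-side verification, and a demo that computes, stores and re-verifies a UDP checksum over a constructed odd-length probe segment. Function names, addresses and payload bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement accumulation over a byte range (RFC 1071); an odd trailing
 * byte counts as the high byte of a final 16-bit word. */
static uint32_t csum_partial(const uint8_t *p, size_t len, uint32_t sum)
{
    while (len > 1) {
        sum += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)(p[0] << 8);
    return sum;
}

/* Fold the carries into 16 bits and complement. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 pseudo-header: src, dst, zero, protocol, L4 length. */
static uint32_t pseudo_v4(const uint8_t *src, const uint8_t *dst,
                          uint8_t proto, uint16_t l4len, uint32_t sum)
{
    sum = csum_partial(src, 4, sum);
    sum = csum_partial(dst, 4, sum);
    sum += proto;
    sum += l4len;
    return sum;
}

/* IPv6 pseudo-header: src, dst, 32-bit L4 length, zeros, next header. */
static uint32_t pseudo_v6(const uint8_t *src, const uint8_t *dst,
                          uint8_t nh, uint32_t l4len, uint32_t sum)
{
    sum = csum_partial(src, 16, sum);
    sum = csum_partial(dst, 16, sum);
    sum += l4len >> 16;
    sum += l4len & 0xffff;
    sum += nh;
    return sum;
}

/* family is 4 or 6; the L3 addresses must already be known (hence bottom-to-top). */
static uint32_t pseudo_sum(int family, const uint8_t *src, const uint8_t *dst, size_t seglen)
{
    return family == 4 ? pseudo_v4(src, dst, 17, (uint16_t)seglen, 0)
                       : pseudo_v6(src, dst, 17, (uint32_t)seglen, 0);
}

/* Checksum of a UDP segment whose checksum field (bytes 6-7) is still zero.
 * Returned as a host-order 16-bit value; store it big-endian in the header. */
uint16_t udp_checksum(int family, const uint8_t *src, const uint8_t *dst,
                      const uint8_t *seg, size_t seglen)
{
    uint16_t c = csum_fold(csum_partial(seg, seglen, pseudo_sum(family, src, dst, seglen)));
    return c == 0 ? 0xffff : c;   /* UDP transmits all-ones in place of zero */
}

/* Receiver-side check: with the checksum field included, the folded result is zero. */
int udp_checksum_ok(int family, const uint8_t *src, const uint8_t *dst,
                    const uint8_t *seg, size_t seglen)
{
    return csum_fold(csum_partial(seg, seglen, pseudo_sum(family, src, dst, seglen))) == 0;
}

/* Demo over a constructed 13-byte UDP segment (8-byte header, 5-byte payload).
 * corrupt != 0 flips one payload bit after the checksum is stored; that must fail. */
int demo_udp_checksum(int family, int corrupt)
{
    static const uint8_t src4[4] = {192, 0, 2, 1}, dst4[4] = {198, 51, 100, 9};
    static const uint8_t src6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    static const uint8_t dst6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2};
    const uint8_t *src = family == 4 ? src4 : src6;
    const uint8_t *dst = family == 4 ? dst4 : dst6;
    uint8_t seg[13] = {0x30, 0x39, 0x82, 0x9b, 0, 13, 0, 0,   /* sport 12345, dport 33435, len 13, csum 0 */
                       0xde, 0xad, 0xbe, 0xef, 0x01};          /* constructed 5-byte payload */

    uint16_t c = udp_checksum(family, src, dst, seg, sizeof seg);
    seg[6] = (uint8_t)(c >> 8);
    seg[7] = (uint8_t)c;
    if (corrupt)
        seg[8] ^= 0x01;
    return udp_checksum_ok(family, src, dst, seg, sizeof seg);
}

int main(void)
{
    printf("v4 ok=%d  v6 ok=%d  corrupted ok=%d\n",
           demo_udp_checksum(4, 0), demo_udp_checksum(6, 0), demo_udp_checksum(4, 1));
    return 0;
}
```

The verification relies on the one's-complement identity: once the complement of the folded sum is stored in the header, summing everything again folds to all-ones, so the complement is zero. Any single flipped bit changes that sum and is caught.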
Added the --[no-]tcp-syn-probes option to set whether the
server should set the SYN flag for TCP probes.
If the flag is absent, the server's default value is used.
Added the --[no-]indirect option to set whether the client
is allowed to choose the trace target via indirect multipart.
…e processing pipeline, allowing only the first filter on the interface to see the packets.
Non-SYN probes now carry a four-byte random payload instead of the MSS option for SYN probes.
Updated libbpf to v1.2.2. Updated bpftool to v7.2.0. Removed manual setrlimit call as it is automatically handled by libbpf.
The server can now be configured to allow reverse-traceroute requests from a set of preconfigured networks. The loader reads them from a file with the --allow-sources-from argument. Each line in the file should contain a network in CIDR notation. Each entry is validated and invalid entries are skipped by the loader.
Moved common datatypes into separate headers in parent folder. Added actual netmask to the network address for matching.
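The two commits above describe the --allow-sources-from loader: one CIDR network per line, invalid entries skipped, and the netmask stored alongside the network address for matching. As an added example that is not the project's own loader code, the following C reads such a file, validates each line, masks the host bits out of the stored network, and matches a source address against the list. Struct and function names are assumptions, and the sample file contents are constructed.

```c
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_NETS 64
#define MAX_LINE 128

struct allowed_net {
    int family;          /* AF_INET or AF_INET6 */
    uint8_t addr[16];    /* network address with host bits cleared */
    uint8_t mask[16];    /* netmask derived from the prefix length */
};

/* Fill `bytes` bytes of mask with `prefix` leading one bits. */
static void build_mask(uint8_t *mask, int bytes, int prefix)
{
    for (int i = 0; i < bytes; i++) {
        int bits = prefix - i * 8;
        mask[i] = bits >= 8 ? 0xff : bits <= 0 ? 0 : (uint8_t)(0xff << (8 - bits));
    }
}

/* Parse one "address/prefix" line. Returns 1 on success, 0 for a blank,
 * comment or invalid line (which the loader skips). */
int parse_cidr(const char *line, struct allowed_net *out)
{
    char buf[MAX_LINE];
    char *slash, *end;
    long prefix;
    int bytes;

    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\r\n")] = '\0';
    if (buf[0] == '\0' || buf[0] == '#')
        return 0;
    slash = strchr(buf, '/');
    if (!slash)
        return 0;                               /* a bare address is not a network */
    *slash = '\0';
    prefix = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0')
        return 0;
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;
        bytes = 4;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->family = AF_INET6;
        bytes = 16;
    } else {
        return 0;
    }
    if (prefix < 0 || prefix > bytes * 8)
        return 0;
    build_mask(out->mask, bytes, (int)prefix);
    for (int i = 0; i < bytes; i++)             /* "192.168.1.7/24" is stored as 192.168.1.0/24 */
        out->addr[i] &= out->mask[i];
    return 1;
}

/* Read networks from an open file, one per line; invalid entries are skipped. */
int load_allowlist(FILE *fp, struct allowed_net *nets, int max)
{
    char line[MAX_LINE];
    int n = 0;
    while (n < max && fgets(line, sizeof line, fp))
        if (parse_cidr(line, &nets[n]))
            n++;
    return n;
}

/* A source matches an entry of the same family when its masked bits equal the network. */
int source_allowed(const struct allowed_net *nets, int n, int family, const uint8_t *src)
{
    int bytes = family == AF_INET ? 4 : 16;
    for (int i = 0; i < n; i++) {
        int j;
        if (nets[i].family != family)
            continue;
        for (j = 0; j < bytes; j++)
            if ((src[j] & nets[i].mask[j]) != nets[i].addr[j])
                break;
        if (j == bytes)
            return 1;
    }
    return 0;
}

/* Constructed sample file contents: three valid entries, one comment, two invalid lines. */
static const char SAMPLE_ALLOWLIST[] =
    "10.0.0.0/8\n# comment line\n192.168.1.7/24\nnot-a-network\n10.1.0.0/33\n2001:db8::/32\n";

/* Load the sample through a temporary file; returns the number of valid entries. */
int load_sample(struct allowed_net *nets, int max)
{
    FILE *fp = tmpfile();
    if (!fp)
        return -1;
    fputs(SAMPLE_ALLOWLIST, fp);
    rewind(fp);
    int n = load_allowlist(fp, nets, max);
    fclose(fp);
    return n;
}

int sample_count(void)
{
    struct allowed_net nets[MAX_NETS];
    return load_sample(nets, MAX_NETS);
}

/* 1 if `ip` (v4 or v6 text) is allowed by the sample list, 0 if not, -1 on error. */
int sample_allows(const char *ip)
{
    struct allowed_net nets[MAX_NETS];
    uint8_t a[16];
    int n = load_sample(nets, MAX_NETS);
    if (n < 0)
        return -1;
    if (inet_pton(AF_INET, ip, a) == 1)
        return source_allowed(nets, n, AF_INET, a);
    if (inet_pton(AF_INET6, ip, a) == 1)
        return source_allowed(nets, n, AF_INET6, a);
    return -1;
}
```

Masking the stored network as well as the incoming source is what makes an entry written with host bits set ("192.168.1.7/24") behave as the operator intended; comparing the raw entry to a masked source would silently never match.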
When the server is running as a v4 instance and the supplied address is not a well-formed v4-mapped v6-address, the request is considered malformed and simply dropped.
…s running in v4. This would allow the client to run in NAT64/NAT46 environments, where the address families of client and server do not match.
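The two commits above require a v4 server to accept only a well-formed IPv4-mapped IPv6 address in the request's address field and to drop anything else as malformed. As an added example (not the project's code), the check below follows RFC 4291 section 2.5.5.2: 80 zero bits, 16 one bits, then the IPv4 address. The deprecated IPv4-compatible form ::a.b.c.d deliberately does not pass. Function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ::ffff:a.b.c.d has the fixed 12-byte prefix 0000...0000ffff. */
int is_v4_mapped(const uint8_t a[16])
{
    static const uint8_t prefix[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
    return memcmp(a, prefix, sizeof prefix) == 0;
}

/* Resolve the 16-byte address field of a request to the server's own family.
 * Returns the number of address bytes written to out (4 or 16), or 0 when the
 * request must be dropped as malformed. */
int resolve_to_server_family(int server_family, const uint8_t supplied[16], uint8_t *out)
{
    if (server_family == AF_INET6) {        /* a v6 server takes the address as is */
        memcpy(out, supplied, 16);
        return 16;
    }
    if (!is_v4_mapped(supplied))            /* a v4 server insists on ::ffff:a.b.c.d */
        return 0;
    memcpy(out, supplied + 12, 4);
    return 4;
}

/* Text-level wrapper for the demo: NULL means "dropped". Uses a static buffer. */
const char *resolve_str(int server_family, const char *supplied_v6)
{
    static char text[INET6_ADDRSTRLEN];
    uint8_t in[16], out[16];
    if (inet_pton(AF_INET6, supplied_v6, in) != 1)
        return NULL;
    if (resolve_to_server_family(server_family, in, out) == 0)
        return NULL;
    return inet_ntop(server_family, out, text, sizeof text);
}

int main(void)
{
    /* ::c000:207 is the IPv4-compatible (not mapped) encoding of 192.0.2.7 */
    const char *inputs[] = {"::ffff:192.0.2.7", "::c000:207", "2001:db8::7"};
    for (int i = 0; i < 3; i++) {
        const char *r4 = resolve_str(AF_INET, inputs[i]);
        const char *r6 = resolve_str(AF_INET6, inputs[i]);
        printf("%-18s v4 server: %-10s v6 server: %s\n", inputs[i],
               r4 ? r4 : "dropped", r6 ? r6 : "dropped");
    }
    return 0;
}
```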
lintian is invoked from inside the pbuilder chroot by specifying a hookdir containing the lintian script, which resides in scripts/hooks. This was necessary as lintian failed when called outside of pbuilder's chroot.
* Added parsing support for padding extension
* Up to 5 extension objects will be processed
* Each object can carry at most 10,000 bytes data (due to verifier limitations)
* Added check for end-of-packet
When the traceroute request is smaller than the minimum ethernet payload size it is padded. The skb->len field includes the size of this padding. When checking if we reached the end of the packet we do not want to consider the padding, hence we have to rely on the payload size as reported by the IP header.
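The commit above explains why the end-of-packet check must come from the IP header rather than from skb->len: a request shorter than the minimum Ethernet payload is padded, and the padding is part of the frame but not of the packet. The following is an added example, not the project's BPF code, in plain C: it locates the L4 header from the IP-reported length (walking at most 10 IPv6 extension headers, as the earlier commit in this PR describes), and contrasts the correct data length with the naive frame-length computation on a constructed, padded IPv4/UDP frame. Names, addresses and frame bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HDR_LEN  14
#define MAX_EXT_HDRS 10   /* bound on the IPv6 extension-header walk */

/* Find the L4 header in an Ethernet frame. frame_len is what skb->len reports and
 * may include Ethernet padding; *pkt_end is derived from the IP header's own length
 * field instead. Returns the L4 protocol number, or -1 if the packet is malformed,
 * truncated, or carries more than MAX_EXT_HDRS extension headers. */
int locate_l4(const uint8_t *frame, size_t frame_len, size_t *l4_off, size_t *pkt_end)
{
    if (frame_len < ETH_HDR_LEN) return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t avail = frame_len - ETH_HDR_LEN;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);

    if (ethertype == 0x0800) {                                 /* IPv4 */
        if (avail < 20 || (ip[0] >> 4) != 4) return -1;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
        size_t tot_len = (size_t)((ip[2] << 8) | ip[3]);
        if (ihl < 20 || tot_len < ihl || tot_len > avail) return -1;
        *l4_off = ETH_HDR_LEN + ihl;
        *pkt_end = ETH_HDR_LEN + tot_len;                      /* bytes past tot_len are padding */
        return ip[9];
    }
    if (ethertype == 0x86dd) {                                 /* IPv6 */
        if (avail < 40 || (ip[0] >> 4) != 6) return -1;
        size_t payload_len = (size_t)((ip[4] << 8) | ip[5]);
        if (40 + payload_len > avail) return -1;
        size_t end = ETH_HDR_LEN + 40 + payload_len, off = ETH_HDR_LEN + 40;
        uint8_t nh = ip[6];
        for (int i = 0; i < MAX_EXT_HDRS; i++) {
            size_t hlen;
            if (nh == 0 || nh == 43 || nh == 60) {             /* hop-by-hop, routing, dest opts */
                if (off + 2 > end) return -1;
                hlen = ((size_t)frame[off + 1] + 1) * 8;
            } else if (nh == 44) {                             /* fragment header, fixed 8 bytes */
                if (off + 2 > end) return -1;
                hlen = 8;
            } else {                                           /* reached the L4 header */
                *l4_off = off;
                *pkt_end = end;
                return nh;
            }
            if (off + hlen > end) return -1;                   /* bounded by the IP end, not the frame */
            nh = frame[off];
            off += hlen;
        }
    }
    return -1;
}

/* Data bytes after the UDP header, measured against the IP-reported end. */
long udp_data_len(const uint8_t *frame, size_t frame_len)
{
    size_t l4, end;
    if (locate_l4(frame, frame_len, &l4, &end) != 17 || l4 + 8 > end) return -1;
    return (long)(end - l4 - 8);
}

/* The mistake the commit fixes: measuring against frame_len counts padding as data. */
long udp_data_len_naive(const uint8_t *frame, size_t frame_len)
{
    size_t l4, end;
    if (locate_l4(frame, frame_len, &l4, &end) != 17 || l4 + 8 > frame_len) return -1;
    return (long)(frame_len - l4 - 8);
}

/* Constructed frame: IPv4/UDP carrying 4 data bytes (46-byte packet), padded to the
 * 60-byte minimum Ethernet frame. Returns the padded length. */
size_t build_padded_v4_frame(uint8_t *f, size_t cap)
{
    if (cap < 60) return 0;
    memset(f, 0, cap);
    f[12] = 0x08; f[13] = 0x00;                                /* EtherType IPv4 */
    uint8_t *ip = f + ETH_HDR_LEN;
    ip[0] = 0x45; ip[3] = 32; ip[8] = 64; ip[9] = 17;          /* IHL 5, tot_len 32, TTL, UDP */
    ip[12] = 10; ip[15] = 1; ip[16] = 10; ip[19] = 2;          /* 10.0.0.1 -> 10.0.0.2 */
    uint8_t *udp = ip + 20;
    udp[0] = 0x30; udp[1] = 0x39; udp[2] = 0x82; udp[3] = 0x9b; udp[5] = 12;  /* 12345 -> 33435 */
    memcpy(udp + 8, "\x01\x02\x03\x04", 4);
    return 60;
}

/* Constructed frame: IPv6 with one hop-by-hop extension header, then UDP with 4 data bytes. */
size_t build_v6_hbh_frame(uint8_t *f, size_t cap)
{
    if (cap < 74) return 0;
    memset(f, 0, cap);
    f[12] = 0x86; f[13] = 0xdd;
    uint8_t *ip = f + ETH_HDR_LEN;
    ip[0] = 0x60; ip[5] = 20; ip[6] = 0; ip[7] = 64;           /* payload 8 + 8 + 4, next hdr hop-by-hop */
    ip[8] = 0x20; ip[9] = 0x01; ip[10] = 0x0d; ip[11] = 0xb8; ip[23] = 1;    /* 2001:db8::1 */
    ip[24] = 0x20; ip[25] = 0x01; ip[26] = 0x0d; ip[27] = 0xb8; ip[39] = 2;  /* 2001:db8::2 */
    uint8_t *hbh = ip + 40;
    hbh[0] = 17; hbh[1] = 0; hbh[2] = 1; hbh[3] = 4;           /* next UDP, 8 bytes, PadN(4) */
    uint8_t *udp = hbh + 8;
    udp[0] = 0x30; udp[1] = 0x39; udp[2] = 0x82; udp[3] = 0x9b; udp[5] = 12;
    memcpy(udp + 8, "\x01\x02\x03\x04", 4);
    return 74;
}

long demo_v4_padded(int naive)
{
    uint8_t f[96];
    size_t len = build_padded_v4_frame(f, sizeof f);
    return naive ? udp_data_len_naive(f, len) : udp_data_len(f, len);
}

long demo_v6_hbh(void)
{
    uint8_t f[96];
    return udp_data_len(f, build_v6_hbh_frame(f, sizeof f));
}

/* The IP header claims 32 bytes but only 26 are present: must be rejected, not read past. */
long demo_v4_truncated(void)
{
    uint8_t f[96];
    build_padded_v4_frame(f, sizeof f);
    return udp_data_len(f, 40);
}
```

On the padded frame the IP-based computation yields the real 4 data bytes while the frame-based one reports 18, the extra 14 being Ethernet padding; the same IP-derived end also bounds the extension-header walk, so a header length field cannot pull the parser into the padding or beyond the frame.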
Removed section on outdated measurement study.
Add various additions to reverse-traceroute: