[FAQ series] How to Prevent Network Attacks through traffic control

Source: Internet
Author: User

How to prevent network attacks through traffic control

Sailor_forever sailing_9806 # 163.com

(This original article is published on sailor_forever's personal blog and may not be used for commercial purposes without my permission. No individual, media outlet or website may copy it without permission. Online media reprinting it must indicate the source and add a link to the original text; otherwise it is an infringement. If you have any questions, please leave a message or send an email to sailing_9806 # 163.com)

http://blog.csdn.net/sailor_8318/archive/2010/06/28/5698353.aspx

【Abstract】 This article briefly introduces the principle of ARP attacks from the perspective of attacks within a LAN, and describes how to defend against network attacks on embedded Linux devices. It explains in detail how to throttle received traffic in the NIC driver to limit certain network attacks, and provides the relevant test data.

[Keywords] LAN attack, ARP firewall, Gbit, receive interrupt, BD, buffer

You may have had this experience: several people share a rented flat and a single broadband line, yet some of them constantly have network trouble. QQ drops offline now and then, and video stalls, while others stream video without a hitch. Some eat meat while others can only drink porridge. Why? There must be a reason, and it is very likely that someone on the LAN is using attack software to flood your computer, which changes how the network behaves.

This type of network attack usually uses ARP packets, because under normal circumstances a computer must respond to ARP requests, and such packets only work within a LAN. When a computer is forced to respond to ARP packets at a high rate, its network performance drops, and even the overall performance of the computer may drop sharply.

Similar attack software includes P2P management tools such as "Network Scissors" and "Cyber Law Enforcement". Defensive software such as arpfirewall exists as the countermeasure, in the spirit of "for every policy there is a counter-policy".

Recently I&V raised an abnormal-condition bug: they used a network traffic generator to launch network attacks against the devices we develop, to check whether the devices keep working under abnormal conditions. It is like sleeping in the middle of the night with your mobile phone beside you: someone keeps calling, and you have to answer every call before you can get back to sleep.

Generally, a network device can configure its NIC to accept only broadcast frames and frames whose destination MAC is its own; all other frames are filtered automatically in hardware. But within a LAN, once a device's IP address and MAC address are known, arbitrary attack packets can be sent to it.

In Linux, when the NIC receives a packet, its interrupt handler runs. Normally the actual processing of the data happens in a soft interrupt (softirq), and softirqs have higher priority than the other kernel tasks and user-space processes the system runs. So when the NIC receives packets at a high rate, system performance drops sharply.

The purpose of this I&V test case is to check whether our devices can defend against such attacks. Because the attack packets are arbitrary, and under normal circumstances this port is also the management port carrying its own legitimate data streams, it is impossible to filter based on packet content.

The essence of a network attack is to make the CPU process packets so frequently that the load leaves it no time to run the other normal services. The defence therefore also works by throttling the NIC, and there are two ways to do it:
1) Set the Gbit NIC to 10 M or 100 M so that the hardware itself limits the rate. No matter how large the attack traffic is, what reaches the CPU is capped at 100 M, which it can still handle.
However, this wastes the Gbit NIC: it is like firing a cannon at a mosquito.
2) Limit the number of packets processed per unit time.
Under normal circumstances the traffic on the management port stays within a fixed range; only when something abnormal happens does it rise sharply. If the number of packets the CPU processes per unit time is limited to that range, the CPU keeps enough free time to handle its other services, which defeats the attack.
The disadvantage of this method is that legitimate packets may also be discarded during an attack, which can be described as killing a thousand enemies at the cost of eight hundred of one's own. But for the sake of stability there is no other way.

The concrete implementation is to count the packets received per second in the receive interrupt handler. Once the count exceeds a set threshold, subsequent packets are discarded for the rest of that second; then the count is cleared and reception resumes. This achieves traffic control.

Call chain: gfar_interrupt -> gfar_receive -> __netif_rx_schedule -> gfar_poll -> gfar_clean_rx_ring

http://lxr.linux.no/#linux+v2.6.25/drivers/net/gianfar.c#L1637

/* The interrupt handler for devices with one interrupt */
static irqreturn_t gfar_interrupt(int irq, void *dev_id)
{
    struct net_device *dev = dev_id;
    struct gfar_private *priv = netdev_priv(dev);

    /* Save ievent for future reference */
    u32 events = gfar_read(&priv->regs->ievent);

    /* Check for reception */
    if (events & IEVENT_RX_MASK)
        gfar_receive(irq, dev_id);

    /* Check for transmit completion */
    if (events & IEVENT_TX_MASK)
        gfar_transmit(irq, dev_id);

    /* Check for errors */
    if (events & IEVENT_ERR_MASK)
        gfar_error(irq, dev_id);

    return IRQ_HANDLED;
}

irqreturn_t gfar_receive(int irq, void *dev_id)
{
    struct net_device *dev = (struct net_device *) dev_id;
    struct gfar_private *priv = netdev_priv(dev);
#ifdef CONFIG_GFAR_NAPI
    u32 tempval;
#else
    unsigned long flags;
#endif

    /* Clear IEVENT, so rx interrupt isn't called again
     * because of this interrupt */
    gfar_write(&priv->regs->ievent, IEVENT_RX_MASK);

    /* support NAPI */
#ifdef CONFIG_GFAR_NAPI
    if (netif_rx_schedule_prep(dev, &priv->napi)) {
        /* Mask RX interrupts and let the softirq poll the ring */
        tempval = gfar_read(&priv->regs->imask);
        tempval &= IMASK_RX_DISABLED;
        gfar_write(&priv->regs->imask, tempval);

        __netif_rx_schedule(dev, &priv->napi);
    } else {
        if (netif_msg_rx_err(priv))
            printk(KERN_DEBUG "%s: receive called twice (%x)[%x]\n",
                   dev->name, gfar_read(&priv->regs->ievent),
                   gfar_read(&priv->regs->imask));
    }
#else
    /* Non-NAPI: drain the ring right here, in hard-IRQ context */
    spin_lock_irqsave(&priv->rxlock, flags);
    gfar_clean_rx_ring(dev, priv->rx_ring_size);

    /* If we are coalescing interrupts, update the timer */
    /* Otherwise, clear it */
    if (priv->rxcoalescing)
        gfar_write(&priv->regs->rxic,
                   mk_ic_value(priv->rxcount, priv->rxtime));
    else
        gfar_write(&priv->regs->rxic, 0);

    spin_unlock_irqrestore(&priv->rxlock, flags);
#endif

    return IRQ_HANDLED;
}

#ifdef CONFIG_GFAR_NAPI
static int gfar_poll(struct napi_struct *napi, int budget)
{
    struct gfar_private *priv = container_of(napi, struct gfar_private, napi);
    struct net_device *dev = priv->dev;
    int howmany;

    howmany = gfar_clean_rx_ring(dev, budget);

    if (howmany < budget) {
        /* Ring drained within budget: leave polling, re-enable RX interrupts */
        netif_rx_complete(dev, napi);

        /* Clear the halt bit in RSTAT */
        gfar_write(&priv->regs->rstat, RSTAT_CLEAR_RHALT);

        gfar_write(&priv->regs->imask, IMASK_DEFAULT);

        /* If we are coalescing interrupts, update the timer */
        /* Otherwise, clear it */
        if (priv->rxcoalescing)
            gfar_write(&priv->regs->rxic,
                       mk_ic_value(priv->rxcount, priv->rxtime));
        else
            gfar_write(&priv->regs->rxic, 0);
    }

    return howmany;
}
#endif

/* gfar_clean_rx_ring() -- Processes each frame in the rx ring
 *   until the budget/quota has been reached. Returns the number
 *   of frames handled
 */
int gfar_clean_rx_ring(struct net_device *dev, int rx_work_limit)
{
    struct rxbd8 *bdp;
    struct sk_buff *skb;
    u16 pkt_len;
    int howmany = 0;
    struct gfar_private *priv = netdev_priv(dev);

#ifdef PAI_FLOW_CTRL
    /* Per-second receive budget. PAI_FLOW_CTRL_RX_LIMIT is a build-time
     * constant chosen for the board; its value is not given in this article.
     * Note that these statics are shared by every gianfar interface on the
     * board, so the budget is global rather than per port. */
    static unsigned long rx_pkt_per_sec = 0;
    static unsigned long rx_pkt_limit_per_sec = PAI_FLOW_CTRL_RX_LIMIT;
    static unsigned long rx_pkt_time_start = 0;
#endif

    /* Get the first full descriptor */
    bdp = priv->cur_rx;

    while (!((bdp->status & RXBD_EMPTY) || (--rx_work_limit < 0))) {
        struct sk_buff *newskb;
        rmb();

        /* Add another skb for the future */
        newskb = gfar_new_skb(dev);

        skb = priv->rx_skbuff[priv->skb_currx];

        /* We drop the frame if we failed to allocate a new buffer */
        if (unlikely(!newskb || !(bdp->status & RXBD_LAST) ||
                     bdp->status & RXBD_ERR)) {
            count_errors(bdp->status, dev);

            if (unlikely(!newskb))
                newskb = skb;

            if (skb) {
                dma_unmap_single(&priv->dev->dev,
                                 bdp->bufPtr,
                                 priv->rx_buffer_size,
                                 DMA_FROM_DEVICE);

                dev_kfree_skb_any(skb);
            }
        } else {
#ifdef PAI_FLOW_CTRL
            /* Open a new one-second window once more than HZ jiffies
             * have passed since the current one started */
            if ((unsigned long)(jiffies - rx_pkt_time_start) > 1 * HZ) {
                rx_pkt_per_sec = 0;          /* clear the per-second count */
                rx_pkt_time_start = jiffies; /* update the window start */
            }

            rx_pkt_per_sec++;
            /* Within the flow-control budget: receive, else discard */
            if (rx_pkt_per_sec < rx_pkt_limit_per_sec) {
#endif
                /* Increment the number of packets actually delivered */
                dev->stats.rx_packets++;
                howmany++;

                /* Remove the FCS from the packet length */
                pkt_len = bdp->length - 4;

                gfar_process_frame(dev, skb, pkt_len);

                dev->stats.rx_bytes += pkt_len;
#ifdef PAI_FLOW_CTRL
            } else {
                /* Over budget: count the drop and free the skb ourselves,
                 * since it never reaches the TCP/IP stack (which would
                 * otherwise free it); dev_kfree_skb_any() is safe from both
                 * the NAPI (softirq) and the non-NAPI (hard-IRQ) callers */
                dev->stats.rx_dropped++;
                dev_kfree_skb_any(skb);
            }
#endif
        }

        dev->last_rx = jiffies;

        priv->rx_skbuff[priv->skb_currx] = newskb;

        /* Setup the new bdp: delivered or dropped, the descriptor
         * must be handed back to the hardware with a fresh buffer */
        gfar_new_rxbdp(dev, bdp, newskb);

        /* Update to the next pointer */
        if (bdp->status & RXBD_WRAP)
            bdp = priv->rx_bd_base;
        else
            bdp++;

        /* update to point at the next skb */
        priv->skb_currx =
            (priv->skb_currx + 1) &
            RX_RING_MOD_MASK(priv->rx_ring_size);
    }

    /* Update the current rxbd pointer to be the next one */
    priv->cur_rx = bdp;

    return howmany;
}

The key point is that when a packet is discarded, its BD must still be returned to the hardware and given a new buffer; otherwise no further data can be received. In addition, the skb must be freed when the packet is discarded; otherwise, since the TCP/IP stack never sees it and so never frees it, memory is gradually used up.
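The following user-space model is added here and is not part of the original article or of the gianfar driver. It runs the same per-second window decision as the PAI_FLOW_CTRL branch above over a constructed traffic mix (two seconds of management traffic alone, then two seconds in which a flood arrives alongside it) and reports what the limiter lets through. It assumes HZ = 100 and a limit of 1000 packets per window, since the article does not give the value of PAI_FLOW_CTRL_RX_LIMIT; the names flow_ctrl, rx_stats, run_scenario and the traffic rates are all constructed for this example.

```c
#include <stdio.h>
#define HZ 100UL                 /* assumed jiffies rate: 100 ticks per second */
#define RX_LIMIT_PER_SEC 1000UL  /* constructed stand-in for PAI_FLOW_CTRL_RX_LIMIT */

struct flow_ctrl {               /* the three statics of the driver patch */
    unsigned long pkt_per_sec, limit, time_start;
};

/* Same decision as the PAI_FLOW_CTRL branch: open a new window once more than
 * HZ jiffies have passed, count the packet, accept only while the count is
 * below the limit. Note the strict '<': a limit of N admits N-1 packets. */
static int flow_ctrl_accept(struct flow_ctrl *fc, unsigned long now)
{
    if ((unsigned long)(now - fc->time_start) > 1 * HZ) {
        fc->pkt_per_sec = 0;     /* clear the per-second count */
        fc->time_start = now;    /* update the window start */
    }
    fc->pkt_per_sec++;
    return fc->pkt_per_sec < fc->limit;
}
struct rx_stats {
    unsigned long mgmt_accepted, mgmt_dropped;   /* legitimate management traffic */
    unsigned long flood_accepted, flood_dropped; /* attack traffic */
};

static void tally(struct rx_stats *s, int is_mgmt, int accepted)
{
    unsigned long *c = is_mgmt ? (accepted ? &s->mgmt_accepted : &s->mgmt_dropped)
                               : (accepted ? &s->flood_accepted : &s->flood_dropped);
    (*c)++;
}
/* Constructed scenario: 2 s of management traffic at 200 pkt/s, then 2 s in
 * which a 5000 pkt/s flood arrives alongside it; per jiffy the 2 management
 * packets precede the 50 flood packets. Returns the attack-phase stats and
 * writes the quiet-phase stats to *quiet. */
struct rx_stats run_scenario(struct rx_stats *quiet)
{
    struct flow_ctrl fc = { 0, RX_LIMIT_PER_SEC, 0 };
    struct rx_stats attack = { 0, 0, 0, 0 };
    unsigned long start = 1000;  /* arbitrary initial jiffies value */
    *quiet = attack;
    for (unsigned long t = start; t < start + 4 * HZ; t++) {
        int under_attack = t >= start + 2 * HZ;
        struct rx_stats *s = under_attack ? &attack : quiet;
        for (int i = 0; i < 2; i++)                  /* 200 mgmt pkt/s */
            tally(s, 1, flow_ctrl_accept(&fc, t));
        for (int i = 0; under_attack && i < 50; i++) /* 5000 flood pkt/s */
            tally(s, 0, flow_ctrl_accept(&fc, t));
    }
    return attack;
}

int main(void)
{
    struct rx_stats q, a = run_scenario(&q);
    printf("quiet : mgmt %lu accepted, %lu dropped\n", q.mgmt_accepted, q.mgmt_dropped);
    printf("attack: mgmt %lu accepted, %lu dropped; flood %lu accepted, %lu dropped\n",
           a.mgmt_accepted, a.mgmt_dropped, a.flood_accepted, a.flood_dropped);
    return 0;
}
```

The quiet phase loses nothing, while during the flood the limiter admits only the first 999 packets of each window and drops most of the management traffic along with the attack traffic, which is the "eight hundred of one's own" cost described above.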

Test Data

1. While the stream is running, packets arrive continuously and the CPU load rises sharply; the network softirq raised for them cannot be processed in time and is handed over to the kernel thread (ksoftirqd) for processing.

Mem: 548524K used, 485956K free, 0K shrd, 0K buff, 308564K cached
CPU:  3.8% usr  3.6% sys  0.0% nice  0.0% idle  0.0% io  8.0% irq 84.5% softirq
Load average: 4.05 2.96 1.41
 PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
   3     2 root     RW<      0  0.0 85.7 [ksoftirqd/0]
1004   974 root     S     493m 48.7  5.1 swch
 936     2 root     SW       0  0.0  3.0 [dispatch_timer]
 946   944 root     S     5176  0.5  1.7 nets
 988   963 root     S    37668  3.6  0.7 mpmo
Timer: delayed Timer issued. evid=FFFF, Rec=10bf, dups=7
1490   852 root     R     3060  0.3  0.7 top
 973   960 root     S    62568  6.0  0.5 faum
1048   985 root     S     8136  0.7  0.3 Rifa
1105   965 root     S     6528  0.6  0.3 Tsung
1333  1308 root     S     6224  0.6  0.3 /usr/local/ESW/l2-protocol/rci_process
   4     2 root     SW<      0  0.0  0.3 [events/0]
 918     1 root     S     123m 12.1  0.1 Supr-DH
 976   957 root     S    44168  4.2  0.1 dxc
 965   918 root     S     7096  0.6  0.1 mana
 982   965 root     S     163m 16.1  0.0 xsup
Timer: delayed Timer issued. evid=a9cf, Rec=10c0, dups=4
 970   956 root     S     123m 12.2  0.0 CACO
 966   956 root     S    99516  9.6  0.0 capo
 943   918 root     S    61912  5.9  0.0 cdbm
1012   979 root     S    58652  5.6  0.0 CSSS

2. The device cannot be pinged while the stream is running.

From 150.236.56.76 icmp_seq=2460 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2461 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2462 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2463 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2465 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2466 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2467 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2469 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2470 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2471 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2472 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2473 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2474 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2476 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2477 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2478 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2480 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2481 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2482 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2483 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2484 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2485 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2486 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2487 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2488 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2489 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2490 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2491 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2492 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2493 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2494 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2495 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2496 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2497 Destination Host Unreachable
From 150.236.56.76 icmp_seq=2498 Destination Host Unreachable

3. The device can be pinged again immediately after the stream is stopped.
64 bytes from 150.236.56.124: icmp_seq=2499 ttl=60 time=2000 ms
64 bytes from 150.236.56.124: icmp_seq=2500 ttl=60 time=1000 ms
64 bytes from 150.236.56.124: icmp_seq=2501 ttl=60 time=0.465 ms
64 bytes from 150.236.56.124: icmp_seq=2502 ttl=60 time=0.325 ms
64 bytes from 150.236.56.124: icmp_seq=2503 ttl=60 time=0.328 ms
64 bytes from 150.236.56.124: icmp_seq=2504 ttl=60 time=0.255 ms
64 bytes from 150.236.56.124: icmp_seq=2505 ttl=60 time=0.322 ms
64 bytes from 150.236.56.124: icmp_seq=2506 ttl=60 time=0.327 ms
64 bytes from 150.236.56.124: icmp_seq=2507 ttl=60 time=0.321 ms
64 bytes from 150.236.56.124: icmp_seq=2508 ttl=60 time=0.314 ms
64 bytes from 150.236.56.124: icmp_seq=2509 ttl=60 time=0.319 ms
64 bytes from 150.236.56.124: icmp_seq=2510 ttl=60 time=0.324 ms
64 bytes from 150.236.56.124: icmp_seq=2511 ttl=60 time=0.322 ms
64 bytes from 150.236.56.124: icmp_seq=2512 ttl=60 time=0.320 ms
64 bytes from 150.236.56.124: icmp_seq=2513 ttl=60 time=0.324 ms
64 bytes from 150.236.56.124: icmp_seq=2514 ttl=60 time=0.252 ms
64 bytes from 150.236.56.124: icmp_seq=2515 ttl=60 time=0.327 ms
64 bytes from 150.236.56.124: icmp_seq=2516 ttl=60 time=0.251 ms
64 bytes from 150.236.56.124: icmp_seq=2517 ttl=60 time=0.325 ms
64 bytes from 150.236.56.124: icmp_seq=2518 ttl=60 time=0.323 ms
64 bytes from 150.236.56.124: icmp_seq=2519 ttl=60 time=0.335 ms
64 bytes from 150.236.56.124: icmp_seq=2520 ttl=60 time=0.251 ms
64 bytes from 150.236.56.124: icmp_seq=2521 ttl=60 time=0.319 ms
64 bytes from 150.236.56.124: icmp_seq=2522 ttl=60 time=0.319 ms
64 bytes from 150.236.56.124: icmp_seq=2523 ttl=60 time=0.252 ms
64 bytes from 150.236.56.124: icmp_seq=2524 ttl=60 time=0.325 ms
64 bytes from 150.236.56.124: icmp_seq=2525 ttl=60 time=0.319 ms
64 bytes from 150.236.56.124: icmp_seq=2526 ttl=60 time=0.327 ms

--- 150.236.56.124 ping statistics ---
2526 packets transmitted, 166 received, +2022 errors, 93% packet loss, time 2528922ms
rtt min/avg/max/mdev = 0.210/42.823/2352.017/270.895 ms, pipe 4

4. After the test completes, the device's CPU load returns to its normal value.

Mem: 548896K used, 485584K free, 0K shrd, 0K buff, 308560K cached
CPU:  0.0% usr  9.0% sys  0.0% nice 90.9% idle  0.0% io  0.0% irq  0.0% softirq
Load average: 0.27 1.91 1.45
 PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
1601   852 root     R     2948  0.2  6.0 top
1004   974 root     S     493m 48.7  3.0 swch
 982   965 root     S     163m 16.1  0.0 xsup
 970   956 root     S     123m 12.2  0.0 CACO
 918     1 root     S     123m 12.1  0.0 Supr-DH
 966   956 root     S    99516  9.6  0.0 capo
 973   960 root     S    62568  6.0  0.0 faum
 943   918 root     S    61912  5.9  0.0 cdbm
1012   979 root     S    58652  5.6  0.0 CSSS
 975   957 root     S    48932  4.7  0.0 alrm
 955   918 root     S    48000  4.6  0.0 chkp
 987   963 root     S    46740  4.5  0.0 dcnm
 945   944 root     S    46484  4.4  0.0 ipif
 968   956 root     S    46292  4.4  0.0 shac
 976   957 root     S    44168  4.2  0.0 dxc
 977   957 root     S    43668  4.2  0.0 Conf
 991   918 root     S    42488  4.1  0.0 ces_SC
1000   964 root     S    41580  4.0  0.0 Misc
 971   956 root     S    39244  3.7  0.0 impo
 952   918 root     S    39048  3.7  0.0 swdl
sailing:root:# ping 150.236.70.1
PING 150.236.70.1 (150.236.70.1): 56 data bytes
64 bytes from 150.236.70.1: seq=0 ttl=252 time=4.101 ms
64 bytes from 150.236.70.1: seq=1 ttl=252 time=1.542 ms
64 bytes from 150.236.70.1: seq=2 ttl=252 time=1.532 ms
^C
--- 150.236.70.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.532/2.391/4.101 ms
sailing:root:#

 

Appendix:

Hazards and prevention methods of LAN ARP attacks

http://www.duote.com/tech/1/2703_1.html

What is a LAN ARP attack?

http://hi.baidu.com/seowzyh/blog/item/99242c2d821005331f3089e6.html
