xeritt

DDoS protection Netfilter module kernel 4.15

Jun 22nd, 2019
  1. #include <linux/kernel.h>
  2. #include <linux/module.h>
  3. #include <linux/netfilter_ipv4.h>
  4. #include <linux/skbuff.h>
  5. #include <linux/ip.h>
  6. #include <linux/inet.h>
  7. //#include <sys/types.h>
  8. //#include <sys/socket.h>
  9. //#include<linux/netfilter.h>
  10. #include <linux/udp.h>
  11. #include <linux/icmp.h>
  12. #include <linux/tcp.h>
  13.  
  /* Module metadata recorded in the built .ko; the GPL license string also
     determines which GPL-only kernel symbols the module may link against.  */
  MODULE_AUTHOR ("Stormdog");
  MODULE_DESCRIPTION ("DDoS protection module");
  MODULE_LICENSE ("GPL");
  17.  
  /*
   * Compile-time tunables consulted by hook_func_in.  Ports are plain
   * host-order numbers and sizes are byte counts; changing any of them
   * requires rebuilding and reloading the module.
   */
  enum
  {
    /* Destination port checked by the SuspiciousSize rule.  */
    AttackedPort = 0,
    /* Size threshold used together with AttackedPort.  */
    SuspiciousSize = 100,
    /* Exact size matched by the second rule in hook_func_in.  */
    MaliciousSize = 1500,
    /* Ports named in the second rule's port test; presumably the
       services this host runs, going by the names -- confirm.  */
    MinePort = 25465,
    MinePortRes = 25565,
    MinePortRes2 = 25765,
    SshPort = 10022
  };
  25.  
  /* Netfilter hook descriptor.  init_main fills it in and registers it;
     cleanup_main unregisters the same object, so it has to live at file
     scope for the lifetime of the module.  */
  static struct nf_hook_ops nfin;
  27.  
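  /*
   * Log one dropped packet: destination port, size and source address.
   * Rate-limited, because this path runs once per dropped packet and an
   * unthrottled printk during a flood would itself exhaust the log and CPU.
   */
  static void
  report_drop (const struct iphdr *ip_header, unsigned int dport,
           unsigned int size)
  {
    printk_ratelimited (KERN_INFO
            "Probably attack, dgram dropped. Info: port %u, size: %u\n",
            dport, size);
    printk_ratelimited (KERN_INFO "src IP addr: %pI4\n", &ip_header->saddr);
  }

  /*
   * hook_func_in - IPv4 netfilter hook applying two port/size heuristics.
   *
   * @priv:  unused.
   * @skb:   packet being inspected.
   * @state: unused.
   *
   * Rules, evaluated on the destination port and the transport-layer length:
   *   1. dport == AttackedPort and size > SuspiciousSize           -> drop
   *   2. dport is none of MinePort, MinePortRes, MinePortRes2,
   *      SshPort and size == MaliciousSize                         -> drop
   * Everything else is accepted, including packets that are not TCP/UDP,
   * non-first fragments and packets whose transport header is truncated:
   * the hook fails open and leaves validation to the rest of the stack.
   * Note that fragments therefore bypass both heuristics.
   *
   * Return: NF_DROP or NF_ACCEPT.
   */
  static unsigned int
  hook_func_in (void *priv, struct sk_buff *skb,
            const struct nf_hook_state *state)
  {
    const struct iphdr *ip_header;
    unsigned int ip_hlen;
    unsigned int dport = 0, size = 0;
    int l4_offset;

    if (!skb)
      {
        printk (KERN_INFO "Not socket buffer\n");
        return NF_ACCEPT;
      }

    ip_header = ip_hdr (skb);
    if (!ip_header)
      {
        printk (KERN_INFO "Not IP packet\n");
        return NF_ACCEPT;
      }

    /* Only the first fragment carries a TCP/UDP header; in any later
       fragment the bytes after the IP header are payload and must not be
       read as ports.  0x1FFF is the fragment-offset mask (IP_OFFSET in
       <net/ip.h>, which this file does not include).  */
    if (ip_header->frag_off & htons (0x1FFF))
      return NF_ACCEPT;

    ip_hlen = ip_header->ihl * 4;
    l4_offset = skb_network_offset (skb) + ip_hlen;

    if (ip_header->protocol == IPPROTO_UDP)
      {
        struct udphdr udp_copy;
        const struct udphdr *udp_header;

        /* skb_header_pointer bounds-checks against the packet length and
           copies into udp_copy if the header is not in the linear area,
           so a short or non-linear packet cannot cause an out-of-bounds
           read.  The author noted skb_transport_header() gave unreliable
           ports here, hence the explicit offset.  */
        udp_header = skb_header_pointer (skb, l4_offset, sizeof (udp_copy),
                         &udp_copy);
        if (!udp_header)
          return NF_ACCEPT;

        /* Wire fields are big-endian; the thresholds are host-order.  */
        dport = ntohs (udp_header->dest);
        size = ntohs (udp_header->len);
      }
    else if (ip_header->protocol == IPPROTO_TCP)
      {
        /* Per the author, this branch may be disabled: the attacks seen
           arrived over UDP only.  */
        struct tcphdr tcp_copy;
        const struct tcphdr *tcp_header;
        unsigned int tot_len = ntohs (ip_header->tot_len);

        tcp_header = skb_header_pointer (skb, l4_offset, sizeof (tcp_copy),
                         &tcp_copy);
        if (!tcp_header)
          return NF_ACCEPT;

        dport = ntohs (tcp_header->dest);
        /* tcp_header->window is the advertised receive window, not a
           length; use the segment length (TCP header + data) taken from
           the IP header so it is comparable with the UDP length field.  */
        size = tot_len > ip_hlen ? tot_len - ip_hlen : 0;
      }
    else
      {
        /* No ports to inspect for other protocols.  */
        return NF_ACCEPT;
      }

    if ((dport == AttackedPort) && (size > SuspiciousSize))
      {
        report_drop (ip_header, dport, size);
        return NF_DROP;
      }

    /* The port tests are joined with &&: "not one of the listed ports".
       Joined with || the test is true for every port, so the listed
       service ports would receive no exemption at all.  */
    if ((dport != MinePort) && (dport != MinePortRes)
        && (dport != MinePortRes2) && (dport != SshPort)
        && (size == MaliciousSize))
      {
        report_drop (ip_header, dport, size);
        return NF_DROP;
      }

    return NF_ACCEPT;
  }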
  98.  
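  /*
   * init_main - module entry point; installs the IPv4 PRE_ROUTING hook.
   *
   * The hook is registered with NF_IP_PRI_FIRST, the lowest priority value,
   * so it sees packets ahead of other hooks at this point.  It is attached
   * to init_net only: traffic handled in other network namespaces is not
   * filtered by this module.
   *
   * Return: 0 on success, or the negative error code from
   * nf_register_net_hook.  Propagating it makes the module load fail
   * instead of leaving a "protection" module resident with no hook
   * installed, and avoids cleanup_main later unregistering a hook that was
   * never registered.
   */
  static int __init
  init_main (void)
  {
    nfin.hook = hook_func_in;
    nfin.hooknum = NF_INET_PRE_ROUTING;
    nfin.pf = PF_INET;
    nfin.priority = NF_IP_PRI_FIRST;

    return nf_register_net_hook (&init_net, &nfin);
  }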
  110.  
  111.  
  112.  
  /*
   * cleanup_main - module exit point.
   *
   * Detaches the nfin hook from init_net, the same namespace and descriptor
   * that init_main passed to nf_register_net_hook.
   */
  static void __exit
  cleanup_main (void)
  {
    nf_unregister_net_hook (&init_net, &nfin);
  }
  119.  
  /* Bind the load and unload entry points: init_main runs when the module
     is inserted, cleanup_main when it is removed.  */
  module_init (init_main);
  module_exit (cleanup_main);