Discussion:
Limit the number of Router Advertisements processed on an interface
Dheeraj Kandula
3 years ago
Hi All,
Is it possible to limit the number of Router Advertisements that will
be processed on an interface or on a Linux device as a whole (either
granularity is fine)?
*For example*, if an interface receives more than 200 RAs within a time
interval, only the first 200 will be processed.

There are sysctls to *disable* RA processing completely, i.e.
net.ipv6.conf.default.accept_ra=0.

Disable processing of default routes: net.ipv6.conf.default.accept_ra_defrtr=0

Disable processing of prefixes: net.ipv6.conf.default.accept_ra_pinfo=0.

But I want to enable the above 3 functionalities but limit the number of
them being processed.

*Why?*
This is to prevent DoS attacks in which RAs are bombarded onto a Linux
machine.

Dheeraj
Marc Haber
3 years ago
Post by Dheeraj Kandula
This is to prevent DoS attacks in which RAs are bombarded onto a Linux
machine.
You have malicious users on your LAN and cannot do anything against
them?

(RAs are link local communication and should not pass over routers,
thus, RAs must originate in the local network).

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Dheeraj Kandula
3 years ago
Thanks Marc. This is a requirement.

Thus I will conclude that the kernel doesn't limit the number of RAs. I
have to figure out a way to do this from user space.

Dheeraj
Dheeraj Kandula
3 years ago
Does a Linux machine know that a Router Advertisement didn't come from a
default router?

I tried to send 2 RA packets using Scapy with the destination as ff02::1.
One packet I sent using the source address of the default router, while the
other using a lower LLA.

The default routes were not generated. How did Linux figure it out? Is
there a way to know the errors that were hit? I don't know where the
"ND_PRINTK" outputs go for the function "ndisc_router_discovery". How do I
enable tracing for ND prints? I looked into "dmesg" but there were no logs
there.


Dheeraj
Michael Richardson
3 years ago
Post by Dheeraj Kandula
*Why?*
This is to prevent DoS attacks in which RAs are bombarded onto a Linux
machine.
Well, you might be able to rate limit them with ip6tables/nftables, but I see
no point in only listening to the first X of them. You might as well just
disable them and configure a static IPv6.

You should also check out the "RA Guard" functionality on your L2 switch
(RFC 6105).
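An nftables ruleset in the spirit of the ip6tables/nftables suggestion above, added here as an example and not taken from the thread: it drops RAs that fail the RFC 4861 sanity checks (non-link-local source, hop limit other than 255) and then admits at most a fixed rate of RAs per ingress interface, dropping and counting the rest. The table name, meter name and the 10/second limit are constructed values, not recommendations from the thread.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Drop malformed RAs early and
# rate-limit the rest per ingress interface; excess RAs are dropped.
# Table name, meter name and the 10/second limit are constructed values.
table ip6 ra_guard {
    chain input {
        # Run ahead of the default filter priority (0) so later chains
        # never see the RAs we drop here.
        type filter hook input priority -10; policy accept;

        # RFC 4861: a valid RA has a link-local source and a hop limit of 255.
        # The kernel's ND code rejects these as well; dropping here keeps a
        # visible counter for monitoring.
        icmpv6 type nd-router-advert ip6 saddr != fe80::/10 counter drop
        icmpv6 type nd-router-advert ip6 hoplimit != 255 counter drop

        # Per-interface token bucket: up to 10 RAs/second (burst 20) pass.
        icmpv6 type nd-router-advert meter ra_per_iface { iifname limit rate 10/second burst 20 packets } counter accept

        # Anything above the limit is dropped; a rising count here is the
        # signal that an interface is being flooded with RAs.
        icmpv6 type nd-router-advert counter drop
    }
}
```

Load it with `nft -f <file>` and inspect the per-rule counters with `nft list table ip6 ra_guard`; the kernel-side sysctls (accept_ra, accept_ra_defrtr, accept_ra_pinfo) can stay enabled because only RAs that survive the filter reach the ND code.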