
I'm trying to code a TCP server in the C language. I just noticed that the accept() function returns when the connection is already established.

Some clients are flooding with random data; some clients are just sending random data one time. After that, I want to close their current connection and future connections for a few minutes (or more, depending on how much load the program has).

I can save bad clients' IP addresses in an array, and can save timings too, but I can't find any function to abort the current connection or deny future connections from bad clients.

I found a function for the Windows OS called WSAAccept that allows you to deny connections by user choice, but I don't use the Windows OS.

I tried coding a raw TCP server, which allows you to access the TCP packet from the beginning, including all TCP headers, and it doesn't accept connections automatically. I tried handling connections on the program side, including SYN ACK and other TCP signals. It worked, but then I noticed the raw TCP server receiving all packets on my network interface; when other programs use high traffic, it makes my program laggy too.

I tried using libnetfilter, which allows you to filter the whole traffic on your network interface. It works too, but like the raw TCP server it also receives the whole network interface's packets, which makes it slow when there is a lot of traffic. I also tried comparing libnetfilter with iptables. libnetfilter is slower than iptables.

So in summary, how can I abort a client's current and future connections without hurting other clients' connections?

I have Linux with Debian 10.

    I believe the solution you are looking for is the kernel's packet filter. Also see the [Packet Filtering HowTo](https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-3.html) and [How can I programmatically manage iptables rules on the fly?](https://stackoverflow.com/q/109553/608639) (and friends). – jww Sep 10 '19 at 14:37
  • Packet filtering is very slow since it handles the whole interface, not only my server's TCP port. Also, `iptables` commands with `system()` calls are very dirty and take much effort to code. @jww – dawdawdddwq Sep 10 '19 at 14:44
  • Look up libiptc. – Shawn Sep 10 '19 at 14:55
  • Possible duplicate of [Refusing connection from a host](https://stackoverflow.com/questions/1116225/refusing-connection-from-a-host) – matteo martelli Sep 10 '19 at 15:12
  • I'll check libiptc soon. @matteomartelli the question is kind of the same, but that thread doesn't have the answer I'm looking for. – dawdawdddwq Sep 10 '19 at 15:26
  • Have a look at `fail2ban`. It can easily be configured to dynamically blacklist IP addresses with an external feed. – David Schwartz Sep 10 '19 at 18:57

1 Answer


Once you do blacklisting on the packet level, you could very quickly become vulnerable to very trivial attacks based on IP spoofing. For a very basic implementation, an attacker could use your packet-level blacklisting to blacklist anyone he wants by just sending you many packets with a fake source IP address. Usually you don't want to touch this filtering (unless you really know what you are doing), and you just trust your firewall etc.

So I really recommend just closing the file descriptor immediately after getting it from accept.

ezegoing
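One way to implement what the answer recommends, as an added example that is not the answerer's code: the in-process ban table, `BAN_SECONDS`, and the function names are assumptions, and `SO_LINGER` with a zero timeout is used so that the close sends a reset rather than a normal FIN.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define MAX_BANNED 256
#define BAN_SECONDS 300   /* constructed value: how long a peer stays banned */

/* Hypothetical in-process ban table: IPv4 address (network byte order) -> expiry.
   An addr of 0 marks an unused slot. */
struct ban_entry { uint32_t addr; time_t expires; };
static struct ban_entry banned[MAX_BANNED];

/* Return 1 if addr has an unexpired ban at time now, else 0. */
int is_banned(uint32_t addr, time_t now) {
    for (int i = 0; i < MAX_BANNED; i++)
        if (banned[i].addr == addr && banned[i].expires > now) return 1;
    return 0;
}

/* Ban addr for BAN_SECONDS from now; returns 0, or -1 if every slot holds an active ban. */
int ban_addr(uint32_t addr, time_t now) {
    int slot = -1;
    for (int i = 0; i < MAX_BANNED; i++) {
        if (banned[i].addr == addr) { slot = i; break; }   /* refresh an existing ban */
        if (slot < 0 && (banned[i].addr == 0 || banned[i].expires <= now)) slot = i;
    }
    if (slot < 0) return -1;
    banned[slot].addr = addr;
    banned[slot].expires = now + BAN_SECONDS;
    return 0;
}

/* Abort a connection: SO_LINGER with l_linger = 0 makes close() send RST instead of FIN,
   so no data is flushed and no TIME_WAIT state is kept for the unwanted peer. */
void abort_conn(int fd) {
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };
    setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
    close(fd);
}

/* accept() wrapper: the handshake is already complete, so a banned peer is simply
   dropped by closing the new descriptor; returns the fd, or -1 when there is none to serve. */
int accept_filtered(int listen_fd) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd < 0) return -1;
    if (is_banned(peer.sin_addr.s_addr, time(NULL))) { abort_conn(fd); return -1; }
    return fd;
}
```

The check costs one table scan per accept and touches only this server's listening socket, so other services on the interface are unaffected; a process that flooded you would be recorded with `ban_addr(peer.sin_addr.s_addr, time(NULL))` from the handler that detects the misbehaviour.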