Tags: linux, sockets, network-programming, firewall, denial-of-service

Should source IP address filtering be implemented in the Application layer itself or delegated by Application to the Firewall


Let's say my application has a listening UDP socket and it knows from which IP addresses it could receive UDP datagrams. Anything coming from other IP addresses would be considered a malicious datagram and should be discarded as early as possible to prevent DoS attacks. The hard part is that the set of these legit IP addresses can dynamically change over the application's lifetime (i.e. by dynamically receiving them over a control channel).

How would you implement filtering based on the source IP address in the case above?

I see two solutions where to put this source IP filtering logic:

  1. Implement it in the application itself after recvfrom() call.
  2. Install default drop policy in the Firewall and then let the application install Firewall rules that would dynamically whitelist legit IP addresses.

There are pros and cons for each solution. Some that come to my mind:

  1. iptables could end up with O(n) filtering complexity (con for iptables)
  2. iptables drops packets before they even get to the socket buffer (pro for iptables)
  3. iptables might not be very portable (con for iptables)
  4. iptables from my application could interfere with other applications that potentially would also install iptables rules (con for iptables)
  5. if my application installs iptables rules then it can potentially become attack vector itself (con for iptables)

Where would you implement source IP filtering and why?

Can you name any applications that follow convention #2 (an administrator manually installing static firewall rules does not count)?


Solution

My recommendation (with absolutely no authority behind it) is to use iptables to do rate-limiting to dampen any DoS attacks and do the actual filtering inside your application. This will give you the least-bad of both worlds, allowing you to use the performance of iptables to limit DoS throughput as well as the ability to change which addresses are allowed without introducing a potential security hole.

If you do decide to go about it with iptables alone, I would create a new chain to do the application-specific filtering so that the potential for interference is lowered.

Hope this helps.
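The following is an added example, not code from the question or the answer above, showing what option 1 from the question (filtering after `recvfrom()`) looks like when combined with the answer's recommendation of keeping the allow-list inside the application. The allow-list is a sorted array of IPv4 addresses, so the per-datagram membership check is O(log n) rather than the O(n) rule walk the question worries about for iptables, and `allow_add()` / `allow_remove()` are the hooks a control channel would call to change the set at runtime. Everything here is assumed: the `allowlist_t` type, the `ALLOW_CAP` bound, the port number, the TEST-NET sample addresses, and a single-threaded design in which control-channel updates happen between `recvfrom()` calls (a multithreaded server would need a lock or an RCU-style swap around the list). The datagram is still copied into the socket buffer and a system call is still paid before the drop, which is exactly why the answer pairs this with iptables rate-limiting in front of it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical fixed bound on the number of allowed peers for this example. */
#define ALLOW_CAP 1024

/* Allow-list kept sorted in host byte order so lookups are binary searches. */
typedef struct {
    uint32_t addr[ALLOW_CAP];
    size_t n;
} allowlist_t;

/* Index of the first entry >= key (or n if none). */
static size_t lower_bound(const allowlist_t *al, uint32_t key) {
    size_t lo = 0, hi = al->n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (al->addr[mid] < key) lo = mid + 1; else hi = mid;
    }
    return lo;
}

/* Add a dotted-quad address; returns false if it is unparsable or the list is full.
 * This is what a control-channel "allow this peer" message would call. */
bool allow_add(allowlist_t *al, const char *dotted) {
    struct in_addr ia;
    if (inet_pton(AF_INET, dotted, &ia) != 1) return false;
    uint32_t key = ntohl(ia.s_addr);
    size_t pos = lower_bound(al, key);
    if (pos < al->n && al->addr[pos] == key) return true;   /* already present */
    if (al->n == ALLOW_CAP) return false;
    memmove(&al->addr[pos + 1], &al->addr[pos], (al->n - pos) * sizeof key);
    al->addr[pos] = key;
    al->n++;
    return true;
}

/* Remove a dotted-quad address; returns false if it was not listed. */
bool allow_remove(allowlist_t *al, const char *dotted) {
    struct in_addr ia;
    if (inet_pton(AF_INET, dotted, &ia) != 1) return false;
    uint32_t key = ntohl(ia.s_addr);
    size_t pos = lower_bound(al, key);
    if (pos == al->n || al->addr[pos] != key) return false;
    memmove(&al->addr[pos], &al->addr[pos + 1], (al->n - pos - 1) * sizeof key);
    al->n--;
    return true;
}

/* Per-datagram decision: accept only if the source address is on the list.
 * Runs before any parsing of the payload so unknown senders cost one lookup. */
bool accept_datagram(const allowlist_t *al, const struct sockaddr_in *src) {
    uint32_t key = ntohl(src->sin_addr.s_addr);
    size_t pos = lower_bound(al, key);
    return pos < al->n && al->addr[pos] == key;
}

/* Receive loop: check the source first, silently drop anything else. */
static void serve(int fd, const allowlist_t *al) {
    unsigned char buf[1500];
    char peer[INET_ADDRSTRLEN];
    for (;;) {
        struct sockaddr_in src;
        socklen_t slen = sizeof src;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&src, &slen);
        if (n < 0) { perror("recvfrom"); break; }
        if (!accept_datagram(al, &src)) continue;   /* no reply, no logging per packet */
        inet_ntop(AF_INET, &src.sin_addr, peer, sizeof peer);
        printf("accepted %zd bytes from %s\n", n, peer);
        /* ... process buf[0..n) from a trusted peer ... */
    }
}

int main(void) {
    allowlist_t al = { .n = 0 };
    /* Constructed sample peers from the TEST-NET ranges; a real server would
     * learn these over its control channel and call allow_add/allow_remove. */
    allow_add(&al, "192.0.2.10");
    allow_add(&al, "198.51.100.7");

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_in bind_addr = { .sin_family = AF_INET,
                                     .sin_port = htons(5000),   /* assumed port */
                                     .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind");
        return 1;
    }
    serve(fd, &al);
    close(fd);
    return 0;
}
```

Build with `cc -o udpfilter udpfilter.c` and send test datagrams from an allowed and a non-allowed address; only the former is printed. The list operations are the only part that must change when the peer set changes, so no firewall rules are touched by the application, which removes the interference and privilege concerns listed as cons 4 and 5 in the question.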