
firewall: add IP blacklisting for ping flood attacks#1731

Merged
brianmcgillion merged 1 commit into tiiuae:main from enesoztrk:fix/ping-flood-blacklisting
Feb 11, 2026

Conversation

@enesoztrk
Contributor

@enesoztrk enesoztrk commented Feb 6, 2026

Description of Changes

  • Fix ping flood protection to actually blacklist attacker IPs instead of just rate-limiting
  • Skip duplicate log entries for already blacklisted IPs

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

https://jira.tii.ae/browse/SSRCSP-7605

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. ...

@enesoztrk enesoztrk marked this pull request as ready for review February 6, 2026 06:59
@enesoztrk enesoztrk added the "Needs Testing" label (CI Team to pre-verify) Feb 6, 2026
@leivos-unikie
Contributor

leivos-unikie commented Feb 6, 2026

Tested on Lenovo-X1, ghaf booted from USB SSD

  • Ping flooding triggers blacklisting of the attacker IP
  • Monitored logging: [ghaf@net-vm:~]$ journalctl -f
  • Checked that "Blacklist [add]..." is not logged if the attacking IP is already blacklisted.
  • "Packet [ban]..." logs appear at each attack both for new and previously blacklisted IPs.

Switched to release variant by running
sudo nixos-rebuild --flake .#lenovo-x1-carbon-gen11-release switch
on ghaf-host in branch enesoztrk:fix/ping-flood-blacklisting

Rebooted Lenovo-X1

Tested ping flooding: got a reply to all pings; IP blacklisting is still not working in the ghaf-release variant
(https://jira.tii.ae/browse/SSRCSP-7605)

[nix-shell:/home/leivos]# sudo hping3 -S -p 22 -i u10000 -c 20 192.168.1.36
HPING 192.168.1.36 (wlp0s20f3 192.168.1.36): S set, 40 headers + 0 data bytes
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=1 win=0 rtt=48.6 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=58.8 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=2 win=0 rtt=38.5 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=5 win=0 rtt=7.8 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=3 win=0 rtt=28.3 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=4 win=0 rtt=18.1 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=6 win=0 rtt=3.8 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=7 win=0 rtt=2.4 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=8 win=0 rtt=3.3 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=9 win=0 rtt=3.0 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=10 win=0 rtt=9.1 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=11 win=0 rtt=4.9 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=12 win=0 rtt=10.6 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=13 win=0 rtt=4.4 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=14 win=0 rtt=11.3 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=15 win=0 rtt=3.2 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=16 win=0 rtt=3.0 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=17 win=0 rtt=2.9 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=18 win=0 rtt=4.8 ms
len=40 ip=192.168.1.36 ttl=64 DF id=0 sport=22 flags=RA seq=19 win=0 rtt=4.5 ms

--- 192.168.1.36 hping statistic ---
20 packets tramitted, 20 packets received, 0% packet loss
round-trip min/avg/max = 2.4/13.6/58.8 ms

@leivos-unikie leivos-unikie added the "bug on Lenovo X1 Carbon" label (Issues found on Lenovo X1 Carbon while checking this PR) and removed the "Needs Testing" label (CI Team to pre-verify) Feb 6, 2026
Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
@leivos-unikie
Contributor

Both the debug and release variants of ghaf were properly blacklisting the "attacker" after 11 regular pings, but probing port 22 with TCP SYN packets (hping3 -S -p 22) was restricted only in the debug variant.

Tested now that both ping and TCP SYN packet probing trigger blacklisting in the release variant (as with the debug variant).

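The behaviour the PR describes and the tester confirms above (persistent blacklisting instead of rate-limiting alone, one "Blacklist [add]" entry per IP, a "Packet [ban]" entry per dropped packet) as an added simulation. This is not Ghaf's firewall code; the packet threshold, time window, source address and log wording are constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Assumed parameters, not Ghaf's actual thresholds.
RATE_LIMIT = 10   # packets allowed per window from one source
WINDOW = 1.0      # window length in seconds


class PingFloodFilter:
    """mode="ratelimit": packets over the limit are dropped but the source is
    not remembered, so once the flood pauses its packets are answered again.
    mode="blacklist": the first packet over the limit adds the source to a
    blacklist (logged once as 'Blacklist [add]'); every packet from a
    blacklisted source is dropped and logged as 'Packet [ban]'."""

    def __init__(self, mode="blacklist"):
        self.mode = mode
        self.windows = defaultdict(deque)  # src -> timestamps inside WINDOW
        self.blacklist = set()
        self.log = []

    def handle(self, src, ts):
        """Return 'accept' or 'drop' for one packet from src at time ts."""
        if src in self.blacklist:
            self.log.append(f"Packet [ban] src={src}")
            return "drop"
        q = self.windows[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # forget packets outside the window
            q.popleft()
        if len(q) <= RATE_LIMIT:
            return "accept"
        if self.mode == "blacklist":      # over the limit: ban the source
            self.blacklist.add(src)
            self.log.append(f"Blacklist [add] src={src}")
            self.log.append(f"Packet [ban] src={src}")
        return "drop"


def run(mode, packets):
    """Feed (src, ts) packets through a filter; return verdicts and log lines."""
    f = PingFloodFilter(mode)
    return [f.handle(src, ts) for src, ts in packets], f.log


# Constructed traffic: a 20-packet flood at 10 ms spacing, then after a pause
# five regular pings at 1 s spacing from the same (documentation-range) source.
FLOOD = [("192.0.2.10", i * 0.01) for i in range(20)]
LATER = [("192.0.2.10", 3.0 + i) for i in range(5)]

if __name__ == "__main__":
    for mode in ("ratelimit", "blacklist"):
        verdicts, log = run(mode, FLOOD + LATER)
        print(mode, "pings answered after the pause:", verdicts[20:].count("accept"),
              "| Blacklist [add] lines:", sum(l.startswith("Blacklist") for l in log))
```

In ratelimit mode the five post-pause pings are all answered, which is the "got reply to all pings" symptom from the first test report; in blacklist mode they are all dropped and the add entry appears exactly once.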
@leivos-unikie leivos-unikie added the "Tested on Lenovo X1 Carbon" label (This PR has been tested on Lenovo X1 Carbon) and removed the "bug on Lenovo X1 Carbon" label (Issues found on Lenovo X1 Carbon while checking this PR) Feb 9, 2026
@brianmcgillion brianmcgillion merged commit b923905 into tiiuae:main Feb 11, 2026
32 checks passed

Labels

Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon
