HeXHub • Firewall

1. HeXHub's firewall (DDoSflt.sys) is a supplement to your existing firewall, so if you have another firewall, do not uninstall or disable it. DDoSflt will not protect you from hacking attempts or from the results of running malware on your computer, and it will not protect you from every type of denial-of-service attack or exploit. What DDoSflt (current version) does is simple: it limits the rate of SYN packets per open / closed port, limits outgoing ICMP traffic (which would otherwise be sent, for example, in response to a UDP flood against a port that is not open), detects port scans, filters traffic from IPs banned at firewall level (ban0 entries) and filters DDoS traffic (the most common forms of DDoS attack used against hubs).


2. Possible problems some hub owners had so far:

2.1. All internet traffic is blocked - this happens when one or more other firewalls are installed on the system running HeXHub's firewall and those firewalls block all traffic from DDoSflt. It occurs if the computer has not been restarted since DDoSflt was installed for the first time. Restarting the computer (without unregistering DDoSflt) resolves the problem.
2.2. 'Firewall not loaded' - click "Load driver"
2.3. 'Firewall cannot be loaded in this system' - are you running Windows 95/98? If not, post on the forum which OS you are running and you will probably get an answer to your problem.
2.4. 'Error opening Service Control Manager database' - log in with an account that has administrative privileges and try again.
2.5. 'Error opening service handle' - this happens if more than one hub on the same host uses the firewall and you clicked "Unregister" in only one of them. To use the firewall again you need to close all of its open handles (unload it from every hub that uses it, then try to re-register and reload it).


3. Using DDoSflt in your applications

To use DDoSflt in programs other than HeXHub, register it as a system driver (if it is not already registered), then obtain a handle to the driver by opening a file called \\.\DDoSflt .
Firewall functions are called with DeviceIoControl (DDoSflt) or FirewallIOCTL (firewall plugins).
The IoControl codes (needed for DeviceIoControl) are as follows:

0x2220c0 = IOCTL_START
Input: none
Output: none

After loading the driver, call this function to install firewall hook.

0x2220c4 = IOCTL_STOP
Input: none
Output: none

Call this function to disable the firewall without unloading it.

0x2220c8 = IOCTL_DDOSADDIP
Input: a DWORD containing an IP address
Output: none

This function notifies the firewall that a DDoS attack is in progress and adds an IP to the DDoS filter. Until IOCTL_DDOSSTOP is called, all traffic from IPs in the DDoS filter is filtered.

0x2220cc = IOCTL_DDOSSTOP
Input: none
Output: none

This function notifies the firewall that the DDoS attack has stopped; it deletes the DDoS filter.

0x2220d0 = IOCTL_BAN0
Input: two DWORDs containing an IP range
Output: none

This function sets a ban on an IP range.

0x2220d4 = IOCTL_GETFLT
Input: none
Output: DWORD

This function returns the number of filtered TCP/SYN packets that were sent from IPs found in DDoS filter.

0x2220d8 = IOCTL_REMOVE
Input: two DWORDs containing an IP range
Output: none

Use this function to unban an IP range.

0x2220dc = IOCTL_GETVER
Input: none
Output: DWORD

Use this function to query the driver's version. The low byte contains the major version number.

0x2220e0 = IOCTL_OPTIONS
Input: a FirewallParametersInfo structure
Output: none

This function will change firewall's parameters (see 4.1.)

0x2220e4 = IOCTL_ADDPORT
Input: a port_info structure
Output: none

This function registers a port used by the hub and sets the maximum number of SYN packets / second allowed on it from all users.

0x2220e8 = IOCTL_DELPORT
Input: port value in network byte order
Output: none

This function unregisters a port that was registered using IOCTL_ADDPORT

0x2220ec = IOCTL_GETSTATS
Input: none
Output: a FirewallStatistics structure (see 4.3.)

This function retrieves the firewall's statistics and then resets them, so each call returns only what was counted since the previous call.

0x2220f0 = IOCTL_PORTSTATS
Input: port value in network byte order
Output: a port_info structure

This function retrieves statistics for the specified port (the synRate member of the returned port_info structure holds the median SYN packets / second value). Use 0 as the port value to get statistics for unregistered ports (a median value over all of them).

0x2220f4 = IOCTL_ABOUT
Input: none
Output: a 512-byte buffer

This function returns firewall's version and copyright information as an ASCIIZ string.

0x2220f8 = IOCTL_LOOKUP
Input: two DWORDs containing an IP range
Output: DWORD

This function returns information about an IP range as a combination of flags (more than one bit may be set, since several bans can match):
bit 0 = exact IP range was found in banlist
bit 1 = this range is intersected with a banned range
bit 2 = this range is fully included in a bigger range ban
bit 3 = this range fully includes a smaller banned range

0x2220fc = IOCTL_GETCFG
Input: none
Output: a FirewallParametersInfo structure

This function will retrieve current firewall configuration (see 4.1.)

0x222100 = IOCTL_DDOSCNT
Input: none
Output: DWORD

This function retrieves number of IPs in DDoS filter

0x222104 = IOCTL_DDOSFLT
Input: DWORD (number of entries requested)
Output: DWORD[input_value]

This function returns the requested number of IPs from the DDoS filter; the output buffer must hold input_value DWORDs (use IOCTL_DDOSCNT to learn how many entries there are).

0x22210c = IOCTL_GETPROTO
Input: none
Output: 3 tables of 256 dwords each

This function returns the IP protocol statistics used by !stats ip. All tables have 256 dwords; the 8-bit IP protocol identifier is the index into each table. The first table contains the number of sent packets since the last call to IOCTL_CLRPROTO, the second table contains the number of received packets and the third table contains the last IP that sent or received a packet with that protocol.

0x222110 = IOCTL_CLRPROTO
Input: none
Output: none

This function clears protocol statistics tables.

0x222114 = IOCTL_ENUMBANS (DDoSflt 1.07+)
Input: DWORD (a 0-based index in firewall's banlist)
Output: two DWORDs containing an IP range

This function returns an entry from firewall's banlist.


4. Structures used by firewall

4.1. FirewallParametersInfo

typedef struct _FirewallParametersInfo{
WORD pcapFlags; // bit 0 = WinPCap is enabled, bit 1 = detection of adapters was completed (this WORD is not used by version 1.03 of DDoSflt)
WORD pcapAdapters; // mask of enabled / disabled adapters used by WinPCap procedures (this WORD is not used by version 1.03 of DDoSflt)
DWORD pcapTimer; // timeout for capturing packets using WinPCap procedures (not used by version 1.03 of DDoSflt)
BYTE pcapSyn; // maximum number of TCP/SYN packets per second allowed from one IP
BYTE pcapUdp; // maximum number of UDP packets per second allowed from one IP
BYTE pcapIcmp; // maximum number of ICMP packets per second allowed from one IP
BYTE firewallFlags; // bit 0 = firewall is registered
// bit 1 = firewall is started
// bit 2 = maximum SYN/second on hub's registered ports will be checked
// bit 3 = maximum SYN/second on unregistered ports will be checked
// bit 4 = ICMP traffic will be blocked
// bit 5 = TCP/RST packets will not be sent (will be filtered)
// bit 6 = if flood is detected, the application will call the firewall to set a _ban0_ (not used by firewall)
// bit 7 = if flood is detected, a notification message will be sent in opchat (not used by firewall)
WORD hubSyn; // maximum SYN rate allowed for one of registered hub's ports
WORD otherSyn; // maximum SYN rate allowed for non-registered ports
} FirewallParametersInfo;

4.2. port_info

typedef struct _port_info{
WORD port; // port value in network byte order
int synRate; // maximum number of TCP/SYN packets per second allowed from all users
} port_info;

4.3. FirewallStatistics

typedef struct _FirewallStatistics{
syn_str synFlood; // information about last SYN packets received
syn_str udpFlood; // information about last UDP packets received
syn_str icmpFlood; // information about last ICMP packets received
DWORD fltSyn; // number of filtered TCP/SYN packets that were sent from IPs found in DDoS filter
DWORD fltBan; // number of filtered packets sent from banned[0] IPs
DWORD fltPort; // number of filtered SYN packets sent to hub's ports if flood was detected
DWORD pchklast; // internally used by firewall, pointer to a syn_info structure in driver's allocated memory
} FirewallStatistics;

4.4. syn_str

typedef struct _syn_str{
BYTE syn_idx; // index in s_info array
BYTE is_flood; // 0 = no flood was detected
// 1 = flood was detected
// 2 = port scan detected
// 3 = SYN flood was detected
// 4 = UDP flood was detected
// 5 = ICMP flood was detected
DWORD last_ip; // last IP that was detected as flooding
syn_info s_info[20]; // array with information about last packets
} syn_str;

4.5. syn_info

typedef struct _syn_info{
DWORD timer1; // number of milliseconds since firewall was started
DWORD lastIp; // sender's IP (network byte order)
DWORD lastDstIp; // destination IP (network byte order)
DWORD lastPort; // destination port (network byte order)
WORD isFlood; // 0 = no flood was detected, 1 = flood was detected
WORD checkSum; // packet checksum delta (not used by version 1.03)
} syn_info;
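The following is an added example, not code from HeXHub or the DDoSflt driver. It ties sections 3 and 4 together from a user-mode client's point of view: the IOCTL codes are derived with the Windows CTL_CODE formula (device type 0x22, function numbers from 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS) rather than typed in, the structures are declared so their sizes can be checked before they are passed as DeviceIoControl buffers, ports and IPs are packed in network byte order as the page requires, and the IOCTL_LOOKUP flag word is decoded. The DeviceIoControl call itself sits behind a callback so the code compiles and runs off Windows; record_ioctl is a constructed stand-in for the driver, and the 411 port, the 10.0.0.0/24 range and the function names ddosflt_add_port, ddosflt_ban0 and ddosflt_lookup are assumptions made for the example. That BAN0 and LOOKUP ranges are in network byte order is also an assumption, based on the syn_info fields.

```c
/* ddosflt_client.c -- added example; not code from HeXHub or the DDoSflt driver.
 * Reproduces the IOCTL numbering and the structures of sections 3 and 4 so a
 * user-mode client can size buffers and pack arguments correctly.  The
 * DeviceIoControl call sits behind a callback; record_ioctl is a constructed
 * stand-in for the driver so the helpers can be exercised off Windows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t BYTE; typedef uint16_t WORD; typedef uint32_t DWORD;

/* Windows CTL_CODE(): device type 0x22 (FILE_DEVICE_UNKNOWN), METHOD_BUFFERED (0),
 * FILE_ANY_ACCESS (0); functions start at 0x830, so DDOSFLT_CTL(0) == 0x2220c0. */
#define DDOSFLT_CTL(fn) ((0x22u << 16) | ((0x830u + (fn)) << 2))
enum {
    IOCTL_START = DDOSFLT_CTL(0),      IOCTL_STOP = DDOSFLT_CTL(1),
    IOCTL_DDOSADDIP = DDOSFLT_CTL(2),  IOCTL_DDOSSTOP = DDOSFLT_CTL(3),
    IOCTL_BAN0 = DDOSFLT_CTL(4),       IOCTL_GETFLT = DDOSFLT_CTL(5),
    IOCTL_REMOVE = DDOSFLT_CTL(6),     IOCTL_GETVER = DDOSFLT_CTL(7),
    IOCTL_OPTIONS = DDOSFLT_CTL(8),    IOCTL_ADDPORT = DDOSFLT_CTL(9),
    IOCTL_DELPORT = DDOSFLT_CTL(10),   IOCTL_GETSTATS = DDOSFLT_CTL(11),
    IOCTL_PORTSTATS = DDOSFLT_CTL(12), IOCTL_ABOUT = DDOSFLT_CTL(13),
    IOCTL_LOOKUP = DDOSFLT_CTL(14),    IOCTL_GETCFG = DDOSFLT_CTL(15),
    IOCTL_DDOSCNT = DDOSFLT_CTL(16),   IOCTL_DDOSFLT = DDOSFLT_CTL(17),
    /* function 0x842 (code 0x222108) is not documented on the page */
    IOCTL_GETPROTO = DDOSFLT_CTL(19),  IOCTL_CLRPROTO = DDOSFLT_CTL(20),
    IOCTL_ENUMBANS = DDOSFLT_CTL(21)
};

/* Structures as declared in section 4 (natural alignment, no packing). */
typedef struct { WORD pcapFlags, pcapAdapters; DWORD pcapTimer; BYTE pcapSyn, pcapUdp,
                 pcapIcmp, firewallFlags; WORD hubSyn, otherSyn; } FirewallParametersInfo;
typedef struct { WORD port; int synRate; } port_info;          /* port: network byte order */
typedef struct { DWORD timer1, lastIp, lastDstIp, lastPort; WORD isFlood, checkSum; } syn_info;
typedef struct { BYTE syn_idx, is_flood; DWORD last_ip; syn_info s_info[20]; } syn_str;
typedef struct { syn_str synFlood, udpFlood, icmpFlood;
                 DWORD fltSyn, fltBan, fltPort, pchklast; } FirewallStatistics;

/* Network-byte-order values built byte-wise, independent of host endianness. */
static WORD port_nbo(unsigned port) {
    BYTE raw[2] = { (BYTE)(port >> 8), (BYTE)port }; WORD v; memcpy(&v, raw, 2); return v;
}
static DWORD ip_nbo(BYTE a, BYTE b, BYTE c, BYTE d) {
    BYTE raw[4] = { a, b, c, d }; DWORD v; memcpy(&v, raw, 4); return v;
}
static const char *ip_str(DWORD nbo, char *buf, size_t n) {   /* e.g. syn_info.lastIp */
    BYTE r[4]; memcpy(r, &nbo, 4);
    snprintf(buf, n, "%d.%d.%d.%d", r[0], r[1], r[2], r[3]); return buf;
}
/* Decode the IOCTL_LOOKUP flag word; returns how many of its four bits are set. */
static int lookup_describe(DWORD flags, char *out, size_t n) {
    static const char *name[4] = { "exact match", "intersects a ban", "inside a wider ban", "contains a narrower ban" };
    size_t used = 0; int count = 0;
    for (int i = 0; i < 4; i++) {
        if (!(flags & (1u << i))) continue;
        int w = snprintf(out + used, n - used, "%s%s", count++ ? ", " : "", name[i]);
        if (w < 0 || (size_t)w >= n - used) break;
        used += (size_t)w;
    }
    if (count == 0) snprintf(out, n, "not banned");
    return count;
}

/* Transport: on Windows wrap DeviceIoControl() on the handle from
 * CreateFile("\\\\.\\DDoSflt", ...).  Returns 0 on success, -1 on failure. */
typedef int (*ioctl_fn)(void *ctx, DWORD code, const void *in, DWORD in_len, void *out, DWORD out_len);
/* IOCTL_ADDPORT: zero the struct first so the padding after port carries no stale bytes. */
static int ddosflt_add_port(ioctl_fn io, void *ctx, unsigned port, int max_syn) {
    port_info pi; memset(&pi, 0, sizeof pi);
    if (port == 0 || port > 65535 || max_syn <= 0) return -1;
    pi.port = port_nbo(port); pi.synRate = max_syn;
    return io(ctx, IOCTL_ADDPORT, &pi, sizeof pi, NULL, 0);
}
static int ddosflt_ban0(ioctl_fn io, void *ctx, DWORD first, DWORD last) {
    DWORD range[2] = { first, last };           /* both ends in network byte order (assumed) */
    return io(ctx, IOCTL_BAN0, range, sizeof range, NULL, 0);
}
static int ddosflt_lookup(ioctl_fn io, void *ctx, DWORD first, DWORD last) {
    DWORD range[2] = { first, last }, flags = 0; /* returns the flag word, or -1 */
    if (io(ctx, IOCTL_LOOKUP, range, sizeof range, &flags, sizeof flags)) return -1;
    return (int)flags;
}

/* Constructed stand-in for the driver: records the last request and answers
 * IOCTL_LOOKUP with bit 0 set ("exact IP range was found in banlist"). */
static struct { DWORD code, in_len; BYTE in[16]; } last_req;
static char scratch[96];
static int record_ioctl(void *ctx, DWORD code, const void *in, DWORD in_len, void *out, DWORD out_len) {
    (void)ctx; last_req.code = code; last_req.in_len = in_len;
    memset(last_req.in, 0, sizeof last_req.in);
    if (in && in_len) memcpy(last_req.in, in, in_len < 16 ? in_len : 16);
    if (code == IOCTL_LOOKUP && out && out_len >= 4) { DWORD f = 1; memcpy(out, &f, 4); }
    return 0;
}

int main(void) {
    ddosflt_add_port(record_ioctl, NULL, 411, 200);
    printf("ADDPORT 0x%x: port bytes %02x %02x\n", (unsigned)last_req.code,
           (unsigned)last_req.in[0], (unsigned)last_req.in[1]);
    ddosflt_ban0(record_ioctl, NULL, ip_nbo(10, 0, 0, 1), ip_nbo(10, 0, 0, 255));
    int f = ddosflt_lookup(record_ioctl, NULL, ip_nbo(10, 0, 0, 1), ip_nbo(10, 0, 0, 255));
    printf("LOOKUP 10.0.0.1-10.0.0.255: %s\n", lookup_describe((DWORD)f, scratch, sizeof scratch));
    return 0;
}
```

To talk to the real driver, implement ioctl_fn with DeviceIoControl on the handle from CreateFile and pass it instead of record_ioctl; the structure sizes checked here are the buffer lengths that call needs (a FirewallStatistics buffer for IOCTL_GETSTATS, a port_info for IOCTL_PORTSTATS, 512 bytes for IOCTL_ABOUT, 3 x 256 DWORDs for IOCTL_GETPROTO).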
