This is to introduce the new nScrub 1.4 stable.
Besides a few bug fixes (mainly to the API) this release introduces many improvements, including:
- Full IPv6 support both in routing and bridge mode.
- Improved TCP protection: SYN Proxy can now be used in asymmetric mode.
- Hardware bypass with watchdog support, used as a failover mechanism in case of system failure or during maintenance.
- New plugins SDK to easily extend the core engine with custom protection algorithms.
- Native systemd support for multiple instances to handle multiple network segments.
- Support for Ubuntu 18, Debian 10, CentOS 8.
We are quite sure you will like and take advantage of every little improvement we made in this release. Enjoy!
Changelog
Engine
- Support for IPv6 neigh table
- Support for IPv6 routing table
- Pure SYN Cookie with encryption is used when SYN Proxy mode is selected in asymmetric mode
- More event types in event notification; notifications are now also sent when an event terminates; added the ‘status’ field to the events
- Full bypass support in routing mode
- Unique event identifier
- Added options to use different ports for transmission (needed by Napatech, as its streams are RX only); Napatech is supported in transparent bridge mode only
- TCP flags sanity check is performed only if at least one 3WHS (three-way handshake) check is enabled
- Hardware bypass watchdog support, integration with Silicom hw bypass adapters
- Hardware bypass (if available) is set automatically on application shutdown
- Introduced HSP service type (Generic Hosting Service Provider)
Plugins
- New SDK (sample plugin available to get started)
- Traffic blocking with pre/post hooks
- Ability to inject packets
- Inspection of both WAN and LAN traffic
- Callback called on SIGUSR1 for reloading the configuration
- Plugins stats (pre/post discard/forward counters) in the target stats
API
- API to discard HTTP requests that do not match a list of hostnames
- API to purge all targets
- API to print the full list of global VLAN mappings
- API to set a size limit on the IP whitelist, above which session whitelisting is engaged automatically
- API to control the TCP check engage
- API to drop TCP SYN packets with payload
- API to set the maximum DNS subdomain length (blocks water torture attacks)
- API to drop TCP SYN with no options
- API to purge all attackers (and delete all lists)
- API and cli command to set the WAN/LAN interface IP address (required with DPDK TAP interfaces in routing mode)
- Support for subnets without mask
- Target stats now support a regex to select targets
- Add bytes stats per protocol per target
- wl_threshold: automatically turn off when IP whitelist size comes back below the threshold
- Add gateway mac address to the arp table returned via REST
- Added the ability to override the default virtual scrubber (0.0.0.0/0 and 0::0/0)
- Dynamic purge fix
- Attacker search optimizations
- Attackers list pagination, added list size when listing lists
- String pattern removal using the ‘-’ special character
- Add discard reason to target stats
- Fixed lists counters
- Fix all lists purging
- Stats fixes
Tools
- New nscrub-bl to manage blacklists
- nscrub-cli
  - History now also keeps incorrect commands
  - New command to load a list from a file
  - Load lists in batch mode
  - Fixed integer parameters
- nscrub-export reworked, with improved options
  - Full configuration backup/restore
  - Added the -i option to select the nscrub instance
Packages
- New Ubuntu 18 package
- New Debian 10 package
- New CentOS 8 package
Misc
- Systemd support for multiple nscrub instances
- The nscrub service is now ‘PartOf’ the pf_ring service
- nscrub now runs as the ‘nscrub’ user by default, falling back to nobody if that user does not exist