Introducing nScrub 1.4 with IPv6 Support


This is to introduce the new nScrub 1.4 stable.

Besides a few bug fixes (mainly to the API) this release introduces many improvements, including:

  • Full IPv6 support both in routing and bridge mode.
  • Improved TCP protection: it is now possible to use SYN Proxy in asymmetric mode.
  • Hardware bypass with watchdog support as a failover mechanism in case of system failures or to handle maintenance.
  • New plugins SDK to easily extend the core engine with custom protection algorithms.
  • Native systemd support for multiple instances to handle multiple network segments.
  • Support for Ubuntu 18, Debian 10, CentOS 8.

We are quite sure you will like and take advantage of every little improvement we made in this release. Enjoy!

Changelog

  • Engine

    • Support for IPv6 neigh table
    • Support for IPv6 routing table
    • Pure SYN Cookie with encryption is used when SYN Proxy mode is selected in asymmetric mode
    • More event types in event notification, sending notifications when an event terminates, added the ‘status’ field to the events
    • Full bypass support in routing mode
    • Unique event identifier
    • Added options to use different ports for transmission (this is needed by Napatech as streams are RX only), Napatech is supported in transparent bridge only
    • TCP flags sanity check happens only if any 3WHS (three-way handshake) check is enabled
    • Hardware bypass watchdog support, integration with Silicom hw bypass adapters
    • Automatically setting hw bypass (if any) on application shutdown
    • Introduced HSP service type (Generic Hosting Service Provider)
  • Plugins

    • New SDK (sample plugin available to get started)
    • Traffic blocking with pre/post hooks
    • Ability to inject packets
    • Inspection of both WAN and LAN traffic
    • Callback called on SIGUSR1 for reloading the configuration
    • Plugins stats (pre/post discard/forward counters) in the target stats
  • API

    • API to discard HTTP requests that do not match a list of hostnames
    • API to purge all targets
    • API to print the full list of global VLAN mappings
    • API to set a limit to the IP whitelist to engage session whitelisting automatically
    • API to control the TCP check engage
    • API to drop TCP SYN packets with payload
    • API to set max DNS subdomain length (blocks water torture attacks)
    • API to drop TCP SYN with no options
    • API to purge all attackers (and delete all lists)
    • API and CLI command to set the WAN/LAN interface IP address (required with DPDK TAP interfaces in routing mode)
    • Support for subnets without mask
    • Target stats now supports regex to select targets
    • Add bytes stats per protocol per target
    • wl_threshold: automatically turn off when IP whitelist size comes back below the threshold
    • Add gateway MAC address to the ARP table returned via REST
    • Added ability to overwrite the default virtual scrubber 0.0.0.0/0 – 0::0/0
    • Dynamic purge fix
    • Attacker search optimizations
    • Attackers list pagination, added list size when listing lists
    • String patterns removal using the ‘-’ special character
    • Add discard reason to target stats
    • Fixed lists counters
    • Fix all lists purging
    • Stats fixes
  • Tools

    • New nscrub-bl to manage blacklists
    • nscrub-cli
      • History now also keeps wrong commands
      • Add new command to load list from file in nscrub-cli
      • Load lists in batch mode
      • Fix integer parameters
    • nscrub-export reworked and improved options
      • Full configuration backup/restore
      • Add -i option to select the nscrub instance
  • Packages

    • New Ubuntu 18 package
    • New Debian 10 package
    • New CentOS 8 package
  • Misc

    • Systemd support for multiple nscrub instances
    • The nscrub service is now ‘PartOf’ the pf_ring service
    • Running nscrub as the ‘nscrub’ user by default, and falling back to ‘nobody’ if that user does not exist