Make use of any IP address from a prefix that is routed to your machine.
With the introduction of IPv6, single machines often get prefixes with more than one IP address assigned. However, without AnyIP and socket freebinding, many applications lack support to dynamically bind to arbitrary unconfigured addresses within these prefixes. Freebind enables the IP_FREEBIND socket option by hooking into socket library calls using
IPv6 services employing rate limiting often ban per /128 or per /64 in order to minimize collateral damage. If you have a statically routed prefix that is smaller than the prefix being banned, you can make use of freebind, which will bind sockets to random IP addresses from specified prefixes.
cd into the git repository, then run make install. In order for packetrand to be built successfully, libnetfilter-queue-dev is required.
Assume your ISP has assigned the subnet 2a00:1450:4001:81b::/64 to your server. In order to make use of freebinding, you first need to configure the Linux AnyIP kernel feature so that a socket can be bound to an arbitrary IP address from this subnet, as follows:
ip -6 route add local 2a00:1450:4001:81b::/64 dev lo
Having set up AnyIP, the following command will bind wget's internal socket to a random address from the specified subnet:
freebind -r 2a00:1450:4001:81b::/64 wget -qO- ipv6.wtfismyip.com/text
In practice, running this command multiple times will yield a new IP address every time.
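The socket-level operation behind freebind -r, as an added example that is not part of the freebind project: it picks a random address inside a routed prefix and binds an IPv6 UDP socket to it with IP_FREEBIND set, which is what the library hook does on behalf of an unmodified program such as wget. Function names are our own and the code assumes Linux.

```c
/* Added example, not freebind's own code: choose a random address inside an
 * IPv6 prefix and bind a socket to it with IP_FREEBIND (what freebind's hook does). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mask of the prefix bits that fall into byte i of a 16-byte address. */
static uint8_t prefix_mask(int plen, int i)
{
    int bits = plen - i * 8;
    return bits >= 8 ? 0xff : bits <= 0 ? 0 : (uint8_t)(0xff << (8 - bits));
}

/* 1 if the first plen bits of a and p agree, else 0. */
int addr_in_prefix(const struct in6_addr *a, const struct in6_addr *p, int plen)
{
    for (int i = 0; i < 16; i++)
        if ((a->s6_addr[i] ^ p->s6_addr[i]) & prefix_mask(plen, i)) return 0;
    return 1;
}

/* Keep the prefix bits, randomise the host bits (freebind -r); rand() is demo-grade. */
int random_addr_in_prefix(const struct in6_addr *p, int plen, struct in6_addr *out)
{
    if (plen < 0 || plen > 128) return -1;
    for (int i = 0; i < 16; i++) {
        uint8_t m = prefix_mask(plen, i);
        out->s6_addr[i] = (p->s6_addr[i] & m) | ((uint8_t)rand() & (uint8_t)~m);
    }
    return 0;
}

/* IP_FREEBIND lets bind() accept an address not configured on any interface;
 * replies only come back if the prefix is routed here and AnyIP is configured. */
int freebind_udp_socket(const struct in6_addr *addr)
{
    int one = 1, fd = socket(AF_INET6, SOCK_DGRAM, 0);
    struct sockaddr_in6 sa = { .sin6_family = AF_INET6, .sin6_addr = *addr };
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}
```

Without the local route from the previous step the bind() still succeeds, but answers to packets sent from the socket are never delivered to it.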
The freebind program is only suitable for assigning one IP address per socket. It will not assign a random IP address per packet. Therefore, packetrand, which makes use of the netfilter API, is included for use in scenarios that require a fresh IP address per outgoing packet.
Imagine you want to randomize source addresses for DNS resolving. The following commands have iptables pass outgoing DNS packets (and the replies to them) to the packetrand userspace program:
ip6tables -I OUTPUT -j NFQUEUE -p udp --dport 53 --queue-num 0 --queue-bypass
ip6tables -I INPUT -j NFQUEUE -p udp --sport 53 --queue-num 0 --queue-bypass
The packetrand daemon could then be invoked as follows, where 0 is the netfilter queue number:
packetrand 0 2a00:1450:4001:81b:: 2a00:1450:4001:81b::/64
This will cause packetrand to rewrite the source address of outgoing packets to a random address from the specified prefix and to translate the destination address of incoming packets back to 2a00:1450:4001:81b::, which is supposed to be the address the socket is bound to.
You can use the -r switch in order to randomize source ports per packet:
packetrand 0 -r 53
In this case, all outgoing UDP packets that are handled by the queue have their source port randomized, and 53 is the port number that the destination port of incoming packets is rewritten to.
The application will only work if your internet service provider provides you with a routed prefix.