{"id":17156547,"url":"https://github.com/blechschmidt/freebind","last_synced_at":"2025-04-09T15:06:43.338Z","repository":{"id":40284484,"uuid":"83902367","full_name":"blechschmidt/freebind","owner":"blechschmidt","description":"IPv6 address rate limiting evasion tool (that also supports IPv4)","archived":false,"fork":false,"pushed_at":"2023-12-15T18:40:29.000Z","size":53,"stargazers_count":245,"open_issues_count":0,"forks_count":21,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-09T15:06:39.868Z","etag":null,"topics":["anyip","evasion","freebind","ip-rate-limit","ipv4","ipv4-address","ipv6","ipv6-address","rate-limit","rate-limiting","socket","subnet"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blechschmidt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-04T15:15:48.000Z","updated_at":"2025-04-07T04:40:53.000Z","dependencies_parsed_at":"2023-12-15T20:15:58.388Z","dependency_job_id":null,"html_url":"https://github.com/blechschmidt/freebind","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Ffreebind","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Ffreebind/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Ffreebind/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Ffreebind/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blechschmidt","download_url":"https://codeload.github.com/blechschmidt/freebind/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anyip","evasion","freebind","ip-rate-limit","ipv4","ipv4-address","ipv6","ipv6-address","rate-limit","rate-limiting","socket","subnet"],"created_at":"2024-10-14T22:06:45.166Z","updated_at":"2025-04-09T15:06:43.312Z","avatar_url":"https://github.com/blechschmidt.png","language":"C","readme":"# Freebind\nMake use of any IP address from a prefix that is routed to your machine.\n\nWith the introduction of IPv6, single machines often get prefixes with more than one IP address assigned. However, without AnyIP and socket freebinding, many applications lack support to dynamically bind to arbitrary unconfigured addresses within these prefixes. Freebind enables the [IP\\_FREEBIND](http://man7.org/linux/man-pages/man7/ip.7.html) socket option by hooking into `socket` library calls using `LD_PRELOAD`.\n\nIPv6 services employing rate limiting often ban per /128 or per /64 in order to minimize collateral damage. If you have a statically routed prefix that is smaller than the prefix being banned, you can make use of freebind, which will bind sockets to random IP addresses from specified prefixes.\n\n## Usage\n### Installing\nClone and `cd` into the git repository, then run `make install`. In order for `packetrand` to be built successfully, `libnetfilter-queue-dev` is required.\n### Setup\nAssume your ISP has assigned the subnet `2a00:1450:4001:81b::/64` to your server. In order to make use of freebinding, you first need to configure the [Linux AnyIP kernel feature](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab79ad14a2d51e95f0ac3cef7cd116a57089ba82) in order to be able to bind a socket to an arbitrary IP address from this subnet as follows:\n\n```\nip -6 route add local 2a00:1450:4001:81b::/64 dev lo\n```\n\n### Example\nHaving set up AnyIP, the following command will bind wget's internal socket to a random address from the specified subnet:\n```\nfreebind -r 2a00:1450:4001:81b::/64 -- wget -qO- ipv6.wtfismyip.com/text\n```\nIn practice, running this command multiple times will yield a new IP address every time.\n\n#### Crawling with curl\nYou can use new versions of curl (tested with 7.87.0) with freebind to bypass web server rate limits as follows:\n```\nfreebind -r 2a00:1450:4001:81b::/64 -- curl --http1.1 -6 -H \"Connection: close\" --parallel --parallel-immediate --parallel-max 100 --config config.txt\n```\nIn the above example, `config.txt` contains the URLs you wish to crawl in the curl config format, e.g. `url = \"https://ipv6.wtfismyip.com/text\"`. Consult the curl man page for more information on the format. Since curl cannot be explicitly configured to use a new socket for each request, we leverage the `Connection: close` header, which is only supported by HTTP/1.1. Alternatively, HTTP/1.0 could be used.\n\nNote that freebind does not work with statically linked binaries in general, including those that can be downloaded from the curl website.\n\n### UDP per packet randomization\nThe `freebind` program is only suitable for assigning one IP address per socket. It will not assign a random IP address per packet. Therefore, `packetrand` making use of the netfilter API is included for use in scenarios that require a fresh IP address per outgoing packet.\n\n#### Setup\nImagine you want to randomize source addresses for DNS resolving. The following command has `iptables` pass outgoing DNS packets to the `packetrand` userspace program:\n```\nip6tables -I OUTPUT -j NFQUEUE -p udp --dport 53 --queue-num 0 --queue-bypass\nip6tables -I INPUT -j NFQUEUE -p udp --sport 53 --queue-num 0 --queue-bypass\n```\nAfterwards, the `packetrand` daemon could be invoked as follows, where 0 is the netfilter queue number:\n```\npacketrand 0 2a00:1450:4001:81b:: 2a00:1450:4001:81b::/64\n```\nThis will cause `packetrand` to rewrite the source address of outgoing packets to a random address from the specified prefix and translate back the destination address of incoming packets to `2a00:1450:4001:81b::` which is supposed to be the address which the socket is bound to.\n\n#### Source port randomization\nYou can use the `-r` switch in order to randomize source ports per packet.\n```\npacketrand 0 -r 53\n```\nIn this case, all outgoing UDP packets that are handled by the queue have their source port randomized and 53 is the port number for incoming packets to be rewritten to.\n\n#### Limitations\n- IPv6 extension headers are not yet supported\n\n### Notes\nThe application will only work if your internet service provider provides you with a routed prefix.\n\n## References\n- [The scary state of IPv6 rate-limiting, A. Pritchard, 2022](https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/)\n- [Exploring The State of Rate Limiting in IPv6, P. Heijningen, 2023](http://essay.utwente.nl/96014/1/van%20Heijningen_BA_EEMCS.pdf)\n- [Hack Red Con 2023 - Abusing IPv6 on the Public Internet, TheTechRomancer](https://youtu.be/6ibqE2Il1R8?t=835)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblechschmidt%2Ffreebind","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblechschmidt%2Ffreebind","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblechschmidt%2Ffreebind/lists"}