From e9aefaf8d62419b7fc1b64a6bb3b8d5e0ffb285e Mon Sep 17 00:00:00 2001 From: Steven Polley Date: Tue, 16 Apr 2024 20:09:37 -0600 Subject: [PATCH] README add/edit --- README.md | 5 ++--- hypd/server/README.md | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 hypd/server/README.md diff --git a/README.md b/README.md index f2dabd5..b57adf0 100644 --- a/README.md +++ b/README.md @@ -25,14 +25,13 @@ Most port-knocking implementations are susceptible to replay attacks, a network hyp supports a clock skew of up to 30 seconds between client and server. -### TBD: Protection Against Sweeping Attacks +### Protection Against Sweeping Attacks -~~hyp protects against sweeping attacks where an adversary modulates over the entire port range multiple times by ensuring the authentic knock sequence is strict and ordered correctly. If the first port is guessed, but the next pack arrives and is the incorrect second port in the sequence, the progress gets reset.~~ +hyp protects against sweeping attacks where an adversary modulates over the entire port range multiple times by ensuring the authentic knock sequence is strict and ordered correctly. If the first port is guessed, but the next pack arrives and is the incorrect second port in the sequence, the progress gets reset. In addition to this, the correct authentic knock sequence must be entered within 5 seconds of the start of the sequence. ### Known Weaknesses * Lossy networks can result in the knock sequence failing -* Networks with latency > 500ms can result in the knock sequence failing if packets arrive out of order ### References diff --git a/hypd/server/README.md b/hypd/server/README.md new file mode 100644 index 0000000..01d0124 --- /dev/null +++ b/hypd/server/README.md 
@@ -0,0 +1,30 @@ +# hypd server + +hypd is the port knocking daemon which runs on an edge device connecting to an untrusted network. Leveraging eBPF's XDP hook point, it extracts header information directly and sends to userspace the specific information required. This method is faster than alternative methods such as using libpcap. + +### eBPF + +The hyp_bpf.c program can be recompiled using go generate. + +```bash +# Debian: sudo apt install git clang linux-headers-amd64 libbpf-dev +go generate . +``` + +### Generating vmlinux.h + +vmlinux.h is included in hyp_bpf.c and can be regenerated with bpftool. + +```bash +# Debian: sudo apt install bpftool +sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ../headers/vmlinux.h +``` + +### Building hypd + +hypd has no CGO dependencies and so can run on musl systems as well. + +```bash +# To ensure it can run on systems don't use CGO +CGO_ENABLED=0 go build . +``` \ No newline at end of file
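Review bot: in the README.md hunk, removing the "Networks with latency > 500ms ... if packets arrive out of order" bullet from Known Weaknesses is not justified by the text added in the same hunk: the new paragraph says the sequence is strict and ordered and that progress resets when the wrong port arrives next, so out-of-order delivery still breaks the knock. Either keep the bullet or explain what changed so that reordering is no longer a problem. In the new paragraph, "next pack arrives" should read "next packet arrives", and "modulates over the entire port range multiple times" would be clearer as "sweeps the entire port range repeatedly". The 5-second completion window is a new hard limit; state whether it is fixed or configurable, and note that on a lossy or high-latency link it compounds the first Known Weakness.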
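Review bot: in the new hypd/server/README.md, the comment in the last code block, "# To ensure it can run on systems don't use CGO", is missing a word and should read "# To ensure it can run on systems that don't use CGO"; the file also lacks a trailing newline ("\ No newline at end of file"). In the opening paragraph, "sends to userspace the specific information required" reads awkwardly; suggest "forwards only the header fields userspace needs". The statement that this "is faster than alternative methods such as using libpcap" is asserted without a measurement; either cite one or soften it. Since hypd loads and attaches an XDP program on an edge device, the README should also state the privileges required to run it (root, or CAP_BPF plus CAP_NET_ADMIN on recent kernels) and which interface it attaches to, as that is the first thing an operator deploying it will need to know.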