Compare commits

..

3 Commits

Author SHA1 Message Date
a0d118b987 Ensure generated code is checked in
All checks were successful
continuous-integration/drone/push Build is passing
2024-04-16 20:09:54 -06:00
e9aefaf8d6 README add/edit 2024-04-16 20:09:37 -06:00
beed9726e3 remove unreferenced macros...
These were previously used while trying to parse out specific headers.  They are no longer required though because the current length bounds checks covers edge cases.
2024-04-16 20:09:01 -06:00
4 changed files with 32 additions and 9 deletions

1
.gitignore vendored
View File

@ -2,4 +2,3 @@ hyp.secret
*.exe *.exe
hypd/hypd hypd/hypd
hyp/hyp hyp/hyp
hypd/server/hyp_bpf_bpfe*

View File

@ -25,14 +25,13 @@ Most port-knocking implementations are susceptible to replay attacks, a network
hyp supports a clock skew of up to 30 seconds between client and server. hyp supports a clock skew of up to 30 seconds between client and server.
### TBD: Protection Against Sweeping Attacks ### Protection Against Sweeping Attacks
~~hyp protects against sweeping attacks where an adversary modulates over the entire port range multiple times by ensuring the authentic knock sequence is strict and ordered correctly. If the first port is guessed, but the next pack arrives and is the incorrect second port in the sequence, the progress gets reset.~~ hyp protects against sweeping attacks where an adversary modulates over the entire port range multiple times by ensuring the authentic knock sequence is strict and ordered correctly. If the first port is guessed, but the next pack arrives and is the incorrect second port in the sequence, the progress gets reset. In addition to this, the correct authentic knock sequence must be entered within 5 seconds of the start of the sequence.
### Known Weaknesses ### Known Weaknesses
* Lossy networks can result in the knock sequence failing * Lossy networks can result in the knock sequence failing
* Networks with latency > 500ms can result in the knock sequence failing if packets arrive out of order
### References ### References

30
hypd/server/README.md Normal file
View File

@ -0,0 +1,30 @@
# hypd server
hypd is the port knocking daemon which runs on an edge device connecting to an untrusted network. Leveraging eBPF's XDP hook point, it extracts header information directly and sends to userspace the specific information required. This method is faster than alternative methods such as using libpcap.
### eBPF
The hyp_bpf.c program can be recompiled using go generate.
```bash
# Debian: sudo apt install git clang linux-headers-amd64 libbpf-dev
go generate .
```
### Generating vmlinux.h
vmlinux.h is included in hyp_bpf.c and can be regenerated with bpftool.
```bash
# Debian: sudo apt install bpftool
sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ../headers/vmlinux.h
```
### Building hypd
hypd has no CGO dependencies and so can run on musl systems as well.
```bash
# To ensure it can run on systems don't use CGO
CGO_ENABLED=0 go build .
```

View File

@ -7,12 +7,8 @@ Copyright © 2024 Steven Polley <himself@stevenpolley.net>
#include "bpf_endian.h" #include "bpf_endian.h"
#include <bpf/bpf_helpers.h> #include <bpf/bpf_helpers.h>
char __license[] SEC("license") = "BSD"; char __license[] SEC("license") = "BSD";
#define ETH_P_IP 0x0800
#define IP_FRAGMENTED 65343
// representation of knock data that gets sent to userspace // representation of knock data that gets sent to userspace
struct knock_data { struct knock_data {
__u32 srcip; // 4 bytes __u32 srcip; // 4 bytes
@ -44,7 +40,6 @@ int xdp_prog_func(struct xdp_md *ctx) {
// parse ethernet header // parse ethernet header
struct ethhdr *eth = data; struct ethhdr *eth = data;
if ((void *)eth + sizeof(*eth) <= data_end) { if ((void *)eth + sizeof(*eth) <= data_end) {
// parse IP header // parse IP header
struct iphdr *ip = data + sizeof(*eth); struct iphdr *ip = data + sizeof(*eth);