Skip to content
This repository has been archived by the owner on Dec 7, 2021. It is now read-only.
/ pkpoc-bpf Public archive

Stateful packet processing: port knocking PoC in BPF

License

Notifications You must be signed in to change notification settings

qmonnet/pkpoc-bpf

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Port knocking in eBPF

This is a proof of concept of stateful packet processing with eBPF on Linux. It implements the basics of OpenState abstraction layer for stateful processing, that have been designed as part of the BEBA research project.

Description

Port knocking is a port obfuscation measure that consists in a secret sequence of “knocks” which have to be transmitted to a server before the latter opens a given port, usually SSH, for the client.

Here the experiment creates two network namespaces, a client and a server. The client wants to reach a given server port, here TCP port 9922. It sends the packets of the secret sequence but, before those packets reach the network, they are caught by an eBPF filter installed on the tc (Linux traffic control) hook of the interface. The port knocking occurs at this level: thanks to tables, eBPF can implement the OpenState layer and provide stateful processing for the flow. So if the client sends the correct sequence of packets, the state is set to OPEN and the server sees traffic on its port 9922. Otherwise, all packets are dropped at the client's interface.

The idea behind this PoC is to explore eBPF's stateful capabilities, and to integrate it, at a later stage, in a BPF version of a full BEBA switch.

Requirements

This works only on a Linux system, with a recent kernel. To run this proof of concept, one first needs to install the bcc set of tools. Detailed instructions are available from here.

Running the proof of concept

Get the code:

git clone https://github.com/qmonnet/pkpoc-bpf.git

Launch the experiment:

root# cd ./pkpoc-bpf
root# python pk_launcher.py portknocking.c ebpf_filter
[Client] Sending p1...
[Client] Sending p2...
[Client] Sending p3...
[Client] Sending p4...
[Server] Received message:  [p4]
[Client] Sending p5...
[Server] Received message:  [p5]
[Client] Sending p6...
[Server] Received message:  [p6]
Finished.

While the experiment is running, you can launch a packet capture with tcpdump in another terminal with the command below. Note that you must wait for the server namespace to be created by the Python script before launching the command, or it will fail.

root# ip netns exec server tcpdump -vvv -e -XX -i eth0 src 10.0.2.100

Captured packets seem to appear only on termination (through CTRL-C) of the command.

License

File simulation.py comes from the bcc set of tools. As such, it is Copyright 2015 PLUMgrid, and is released under the Apache License, version 2.0.

The other files in this repository are Copyright 6WIND S.A., and are released under the 3-clause BSD license.

Resources

About

Stateful packet processing: port knocking PoC in BPF

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published