added docker compose files for the experiment infrastructure

2025-05-22 16:39:01 +02:00 · 2025-05-22 16:39:01 +02:00 · 3a17003bfd
commit 3a17003bfd
parent 9841dffb82
16 changed files with 152 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -100,3 +100,11 @@ service should be publicly visible under the domain
 through the TOR network about every 10 seconds. If you
 used the `http.server` example, a directory listing should
 be visible on that domain.
+
+## Some Related Work
+
+[We Built This Circuit: Exploring Threat Vectors in Circuit Establishment in Tor](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9581198)
+
+[Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor](https://www.usenix.org/system/files/sec19-jansen.pdf)
+
+[TagIt: Tagging Network Flows using Blind Fingerprints](https://petsymposium.org/popets/2017/popets-2017-0050.pdf)
--- a/experiment-infra/guard/Dockerfile
+++ b/experiment-infra/guard/Dockerfile
@ -0,0 +1,4 @@
+FROM debian:bookworm
+RUN apt update && apt -y install tor
+COPY ./torrc /etc/tor/torrc
+CMD [ "tor" ]
--- a/experiment-infra/guard/docker-compose.yml
+++ b/experiment-infra/guard/docker-compose.yml
@ -0,0 +1,17 @@
+services:
+  wireguard:
+    build: ../wireguard
+    cap_add:
+      - NET_ADMIN
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    secrets:
+      - wg-config
+  
+  guard:
+    build: ./
+    network_mode: "service:wireguard"
+
+secrets:
+  wg-config:
+    file: ./wireguard.conf
--- a/experiment-infra/guard/torrc
+++ b/experiment-infra/guard/torrc
@ -0,0 +1,8 @@
+AssumeReachable 1
+PublishServerDescriptor 0
+ORPort 10.2.0.3:443
+Nickname localtestrelay
+RelayBandwidthRate 1 MB
+RelayBandwidthBurst 2 MB
+# ORPort 10.2.0.3:443 NoAdvertise
+# Address 10.2.0.3
--- a/experiment-infra/guard/wireguard.conf
+++ b/experiment-infra/guard/wireguard.conf
@ -0,0 +1,10 @@
+[Interface]
+Address = 10.2.0.3/24
+PrivateKey = <censored>
+MTU = 1000
+
+[Peer]
+PublicKey = <censored>
+AllowedIps = 10.2.0.0/24
+Endpoint = vanrissenbeck.com:41415
+PersistentKeepalive = 10
--- a/experiment-infra/proxy/Dockerfile
+++ b/experiment-infra/proxy/Dockerfile
@ -0,0 +1,7 @@
+FROM alpine:latest
+RUN apk add openssh
+RUN ssh-keygen -A && \
+    sed -i 's/GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config && \
+    sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \
+    printf "<censored>\n<censored>\n" | adduser anon
+CMD [ "/usr/sbin/sshd", "-D" ]
--- a/experiment-infra/proxy/docker-compose.yml
+++ b/experiment-infra/proxy/docker-compose.yml
@ -0,0 +1,19 @@
+services:
+  wireguard:
+    build: ../wireguard
+    cap_add:
+      - NET_ADMIN
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    secrets:
+      - wg-config
+    ports:
+      - 2222:22
+  
+  proxy:
+    build: ./
+    network_mode: "service:wireguard"
+
+secrets:
+  wg-config:
+    file: ./wireguard.conf
--- a/experiment-infra/proxy/wireguard.conf
+++ b/experiment-infra/proxy/wireguard.conf
@ -0,0 +1,10 @@
+[Interface]
+Address = 10.2.0.4/24
+PrivateKey = <censored>
+MTU = 1000
+
+[Peer]
+PublicKey = <censored>
+AllowedIps = 10.2.0.0/24
+Endpoint = vanrissenbeck.com:41415
+PersistentKeepalive = 10
--- a/experiment-infra/victim/Dockerfile
+++ b/experiment-infra/victim/Dockerfile
@ -0,0 +1,8 @@
+FROM debian:bookworm
+RUN apt update && apt -y install tor curl wireguard-tools
+COPY ./torrc /etc/tor/torrc
+COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
+COPY --chmod=700 ./script.sh /script.sh
+ENV TARGET="https://rsca.vanrissenbeck.com"
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "/script.sh" ]
--- a/experiment-infra/victim/docker-compose.yml
+++ b/experiment-infra/victim/docker-compose.yml
@ -0,0 +1,17 @@
+services:
+  wireguard:
+    build: ../wireguard
+    cap_add:
+      - NET_ADMIN
+    sysctls:
+      - net.ipv4.conf.all.src_valid_mark=1
+    secrets:
+      - wg-config
+
+  victim:
+    build: ./
+    network_mode: "service:wireguard"
+
+secrets:
+  wg-config:
+    file: ./wireguard.conf
--- a/experiment-infra/victim/entrypoint.sh
+++ b/experiment-infra/victim/entrypoint.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+tor &
+exec "$@"
--- a/experiment-infra/victim/script.sh
+++ b/experiment-infra/victim/script.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+while [ true ];
+do
+    printf "Fetching from $TARGET."
+    curl --silent --socks5 127.0.0.1:9050 $TARGET > /dev/null;
+    echo " Ok."
+    sleep 10;
+done;
--- a/experiment-infra/victim/torrc
+++ b/experiment-infra/victim/torrc
@ -0,0 +1,3 @@
+Bridge 10.2.0.3:443
+UseBridges 1
+StrictNodes 1
--- a/experiment-infra/victim/wireguard.conf
+++ b/experiment-infra/victim/wireguard.conf
@ -0,0 +1,10 @@
+[Interface]
+Address = 10.2.0.2/24
+PrivateKey = <censored>
+MTU = 1000
+
+[Peer]
+PublicKey = <censored>
+AllowedIps = 10.2.0.0/24
+Endpoint = vanrissenbeck.com:41415
+PersistentKeepalive = 10
--- a/experiment-infra/wireguard/Dockerfile
+++ b/experiment-infra/wireguard/Dockerfile
@ -0,0 +1,5 @@
+FROM alpine:latest
+RUN apk add wireguard-tools iptables
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+CMD [ "/entrypoint.sh" ]
--- a/experiment-infra/wireguard/entrypoint.sh
+++ b/experiment-infra/wireguard/entrypoint.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+## Hack to prevent wg-quick from failing when attempting
+## to change the net.ipv4.conf.all.src_valid_mark sysctl.
+## This sysctl is set by docker compose instead, making
+## the call unneccessary anyways.
+
+rm /sbin/sysctl
+printf "#!/bin/sh\ntrue \$@\n" > /sbin/sysctl
+chmod +x /sbin/sysctl
+
+cp /run/secrets/wg-config /etc/wireguard/wg0.conf
+wg-quick up wg0
+exec sleep infinite