christian.rossow/PG-RSCA-2526-TorAttack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added docker compose files for the experiment infrastructure

Browse Source
This commit is contained in:
Fabian van Rissenbeck 2025-05-22 16:39:01 +02:00
parent 9841dffb82
commit 3a17003bfd
No known key found for this signature in database
16 changed files with 152 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -100,3 +100,11 @@ service should be publicly visible under the domain
through the TOR network about every 10 seconds. If you through the TOR network about every 10 seconds. If you
used the `http.server` example, a directory listing should used the `http.server` example, a directory listing should
be visible on that domain. be visible on that domain.
## Some Related Work
[We Built This Circuit: Exploring Threat Vectors in Circuit Establishment in Tor](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9581198)
[Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor](https://www.usenix.org/system/files/sec19-jansen.pdf)
[TagIt: Tagging Network Flows using Blind Fingerprints](https://petsymposium.org/popets/2017/popets-2017-0050.pdf)

4
experiment-infra/guard/Dockerfile Normal file
View File

@ -0,0 +1,4 @@
FROM debian:bookworm
RUN apt update && apt -y install tor
COPY ./torrc /etc/tor/torrc
CMD [ "tor" ]

17
experiment-infra/guard/docker-compose.yml Normal file
View File

@ -0,0 +1,17 @@
services:
wireguard:
build: ../wireguard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- wg-config
guard:
build: ./
network_mode: "service:wireguard"
secrets:
wg-config:
file: ./wireguard.conf

8
experiment-infra/guard/torrc Normal file
View File

@ -0,0 +1,8 @@
AssumeReachable 1
PublishServerDescriptor 0
ORPort 10.2.0.3:443
Nickname localtestrelay
RelayBandwidthRate 1 MB
RelayBandwidthBurst 2 MB
# ORPort 10.2.0.3:443 NoAdvertise
# Address 10.2.0.3

10
experiment-infra/guard/wireguard.conf Normal file
View File

@ -0,0 +1,10 @@
[Interface]
Address = 10.2.0.3/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

7
experiment-infra/proxy/Dockerfile Normal file
View File

@ -0,0 +1,7 @@
FROM alpine:latest
RUN apk add openssh
RUN ssh-keygen -A && \
sed -i 's/GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config && \
sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \
printf "<censored>\n<censored>\n" | adduser anon
CMD [ "/usr/sbin/sshd", "-D" ]

19
experiment-infra/proxy/docker-compose.yml Normal file
View File

@ -0,0 +1,19 @@
services:
wireguard:
build: ../wireguard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- wg-config
ports:
- 2222:22
proxy:
build: ./
network_mode: "service:wireguard"
secrets:
wg-config:
file: ./wireguard.conf

10
experiment-infra/proxy/wireguard.conf Normal file
View File

@ -0,0 +1,10 @@
[Interface]
Address = 10.2.0.4/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

8
experiment-infra/victim/Dockerfile Normal file
View File

@ -0,0 +1,8 @@
FROM debian:bookworm
RUN apt update && apt -y install tor curl wireguard-tools
COPY ./torrc /etc/tor/torrc
COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
COPY --chmod=700 ./script.sh /script.sh
ENV TARGET="https://rsca.vanrissenbeck.com"
ENTRYPOINT [ "/entrypoint.sh" ]
CMD [ "/script.sh" ]

17
experiment-infra/victim/docker-compose.yml Normal file
View File

@ -0,0 +1,17 @@
services:
wireguard:
build: ../wireguard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- wg-config
victim:
build: ./
network_mode: "service:wireguard"
secrets:
wg-config:
file: ./wireguard.conf

3
experiment-infra/victim/entrypoint.sh Normal file
View File

@ -0,0 +1,3 @@
#!/bin/bash
tor &
exec "$@"

9
experiment-infra/victim/script.sh Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
while [ true ];
do
printf "Fetching from $TARGET."
curl --silent --socks5 127.0.0.1:9050 $TARGET > /dev/null;
echo " Ok."
sleep 10;
done;

3
experiment-infra/victim/torrc Normal file
View File

@ -0,0 +1,3 @@
Bridge 10.2.0.3:443
UseBridges 1
StrictNodes 1

10
experiment-infra/victim/wireguard.conf Normal file
View File

@ -0,0 +1,10 @@
[Interface]
Address = 10.2.0.2/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

5
experiment-infra/wireguard/Dockerfile Normal file
View File

@ -0,0 +1,5 @@
FROM alpine:latest
RUN apk add wireguard-tools iptables
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD [ "/entrypoint.sh" ]

14
experiment-infra/wireguard/entrypoint.sh Normal file
View File

@ -0,0 +1,14 @@
#!/bin/sh
## Hack to prevent wg-quick from failing when attempting
## to change the net.ipv4.conf.all.src_valid_mark sysctl.
## This sysctl is set by docker compose instead, making
## the call unneccessary anyways.
rm /sbin/sysctl
printf "#!/bin/sh\ntrue \$@\n" > /sbin/sysctl
chmod +x /sbin/sysctl
cp /run/secrets/wg-config /etc/wireguard/wg0.conf
wg-quick up wg0
exec sleep infinite