christian.rossow/PG-RSCA-2526-TorAttack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

modified services to run on provided infrastructure

Browse Source
This commit is contained in:
Fabian van Rissenbeck 2025-05-28 14:23:59 +02:00
parent b9e13c776e
commit 83a0eb4cb3
No known key found for this signature in database
18 changed files with 64 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
experiment-infra/README.md Normal file
View File

@ -0,0 +1,32 @@
# Tor Experiment Infrastructure
## Available Systems
| IP | Domain | Location | Purpose |
|---:|:-------|:---------|:--------|
| 164.90.190.0 | rsca.vanrissenbeck.com | Frankfurt | Host a webservice, take measurements. |
| 95.85.53.75 | n.a. | Amsterdam | Host a private Tor guard node |
| 64.225.67.64 | n.a. | Amsterdam | Host a private Tor guard node |
## Containers
The `guard` container provides a single guard node, configured so that it
does not announce its IP to public indices. The container is configured
by two environment variables, `BIND_ADDRESS` and `NICKNAME`. The values
in the associated `docker-compose.yml` file are fine as they are.
kept in the `
The `victim` container provides the Tor service configured as a SOCKS5
proxy. It connects to one hard-coded guard node, specified using the
environment variable `GUARD`.
Both containers are stored in the `ghcr.io` registry under the tags
`ghcr.io/deinernstjetzt/rsca-guard` or `ghcr.io/deinernstjetzt/rsca-victim`
respectively.
## Exposed Ports
| Name | Host:Port |
|:---------|------------------|
| Guard #1 | 95.85.53.75:30720 |
| Guard #2 | 64.225.67.64:62268 |

6
experiment-infra/guard/Dockerfile
View File

@ -1,6 +1,6 @@
FROM debian:bookworm FROM debian:bookworm
RUN apt update && apt -y install tor RUN apt update && apt -y install tor
ARG BIND_ADDRESS="10.2.0.3"
COPY ./torrc /etc/tor/torrc COPY ./torrc /etc/tor/torrc
RUN sed -i "s/{bind-address}/${BIND_ADDRESS}/" /etc/tor/torrc COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
CMD [ "bash", "-c", "sleep 5; tor" ] ENTRYPOINT [ "/entrypoint.sh" ]
CMD [ "tor" ]

47
experiment-infra/guard/docker-compose.yml
View File

@ -1,41 +1,10 @@
services: services:
wg-target: guard:
build: ../wireguard image: ghcr.io/deinernstjetzt/rsca-guard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- source: wg-target
target: wg-config
wg-dummy:
build: ../wireguard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- source: wg-dummy
target: wg-config
target: environment:
build: BIND_ADDRESS: "0.0.0.0:12345"
dockerfile: ./Dockerfile NICKNAME: "simpletestguard"
args:
BIND_ADDRESS: "10.2.0.3" ports:
network_mode: "service:wg-target" - 12345:12345
dummy:
build:
dockerfile: ./Dockerfile
args:
BIND_ADDRESS: "10.2.0.6"
network_mode: "service:wg-dummy"
secrets:
wg-target:
file: ./wg-target.conf
wg-dummy:
file: ./wg-dummy.conf

5
experiment-infra/guard/entrypoint.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
sed -i "s/{bind-address}/${BIND_ADDRESS}/" /etc/tor/torrc
sed -i "s/{nickname}/${NICKNAME}/" /etc/tor/torrc
exec "$@"

6
experiment-infra/guard/torrc
View File

@ -1,6 +1,8 @@
AssumeReachable 1 AssumeReachable 1
PublishServerDescriptor 0 PublishServerDescriptor 0
ORPort {bind-address}:443 ORPort {bind-address}
Nickname localtestrelay Nickname {nickname}
RelayBandwidthRate 1 MB RelayBandwidthRate 1 MB
RelayBandwidthBurst 2 MB RelayBandwidthBurst 2 MB
SocksPort 0
ExitPolicy reject *:*

10
experiment-infra/guard/wg-dummy.conf
View File

@ -1,10 +0,0 @@
[Interface]
Address = 10.2.0.6/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

10
experiment-infra/guard/wg-target.conf
View File

@ -1,10 +0,0 @@
[Interface]
Address = 10.2.0.3/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

7
experiment-infra/proxy/Dockerfile
View File

@ -1,7 +0,0 @@
FROM alpine:latest
RUN apk add openssh
RUN ssh-keygen -A && \
sed -i 's/GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config && \
sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \
printf "<censored>\n<censored>\n" | adduser anon
CMD [ "/usr/sbin/sshd", "-D" ]

19
experiment-infra/proxy/docker-compose.yml
View File

@ -1,19 +0,0 @@
services:
wireguard:
build: ../wireguard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- wg-config
ports:
- 2222:22
proxy:
build: ./
network_mode: "service:wireguard"
secrets:
wg-config:
file: ./wireguard.conf

10
experiment-infra/proxy/wireguard.conf
View File

@ -1,10 +0,0 @@
[Interface]
Address = 10.2.0.4/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

6
experiment-infra/victim/Dockerfile
View File

@ -1,8 +1,6 @@
FROM debian:bookworm FROM debian:bookworm
RUN apt update && apt -y install tor curl wireguard-tools RUN apt update && apt -y install tor curl
COPY ./torrc /etc/tor/torrc COPY ./torrc /etc/tor/torrc
COPY --chmod=700 ./entrypoint.sh /entrypoint.sh COPY --chmod=700 ./entrypoint.sh /entrypoint.sh
COPY --chmod=700 ./script.sh /script.sh
ENV TARGET="https://rsca.vanrissenbeck.com"
ENTRYPOINT [ "/entrypoint.sh" ] ENTRYPOINT [ "/entrypoint.sh" ]
CMD [ "/script.sh" ] CMD [ "bash" ]

21
experiment-infra/victim/docker-compose.yml
View File

@ -1,17 +1,8 @@
services: services:
wireguard:
build: ../wireguard
cap_add:
- NET_ADMIN
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
secrets:
- wg-config
victim: victim:
build: ./ image: ghcr.io/deinernstjetzt/rsca-victim
network_mode: "service:wireguard" environment:
# Guard #1
secrets: GUARD: "95.85.53.75:30720"
wg-config: # Guard #2
file: ./wireguard.conf # GUARD: "64.225.67.64:62268"

4
experiment-infra/victim/entrypoint.sh
View File

@ -1,3 +1,5 @@
#!/bin/bash #!/bin/bash
sed -i "s/{guard}/${GUARD}/" /etc/tor/torrc
tor & tor &
exec "$@" exec "$@"

9
experiment-infra/victim/script.sh
View File

@ -1,9 +0,0 @@
#!/bin/bash
while [ true ];
do
printf "Fetching from $TARGET."
curl --silent --socks5 127.0.0.1:9050 $TARGET > /dev/null;
echo " Ok."
sleep 10;
done;

2
experiment-infra/victim/torrc
View File

@ -1,3 +1,3 @@
Bridge 10.2.0.3:443 Bridge {guard}
UseBridges 1 UseBridges 1
StrictNodes 1 StrictNodes 1

10
experiment-infra/victim/wireguard.conf
View File

@ -1,10 +0,0 @@
[Interface]
Address = 10.2.0.2/24
PrivateKey = <censored>
MTU = 1000
[Peer]
PublicKey = <censored>
AllowedIps = 10.2.0.0/24
Endpoint = vanrissenbeck.com:41415
PersistentKeepalive = 10

5
experiment-infra/wireguard/Dockerfile
View File

@ -1,5 +0,0 @@
FROM alpine:latest
RUN apk add wireguard-tools iptables
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD [ "/entrypoint.sh" ]

14
experiment-infra/wireguard/entrypoint.sh
View File

@ -1,14 +0,0 @@
#!/bin/sh
## Hack to prevent wg-quick from failing when attempting
## to change the net.ipv4.conf.all.src_valid_mark sysctl.
## This sysctl is set by docker compose instead, making
## the call unneccessary anyways.
rm /sbin/sysctl
printf "#!/bin/sh\ntrue \$@\n" > /sbin/sysctl
chmod +x /sbin/sysctl
cp /run/secrets/wg-config /etc/wireguard/wg0.conf
wg-quick up wg0
exec sleep infinite