Daemon Process for Setting up IPIP Tunnels with SSL Support

By Yu Cai

A daemon server process named "scolds" runs on the client, proxy, gateway and target machines.
It listens on port "5115", waits for messages from the SCOLD coordinator, and sets up IPIP tunnels automatically.
Communication between the coordinator, client, proxy, gateway and target is SSL encrypted and mutually authenticated.

See below for the SCOLD testbed view graph.

Steps:
1. The Target is attacked and notifies the Coordinator.
2. The Coordinator talks to the Target to reset the routing table and firewall rules.
3. The Coordinator talks to the Gateway to reset the routing table and firewall rules, and to set up one end of the IP tunnel between Proxy and Gateway.
4. The Coordinator talks to the Proxy to reset the routing table and firewall rules, to set up one end of the IP tunnel between Proxy and Gateway, and to set up one end of the IP tunnel between Proxy and Client.
5. The Proxy talks to the Client to reset the routing table and firewall rules, and to set up one end of the IP tunnel between Proxy and Client.
6. The indirect route is set up. The Client will access the Target via the indirect route.

Notes:
1) A SCOLD server daemon process runs on the Client, Proxy, Gateway and Target, listening on port 5115.
2) All communication in steps 1-6 above is SSL encrypted and mutually authenticated.
3) Only the Proxy is exposed to the Client, and it acts as the front line against possible DDoS attacks from malicious clients. In this way, malicious clients will not be able to find the Coordinator and Gateway and launch DDoS attacks against them.

 

Below is a brief summary of the SCOLD daemon.

Compilation
-----------
make

Running
-------
On the client, proxy, gateway and target:
./run

On the SCOLD coordinator:
./client

To stop the daemon, issue the following command:
kill -9 $(pidof scoldd)

Testing
------------
The coordinator talks to the client 128.198.61.51 on port 5111:

openssl s_client -connect 128.198.61.51:5111 -showcerts -cert certificate/ctestssl/cert/clicert.pem -key certificate/ctestssl/private/private.key -CAfile certificate/ctestssl/ca/cacert.pem


Creating certificate
---------------------
On the client, proxy, gateway and target machines:
Go to the certificate directory.
Run "test.sh" and input the information as required.
The testssl directory contains the server certificate and private key.
The ctestssl directory contains the client certificate and private key.
Copy testssl to the server's testssl directory.
Copy ctestssl to the client's ctestssl directory (on the coordinator).


Verify IPIP tunnel
--------------------
Run "ifconfig" or "ip link show"; you should see the IP tunnel configuration.
Run "netstat -i" several times; you should see IP tunnel traffic.
Run "traceroute" before and after the IP tunnel; you will not be able to see the IP hops after the IP tunnel.
Run "lynx http://128.198.60.201" for web access, or "ssh -l root 128.198.60.201" for ssh.
Run "ifconfig tunl1 down" to shut down the tunnel.

The source code and related configuration script of the SCOLD daemon are available under the Src directory.
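
The checks in the "Verify IPIP tunnel" section can be scripted. The following is an added example, not part of the SCOLD source: it reads "ip tunnel show" output and confirms that a tunnel device such as tunl1 is in IPIP mode and terminates at the expected endpoints. The 192.0.2.x addresses and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SCOLD code). Verifies one tunnel device from the
# output of `ip tunnel show`, read on stdin.
# usage: ip tunnel show | check_ipip_tunnel DEV LOCAL_ADDR REMOTE_ADDR
# returns: 0 = ok, 1 = wrong mode or endpoints, 2 = device not present
check_ipip_tunnel() {
    awk -v dev="$1" -v want_local="$2" -v want_remote="$3" '
        $1 == (dev ":") {
            found = 1
            mode = $2
            # endpoints appear as "remote ADDR" and "local ADDR" pairs
            for (i = 3; i < NF; i++) {
                if ($i == "remote") remote = $(i + 1)
                if ($i == "local")  loc = $(i + 1)
            }
        }
        END {
            if (!found) { print dev ": not present"; exit 2 }
            if (mode != "ip/ip") {
                print dev ": mode " mode ", expected ip/ip"
                exit 1
            }
            if (loc != want_local || remote != want_remote) {
                print dev ": endpoints " loc " -> " remote \
                      ", expected " want_local " -> " want_remote
                exit 1
            }
            print dev ": ok (" loc " -> " remote ")"
        }'
}

# Constructed sample of `ip tunnel show` output (assumed addresses).
SAMPLE_TUNNELS='tunl0: any/ip remote any local any ttl inherit nopmtudisc
tunl1: ip/ip remote 192.0.2.10 local 192.0.2.20 ttl inherit'

# Demo on the constructed sample; on a live host, pipe `ip tunnel show` instead.
printf '%s\n' "$SAMPLE_TUNNELS" | check_ipip_tunnel tunl1 192.0.2.20 192.0.2.10
```

A non-zero return after the daemon reports success means the tunnel is missing or points at an endpoint other than the one the coordinator assigned.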