Libresolve for Setting up Indirect Route with SSL Support

By Yu Cai

See below for the SCOLD testbed view graph of setting up an indirect route with SSL support using libresolve.

Steps:
1. The Client accesses the Target by hostname. libresolve on the Client queries the ClientDNS for name resolution, and the Client receives updated DNS records carrying the Alternate Route Proxy IP addresses instead of the normal Target IP address.
2. Inside libresolve, the Client sets up its end of the IP tunnel between the Proxy and the Client. It also contacts the Proxy, which resets its routing table and firewall rules, sets up its end of the IP tunnel between the Proxy and the Client, and sets up the tunnel between the Proxy and the Gateway.
3. The Proxy contacts the Gateway, which resets its routing table and firewall rules and sets up its end of the IP tunnel between the Proxy and the Gateway.
4. The Proxy contacts the Target, which resets its routing table and firewall rules.
5. The indirect route is now set up, and the Client can reach the Target over it.

Notes:
1) A SCOLD server daemon process runs on the Client, Proxy, Gateway and Target, listening on port 5115.
2) All communications are SSL encrypted and mutually authenticated.
3) Only the Proxy is exposed to the Client; it acts as the front line against possible DDoS attacks from malicious clients. Malicious clients therefore cannot locate the Coordinator and Gateway to launch a DDoS attack against them.

Advantages and disadvantages:
1) Once the IP tunnel is set up, all upper-layer applications and protocols, such as HTTP, FTP and ICMP, can use it transparently.
2) The IP tunnel adds overhead: the response time usually increases by 100%-200%. Compared with the impact of a DDoS attack, this overhead is still acceptable.
3) Changes on the client are limited to the libresolve library. However, libresolve is only invoked when the client queries the target by hostname; if the client addresses the target by IP, libresolve is not called.
4) Requires an updated DNS server and BIND software to support the ALT record type.
5) Requires a whole set of participating proxy servers. Even if one proxy is down, the remaining proxy servers can still be used to set up the indirect route.
6) All communications are SSL encrypted and mutually authenticated.


Below is a brief summary on SCOLD Daemon.

Compilation
-----------
make
When you run make, you will be asked to enter the parameters for the certificate.
There is one server program, scolds, and one client program, scoldc, which communicate over an SSL connection.

Running
-------
Go to ~ycai/sslres.
On the proxy, gateway and target, run the SCOLD server daemon:
./scolds.sh

On the SCOLD client, check that /lib/libresolv is the updated version.
Then, when you query the target by hostname, libresolv is called and sets up the indirect route if needed.

To stop the daemon, issue the following command:
./shutdown.sh

Verify IPIP tunnel
--------------------
Run "ifconfig" or "ip link show"; you should see the IP tunnel configuration.
Run "netstat -i" several times; you should see the IP tunnel traffic counters increase.
Run "traceroute" before and after the IP tunnel is set up; once the tunnel is up, the intermediate IP hops are no longer visible.
Run "lynx http://128.198.60.201" for web access and "ssh -l root 128.198.60.201" for ssh.
Run "ifconfig tunl1 down" to shut down the tunnel.
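The "ip link show" and "netstat -i" checks above, as an added script that is not part of the SCOLD sources: it applies the same two criteria (tunnel device present and flagged UP, receive counters increasing between two reads) to constructed sample output so it runs offline. tunl1 is taken from the shutdown command above; IP_LINK_OUT, SNAP1 and SNAP2 are constructed data and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SCOLD sources: automate the "Verify IPIP tunnel"
# checks from the data "ip link show" and "netstat -i" display. The command output
# and the two /proc/net/dev snapshots are constructed; on a live host feed in
# "$(ip link show)" and two reads of /proc/net/dev taken a few seconds apart.

# Constructed "ip link show" output: tunl0 is the kernel's default IPIP device
# (left DOWN), tunl1 is the tunnel the SCOLD scripts bring up.
IP_LINK_OUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
4: tunl1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN'

# Constructed /proc/net/dev snapshots (netstat -i shows the same counters).
# Columns: iface: rx_bytes rx_packets ... ; tunl1 and its carrier eth0 move
# between the two reads, lo does not.
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  904312    8123    0    0    0     0          0         0   612300    7011    0    0    0     0       0          0
 tunl1:   50120     410    0    0    0     0          0         0    48800     402    0    0    0     0       0          0'
SNAP2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  911890    8190    0    0    0     0          0         0   618500    7072    0    0    0     0       0          0
 tunl1:   61340     513    0    0    0     0          0         0    59900     498    0    0    0     0       0          0'

# tunnel_is_up NAME LINK_OUTPUT: succeeds if NAME exists and carries the UP flag
# (LOWER_UP alone is not enough; "state UNKNOWN" is normal for a tunnel device).
tunnel_is_up() {
    printf '%s\n' "$2" | grep -Eq "^[0-9]+: $1(@[^:]+)?: <([^>]*,)?UP[,>]"
}

# rx_packets NAME SNAPSHOT: prints the receive packet counter for NAME.
# Splitting on ':' copes with /proc/net/dev gluing the name to the first number.
rx_packets() {
    printf '%s\n' "$2" | awk -F: -v dev="$1" \
        '{ sub(/^ +/, "", $1) } $1 == dev { split($2, f, " "); print f[2] }'
}

# tunnel_carries_traffic NAME SNAP_BEFORE SNAP_AFTER: succeeds if NAME received
# more packets in the second snapshot than in the first.
tunnel_carries_traffic() {
    before=$(rx_packets "$1" "$2"); after=$(rx_packets "$1" "$3")
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -gt "$before" ]
}

# verify_tunnel NAME: one-line verdict an operator can act on.
verify_tunnel() {
    if ! tunnel_is_up "$1" "$IP_LINK_OUT"; then echo "$1: not present or not UP"; return 1; fi
    if ! tunnel_carries_traffic "$1" "$SNAP1" "$SNAP2"; then echo "$1: up but idle"; return 2; fi
    echo "$1: up and carrying traffic"
}

verify_tunnel tunl1
```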

The source code and related configuration scripts of the SCOLD daemon are available under the ~ycai/sslres directory on the client, proxy, gateway and target machines.

Other possible schemes:

1) NAT proxy scheme:

In this scheme, the proxy server functions like a NAT server. The ClientDNS records contain IP address - hostname pairs; the hostname is still the target name, but the IP address is the proxy IP. Client traffic towards the target is therefore routed to the Proxy, which performs the NAT translation and forwards the traffic to the Target through the Gateway.

This scheme requires no changes on the Client and very few changes on the ClientDNS to enable dynamic DNS updates.
However, it has a scalability problem with a large number of protected targets, because it requires the proxy server to reserve a matching number of IP addresses, one per Target.
Also, the client does not get the real IP of the target, which might cause problems with some applications or raise false IP-spoofing alerts.