chhoyhopper: moving target defense in IPv6

chhoyhopper

With the server program, an IPv6 service will be provided at a moving IPv6 address. The client program will find out the correct, current IPv6 address, which is a function of the time, shared secret, and salt. Server and client must share a key before making the connection.

  • chhoyhopper-2.11.tar.gz (2021-11-08); current release

    • https server support
    • https add-on for mozilla firefox
    • sha-256
    • bug fixed to keep the interface ipv6 address

  • chhoyhopper-1.3.tar.gz (2021-03-30)

    First public release at ANT.

COMPONENTS

chhoyhopper implements a moving target defense for services in IPv6. The server hops among different IPv6 addresses, and the client knows which one to go to based on a shared secret.

chhoyhopper consists of:

  • chhoyhopper-server: Implements a moving target defense, where the server IPv6 address changes over time.
  • chhoyhopper-client: This program finds the valid IPv6 address to connect to the moving server.
  • chhoyhopper-client (browser extension): This browser extension intercepts the chhoyhopper URL, and redirects the clients to the moving server. The current version only supports Mozilla Firefox.

chhoyhopper is written by ASM Rizvi at the University of Southern California.

SERVER

With this tool, one can run the server for SSH or HTTPS applications and select which application to run.

With this program, an IPv6 service will be provided at a moving IPv6 address. The service runs on another IP address and this program forwards traffic to that service IP from an IPv6 address that depends on the current time, a shared secret, and a salt value.

By default the service address changes every minute. We account for clock skew with a grace period of up to 60s.

By default, the service is ssh on prefix::f. To override this, select the translated address with --to.

The key is provided in a file via --keyfile. The key is arbitrary binary data; the keyfile can hold any content. The client must use the same keyfile.

By default we hop over the entire /64 on the given interface.

This daemon runs forever, changing the address regularly.

This program inserts ip6tables NAT and INPUT filter rules. The NAT rules are inserted at the top of the table and translate the temporary IPv6 address to the actual server address. The INPUT filter rule is placed at the top of the INPUT chain and drops packets that are not addressed to the actual server address. A packet must pass both the NAT rule and the INPUT chain rule to reach the service, so no one can reach the IPv6 server without computing the current IPv6 address; even targeting the actual server address will not succeed. The program also inserts rules that keep already established connections alive, and it automatically assigns the IPv6 address to the interface. When the lifetime of an address is over, it stops the service at that address and deletes the NAT rules and interface addresses.
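The rule set described above, written out as an added example that is not chhoyhopper's own code: it builds the ip6tables and ip commands as argv lists so they can be reviewed in a dry run before they touch the system. The exact rules, their chain positions, the conntrack DNAT check used to reject direct hits on the real address, the interface name eth0 and the sample addresses are all assumptions; the page does not print the rules it installs.

```python
# Added example; not chhoyhopper's own code. Expresses the NAT and INPUT
# rules the text describes as argv lists so they can be reviewed in a dry
# run before being applied. The exact rules, their positions and the
# conntrack DNAT check are assumptions; the page does not print them.
import ipaddress
import subprocess


def base_filter_rules(real_addr, port):
    """Persistent INPUT rules, inserted once when the daemon starts.

    Resulting chain order, top down:
      1. keep established/related flows alive across hops
      2. accept traffic to the real address only if the NAT table already
         rewrote it from a hop address (conntrack DNAT state)
      3. drop everything else to the service port: stale hop addresses and
         direct hits on the real address alike
    """
    real = str(ipaddress.IPv6Address(real_addr))
    svc = ["-p", "tcp", "--dport", str(port)]
    return [
        ["ip6tables", "-I", "INPUT", "1", "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["ip6tables", "-I", "INPUT", "2", "-d", real, *svc,
         "-m", "conntrack", "--ctstate", "DNAT", "-j", "ACCEPT"],
        ["ip6tables", "-I", "INPUT", "3", *svc, "-j", "DROP"],
    ]


def hop_rules(iface, hop_addr, real_addr, port, add=True):
    """Commands that open (add=True) or close (add=False) one hop address.

    Opening: assign the address to the interface, then put the DNAT rule at
    the top of PREROUTING. Closing runs the same steps in reverse, which is
    what the daemon does once an address's lifetime (plus grace) is over.
    """
    hop = str(ipaddress.IPv6Address(hop_addr))
    real = str(ipaddress.IPv6Address(real_addr))
    match = ["-d", hop, "-p", "tcp", "--dport", str(port),
             "-j", "DNAT", "--to-destination", f"[{real}]:{port}"]
    if add:
        return [
            ["ip", "-6", "addr", "add", f"{hop}/64", "dev", iface],
            ["ip6tables", "-t", "nat", "-I", "PREROUTING", "1", *match],
        ]
    return [
        ["ip6tables", "-t", "nat", "-D", "PREROUTING", *match],
        ["ip", "-6", "addr", "del", f"{hop}/64", "dev", iface],
    ]


def apply_commands(cmds, dry_run=True, verbose=False):
    """Run the commands in order (needs root); a dry run only returns them.
    verbose mirrors the server's --verbose flag: print each command first."""
    for c in cmds:
        if verbose:
            print(" ".join(c))
        if not dry_run:
            subprocess.run(c, check=True)
    return cmds


if __name__ == "__main__":
    # constructed sample values: eth0 is assumed; prefix::f is the page default
    plan = base_filter_rules("2001:db8:1:2::f", 22)
    plan += hop_rules("eth0", "2001:db8:1:2::1234:5678", "2001:db8:1:2::f", 22)
    apply_commands(plan, dry_run=True, verbose=True)
```

Deleting a hop's PREROUTING rule does not tear down flows that were already translated: conntrack keeps the DNAT mapping for those connections, and rule 1 of the INPUT chain keeps accepting them, which is how established sessions survive the hop while new connection attempts to the stale address are dropped.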

To run HTTPS on the server side, one needs to run a DNS service and update the DNS entry every minute. In our implementation we use knot for dynamic DNS. One can install knot on a Linux machine with the standard installation command and then start it with sudo systemctl start knot. Our tool assumes knot is already installed and uses knot commands to update DNS entries.

CLIENT

An IPv6 server will be hopping around over different IPv6 addresses. This program will find out the correct, current IPv6 address, which is a function of the time, shared secret, and salt. Server and client must share a key before making the connection.
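The address computation that the server, the client and the browser extension all perform, as an added example that is not chhoyhopper's own code: it derives the address for a given minute from the /64 prefix, the key file contents and the salt, and lists the addresses a peer should accept while the clock-skew grace period overlaps two minutes. The page states only that the address is a function of time, shared secret and salt, that it changes every minute with a 60s grace period, and that SHA-256 is used; the HMAC-SHA256 layout below, the prefix and the sample key are assumptions. Resolving a domain name to its /64 with dnspython, as the real tool does, is left out so the example runs offline.

```python
# Added example; not chhoyhopper's own code. Derives the hopping IPv6
# address from the time, the shared key and the salt, and lists the
# addresses a peer should accept during the clock-skew grace period.
# The page does not describe the exact hash layout; the HMAC-SHA256
# construction here is an assumption used for illustration.
import hashlib
import hmac
import ipaddress

PERIOD = 60   # the service address changes every minute (page default)
GRACE = 60    # clock-skew grace period in seconds (page default)


def read_key(path):
    """The key file is arbitrary binary data shared by server and client."""
    with open(path, "rb") as f:
        return f.read()


def hop_address(prefix, key, salt, epoch_second):
    """Address valid during the one-minute slot that contains epoch_second.

    prefix: the /64 the server hops over, e.g. "2001:db8:1:2::/64".
    key:    bytes read from the shared key file.
    salt:   integer salt (page default 4750).
    The interface identifier is the low 64 bits of
    HMAC-SHA256(key, "<salt>:<slot>") -- assumed construction.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("chhoyhopper hops over a /64 prefix")
    slot = int(epoch_second) // PERIOD
    digest = hmac.new(key, f"{salt}:{slot}".encode(), hashlib.sha256).digest()
    iid = int.from_bytes(digest[-8:], "big")
    # the /64 network address has a zero low half, so OR places the IID there
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def candidate_addresses(prefix, key, salt, now):
    """Addresses to accept at time `now`: the current slot first, then the
    previous and next slots that the grace period covers, without duplicates.
    The server keeps these assigned; a client may try them in this order."""
    addrs = []
    for t in (now, now - GRACE, now + GRACE):
        a = hop_address(prefix, key, salt, t)
        if a not in addrs:
            addrs.append(a)
    return addrs


def seconds_until_hop(now):
    """How long the current address stays primary before the next hop."""
    return PERIOD - int(now) % PERIOD


if __name__ == "__main__":
    import time
    key = b"constructed-sample-key"        # stands in for read_key(path)
    now = int(time.time())
    for a in candidate_addresses("2001:db8:1:2::/64", key, 4750, now):
        print(a)
    print("next hop in", seconds_until_hop(now), "s")
```

Because only the low 64 bits of the digest are used, the hop address always stays inside the interface's /64 as the page describes, and two hosts agree on the address as long as their clocks are within the grace period and their key file and salt are identical.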

CLIENT BROWSER EXTENSION

This browser extension intercepts the chhoyhopper URLs and redirects the clients to the moving target. We currently support Mozilla Firefox. This extension takes input from users for Chhoyhopper domain, corresponding key and salt values. Then when a client wants to connect to the Chhoyhopper domain, the web extension computes the right moving target address, and redirects the request to that moving address.

INSTALLATION:

Dependency: dnspython3, knot (for HTTPS)

To install type: sudo python3 setup.py install

It will automatically install dnspython3, chhoyhopper-client and chhoyhopper-server.

dnspython3 will be used to translate the domain name to an IPv6 address.

To install knot on a Linux machine, use sudo * install knot, substituting your distribution's package manager for * (knot is required for the HTTPS server).

For the browser extension on the client end, type about:debugging#/runtime/this-firefox in the address bar and load the chhoyhopper extension's background.js. Alternatively, install the web-ext application with npm install --global web-ext, and then use web-ext run to run the extension.

SYNOPSIS

chhoyhopper-server [--address=IPv6 address OR domain name] [--dnskey=DNS key] [--keyfile=key file path] [--nameserver=DNS nameserver address] [--salt=constant] [--to=IPv6 address] [--utility=service] [--verbose]

chhoyhopper-client [--address=IPv6 address OR domain name] [--keyfile=key file path] [--salt=constant] [--service=application]

SERVER OPTIONS

--address=IPv6 address OR domain name
IPv6 address or domain name on which to open the service; default is the hostname. This code assumes there is an AAAA record for the given domain name.
--dnskey=DNS key
DNS key to update DNS record.
--keyfile=key file path
Path of the key file. This key file should be shared with the client. Default is ./chhoyhopper_key.bin.
--nameserver=DNS nameserver address
DNS server address to update the DNS record.
--salt=constant
Salt for hashing, default is 4750. Client should use the same salt.
--to=IPv6 address
Internal IPv6 server address, default is prefix::f. The NAT rule translates the dummy (hopping) address to this address.
--utility=Service description
Service: SSH / HTTP / HTTPS.
--verbose
Print the system commands executed by this program; off by default.

CLIENT OPTIONS

--address=IPv6 address OR domain name
IPv6 address or domain name to connect to. The client must be given the address of the service.
--keyfile=key file path
Path of the key file. This key file must be the same one the server uses. Default is ./chhoyhopper_key.bin.
--salt=constant
Salt for hashing, default is 4750. Server should use the same salt.
--service=application
Service to connect, default is ssh.

EXAMPLE

Server

Running hopping for ssh on prefix::f, exporting the service using vm18.ant.isi.edu's /64 prefix:

  1. Opening service for hostname (default): chhoyhopper-server

  2. Opening service for vm18.ant.isi.edu: chhoyhopper-server --address vm18.ant.isi.edu

  3. or by IP address: chhoyhopper-server --address 2001:1878:401::8009:1d15 (note that the hopping address will be anywhere in 2001:1878:401::/64, not at this public IP address.)

  4. changing key file (this should be shared with clients, default is ./chhoyhopper_key.bin): chhoyhopper-server --keyfile "/tmp/private.bin"

  5. For HTTP(S) service: the HTTPS service needs to update the DNS record every minute and assumes knot is already installed (see the installation instructions). One needs to provide the nameserver IP and DNS key: chhoyhopper-server --address example.com --keyfile /tmp/private.bin --utility HTTPS --nameserver IP --dnskey hmac-sha512:client_key_name:generated-key

Client

An IPv6 client wants to connect to a moving server. The address parameter is mandatory. The following three commands are examples of using the client tool for SSH:

  1. Connecting to vm18.ant.isi.edu: chhoyhopper-client --address vm18.ant.isi.edu

  2. Connecting to 2001:1878:401::8009:1d15: chhoyhopper-client --address 2001:1878:401::8009:1d15

  3. Using a different key file (default is ./chhoyhopper_key.bin): chhoyhopper-client --address 2001:1878:401::8009:1d15 --keyfile /tmp/private.bin

Client browser extension

Click on the IP6 icon. Sample input values:

  1. URL: example.com (this will intercept any URL that contains example.com)
  2. Key: Browse the key file
  3. Salt: salt value

Then type https://example.com in the URL input field.