ei
/
mtg
mirror da https://github.com/9seconds/mtg
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Rilasci 48 Wiki Attività
Sfoglia il codice sorgente

Add documentation for antireplay package

tags/v2.0.0-rc1
9seconds 5 anni fa
parent
5d5b77d73b
commit
3661fe108d
6 ha cambiato i file con 63 aggiunte e 4 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 7
    0
      antireplay/doc.go
  2. 7
    2
      antireplay/init.go
  3. 3
    0
      antireplay/noop.go
  4. 12
    0
      antireplay/stable_bloom_filter.go
  5. 2
    2
      internal/cli/proxy.go
  6. 32
    0
      mtglib/init.go

+ 7
- 0
antireplay/doc.go Vedi File 

@@ -0,0 +1,7 @@
1 
+// Antireplay package has cache implementations that are effective
2 
+// against replay attacks.
3 
+//
4 
+// To understand more about replay attacks, please read documentation
5 
+// for mtglib.AntiReplayCache interface. This package has a list of some
6 
+// implementations of this interface.
7 
+package antireplay

+ 7
- 2
antireplay/init.go Vedi File 

@@ -1,6 +1,11 @@
1 1 
 package antireplay
2 2
3 3 
 const (
4 
-	DefaultMaxSize   = 1024 * 1024 // 1MiB
5 
-	DefaultErrorRate = 0.001
4 
+	// DefaultStableBloomFilterMaxSize is a recommended byte size for a
5 
+	// stable bloom filter.
6 
+	DefaultStableBloomFilterMaxSize = 1024 * 1024 // 1MiB
7 
+
8 
+	// DefaultStableBloomFilterErrorRate is a recommended default error
9 
+	// rate for a stable bloom filter.
10 
+	DefaultStableBloomFilterErrorRate = 0.001
6 11 
 )

+ 3
- 0
antireplay/noop.go Vedi File 

@@ -6,6 +6,9 @@ type noop struct{}
6 6
7 7 
 func (n noop) SeenBefore(_ []byte) bool { return false }
8 8
9 
+// NewNoop returns an implementation that does nothing. A corresponding
10 
+// method always returns false, so this cache accepts everything you
11 
+// pass to it.
9 12 
 func NewNoop() mtglib.AntiReplayCache {
10 13 
 	return noop{}
11 14 
 }

+ 12
- 0
antireplay/stable_bloom_filter.go Vedi File 

@@ -20,6 +20,18 @@ func (s *stableBloomFilter) SeenBefore(digest []byte) bool {
20 20 
 	return s.filter.TestAndAdd(digest)
21 21 
 }
22 22
23 
+// NewStableBloomFilter returns an implementation of AntiReplayCache
24 
+// based on stable bloom filter.
25 
+//
26 
+// http://webdocs.cs.ualberta.ca/~drafiei/papers/DupDet06Sigmod.pdf
27 
+//
28 
+// The basic idea of a stable bloom filter is quite simple: each time
29 
+// when you set a new element, you randomly reset P elements. There is a
30 
+// hardcore math which proves that if you choose this P correctly, you
31 
+// can maintain the same error rate for a stream of elements.
32 
+//
33 
+// byteSize is the number of bytes you want to give to a bloom filter  .
34 
+// errorRate is desired false-positive error rate                      .
23 35 
 func NewStableBloomFilter(byteSize uint, errorRate float64) mtglib.AntiReplayCache {
24 36 
 	sf := boom.NewDefaultStableBloomFilter(byteSize*8, errorRate) // nolint: gomnd
25 37 
 	sf.SetHash(xxhash.New64())

+ 2
- 2
internal/cli/proxy.go Vedi File 

@@ -93,8 +93,8 @@ func (c *Proxy) setupAntiReplayCache(opts *mtglib.ProxyOpts) {
93 93 
 	}
94 94
95 95 
 	opts.AntiReplayCache = antireplay.NewStableBloomFilter(
96 
-		c.Config.Defense.AntiReplay.MaxSize.Value(antireplay.DefaultMaxSize),
97 
-		c.Config.Defense.AntiReplay.ErrorRate.Value(antireplay.DefaultErrorRate),
96 
+		c.Config.Defense.AntiReplay.MaxSize.Value(antireplay.DefaultStableBloomFilterMaxSize),
97 
+		c.Config.Defense.AntiReplay.ErrorRate.Value(antireplay.DefaultStableBloomFilterErrorRate),
98 98 
 	)
99 99 
 }
100 100

+ 32
- 0
mtglib/init.go Vedi File 

@@ -33,7 +33,39 @@ type Network interface {
33 33 
 	MakeHTTPClient(func(ctx context.Context, network, address string) (net.Conn, error)) *http.Client
34 34 
 }
35 35
36 
+// AntiReplayCache is an interface that is used to detect replay attacks
37 
+// based on some traffic fingerprints.
38 
+//
39 
+// Replay attacks are probe attacks whose main goal is to identify if
40 
+// server software can be classified in some way. For example, if you
41 
+// send some HTTP request to a web server, then you can expect that this
42 
+// server will respond with HTTP response back.
43 
+//
44 
+// There is a problem though. Let's imagine, that connection is
45 
+// encrypted. Let's imagine, that it is encrypted with some static key
46 
+// like ShadowSocks (https://shadowsocks.org/assets/whitepaper.pdf).
47 
+// In that case, in theory, if you repeat the same bytes, you can get
48 
+// the same responses. Let's imagine, that you've cracked the key. then
49 
+// if you send the same bytes, you can decrypt a response and see its
50 
+// structure. Based on its structure you can identify if this server is
51 
+// SOCKS5, MTPROTO proxy etc.
52 
+//
53 
+// This is just one example, maybe not the best or not the most
54 
+// relevant. In real life, different organizations use such replay
55 
+// attacks to perform some reverse engineering of the proxy, do some
56 
+// statical analysis to identify server software.
57 
+//
58 
+// There are many ways how to protect your proxy against them. One
59 
+// is domain fronting which is a core part of mtg. Another one is to
60 
+// collect some 'handshake fingerprints' and forbid duplication.
61 
+//
62 
+// So, it one is sending the same byte flow right after you (or a couple
63 
+// of hours after), mtg should detect that and reject this connection
64 
+// (or redirect to fronting domain).
36 65 
 type AntiReplayCache interface {
66 
+	// Seen before checks if this set of bytes was observed before or
67 
+	// not. If it is required to store this information somewhere else,
68 
+	// then it has to do that.
37 69 
 	SeenBefore(data []byte) bool
38 70 
 }
39 71

Write Preview
Loading…
Annulla
Salva