/* listenForFilterRequest waits for a filter request from a client to come. Then, it verifies the authenticity of the request and takes the appropriate action based on the AITF filter request protocol. */ func listenForFilterRequest(mode complianceMode) { if handshakes == nil { handshakes = make(map[uint64](*filter.Request)) } /*Open up a UDP server on the filter request port and handle any messages that arrive.*/ serverAddr, err := net.ResolveUDPAddr("udp", ":54321") if err != nil { log.Fatal(err) } serverConn, err := net.ListenUDP("udp", serverAddr) if err != nil { log.Fatal(err) } defer serverConn.Close() buf := make([]byte, 5000) for { n, addr, _ := serverConn.ReadFromUDP(buf) /*Read a request from the UDP connection*/ var req filter.Request _, err := req.ReadFrom(bytes.NewBuffer(buf[:n])) if err != nil { log.Println(err) continue } /*Throw the request away if it is not authentic.*/ if !req.Authentic() { log.Println("Received a forged filter request!") continue } log.Println("Got", req.Type, "from", aitf.Hostname(addr.IP)) switch req.Type { case filter.FilterReq: /*When we receive a filter request, install a temporary filter and begin a counter-connection with the attacker's router. Also let the victim know that the attack should have stopped with a filter ACK. The filter is installed for the full filter time instead of the temporary time, but is automatically removed when we get a filter ACK.*/ filter.InstallFilter(req, filter.LongFilterTime, true) req.Type = filter.FilterAck req.Send(addr.IP) /*If we've blocked this filter before and it's still happening, escalate the filter and just block it here.*/ for _, req2 := range shadowFilters { if req2.SrcIP.Equal(req.SrcIP) && req2.DstIP.Equal(req.DstIP) { log.Println("Escalating request.") return } } req.Type = filter.CounterConnectionSyn req.Send(req.Flow.Path[0].IP) case filter.CounterConnectionSyn: if mode == comply || mode == lie { /*When we get a counter-connection SYN, continue the three-way handshake with a SYN-ACK. We don't install a filter until we get an ACK back with the right nonce.*/ req.Type = filter.CounterConnectionSynAck req.Nonce = uint64(rand.Int63()) handshakes[req.Nonce] = &req req.Send(addr.IP) } case filter.CounterConnectionSynAck: if mode == comply || mode == lie { /*When we receive a response to a counter-connection, complete the three-way handshake.*/ req.Type = filter.CounterConnectionAck req.Send(addr.IP) } case filter.CounterConnectionAck: if mode == comply || mode == lie { /*When we receive a counter-connection ACK, make sure we're actually waiting for a response to that handshake, then install a temporary filter.*/ originalReq := handshakes[req.Nonce] if originalReq == nil { log.Println("Received a forged three-way handshake:", req) continue } else { delete(handshakes, req.Nonce) } } if mode == comply { /*The filter is installed for the full filter time instead of the temporary time, but is automatically removed when we get a filter ACK.*/ filter.InstallFilter(req, filter.LongFilterTime, true) /*The attacker should be informed of its wrongdoing, and the victim's router should be informed that this router is complying with the request.*/ req.Type = filter.FilterReq req.Send(req.SrcIP) req.Type = filter.FilterAck req.Send(addr.IP) } case filter.FilterAck: if mode == comply { /*When we get acknowledgement of compliance with a filter, we can remove our temporary filter. Nobody lies on the internet.*/ filter.UninstallFilter(req, true) shadowFilters = append(shadowFilters, req) } } } }
/* listenForFilterRequest waits for a filter request from a router to come. Then, it verifies the authenticity of the request and takes some action. If action is comply, it filters the attack. If action is ignore, it logs the request but does nothing about it.comply If action is lie, it complies with the request but doesn't actually add a filter. */ func listenForFilterRequest(mode complianceMode) { /*Open up a UDP server on the filter request port and handle any messages that arrive.*/ serverAddr, err := net.ResolveUDPAddr("udp", ":54321") if err != nil { log.Fatal(err) } serverConn, err := net.ListenUDP("udp", serverAddr) if err != nil { log.Fatal(err) } defer serverConn.Close() buf := make([]byte, 5000) for { n, addr, _ := serverConn.ReadFromUDP(buf) /*Read a request from the UDP connection*/ var req filter.Request _, err := req.ReadFrom(bytes.NewBuffer(buf[:n])) if err != nil { log.Println(err) continue } log.Println("Got", req.Type, "from", aitf.Hostname(addr.IP)) switch req.Type { case filter.FilterReq: switch mode { case comply: log.Println("Complying with filter request...") /*If this host is okay with filter requests, add a firewall rule to block the requested flow and respond with an acknowledgement.*/ filter.InstallFilter(req, filter.LongFilterTime, false) req.Type = filter.FilterAck req.Send(addr.IP) case ignore: log.Println("Ignoring filter request...") case lie: log.Println("Pretending to comply with filter request...") /*If this host is a lier, send an acknowledgement without actually installing a filter rule.*/ req.Type = filter.FilterAck req.Send(addr.IP) } case filter.FilterAck: /*Do nothing. The routers should take care of mitigating the attack from now on.*/ default: /*Hosts shouldn't get any of the other message types.*/ log.Println("Unexpected filter request:", req) } } }