With the server program, an IPv6 service will be provided at a moving IPv6 address. The client program will find out the correct, current IPv6 address, which is a function of the time, shared secret, and salt. Server and client must share a key before making the connection.
First public release at ANT.
chhoyhopper does a moving target defense for services in IPv6. The server hops around on different IPv6 addresses, and the client knows which address to go to based on a shared secret.
chhoyhopper consists of:

chhoyhopper-server
: Implements a moving target defense, where the server IPv6 address changes over time.

chhoyhopper-client
: This program finds the valid IPv6 address to connect to the moving server.

chhoyhopper-client (browser extension)
: This browser extension intercepts the chhoyhopper URL and redirects the clients to the moving server. The current version only supports Mozilla Firefox.

chhoyhopper is written by ASM Rizvi at the University of Southern California.
With this program, an IPv6 service will be provided at a moving IPv6 address. The service runs on another IP address and this program forwards traffic to that service IP from an IPv6 address that depends on the current time, a shared secret, and a salt value.
By default the service address changes every minute. We account for clock skew with a grace period of up to 60s.
By default, the service is ssh on prefix::f. To override this, select the translated address with --to.
The key is provided in a file via --keyfile.
The key is arbitrary binary data.
By default we hop over the entire /64 on the given interface.
This daemon runs forever, changing the address regularly.
This program inserts ip6tables NAT and INPUT filter rules. The NAT rules are inserted at the top of the table and translate the temporary IPv6 address to the actual server address. The INPUT filter rule is placed at the top of the INPUT chain and drops packets that do not carry the actual server address. A packet needs to pass both the NAT and the INPUT chain rule to reach the service. No one can reach the IPv6 server without computing the current IPv6 address; even targeting the actual server address directly will not succeed. This program also inserts rules to keep already established connections alive, and it automatically assigns the current IPv6 address to the interface. When the lifetime of an address is over, it stops the service at that address and deletes the corresponding NAT rules and interface addresses.
An IPv6 server will be hopping around over different IPv6 addresses. This program will find out the correct, current IPv6 address, which is a function of the time, shared secret, and salt. Server and client must share a key before making the connection.
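To make the server and client descriptions above concrete, here is an added example (not chhoyhopper's own code). It assumes an HMAC-SHA256 construction keyed with the shared secret over the salt and a per-minute counter, truncated to a 64-bit interface identifier so hops spread over the whole /64; the page only states that the address is a function of time, key and salt, not how they are combined. The key, salt and the 2001:db8::/64 documentation prefix are constructed values.

```python
import hashlib
import hmac
import ipaddress
import time

HOP_INTERVAL = 60  # seconds: the service address changes every minute
GRACE = 60         # seconds of clock skew tolerated (grace period of up to 60s)


def hop_address(prefix, key, salt, epoch_sec):
    """Return the moving address for the minute that contains epoch_sec.

    Assumed construction (not chhoyhopper's actual one): HMAC-SHA256 keyed
    with the shared secret over salt || minute counter, truncated to 64 bits
    and used as the interface identifier, so hops cover the whole /64.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("hopping needs a /64 prefix; got /%d" % net.prefixlen)
    minute = epoch_sec // HOP_INTERVAL
    mac = hmac.new(key, salt + minute.to_bytes(8, "big"), hashlib.sha256).digest()
    iid = int.from_bytes(mac[:8], "big")
    return net.network_address + iid


def client_candidates(prefix, key, salt, epoch_sec, grace=GRACE):
    """Addresses a client should try, in order, allowing +/- grace seconds of skew.

    The current minute's address comes first; neighbouring minutes are added
    only when the grace window actually reaches into them (no duplicates).
    """
    out = []
    for t in (epoch_sec, epoch_sec - grace, epoch_sec + grace):
        addr = hop_address(prefix, key, salt, t)
        if addr not in out:
            out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed demo values: documentation prefix, toy key and salt.
    KEY, SALT, PREFIX = b"constructed-shared-secret", b"constant", "2001:db8::/64"
    now = int(time.time())
    print("server listens on", hop_address(PREFIX, KEY, SALT, now))
    print("client will try  ", [str(a) for a in client_candidates(PREFIX, KEY, SALT, now)])
```

A client whose clock is within 60s of the server's will find the live address among the three candidates; a client with a different key or salt computes addresses in the same /64 that the server never listens on.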
This browser extension intercepts the chhoyhopper URLs and redirects the clients to the moving target. We currently support Mozilla Firefox. This extension takes input from users for Chhoyhopper domain, corresponding key and salt values. Then when a client wants to connect to the Chhoyhopper domain, the web extension computes the right moving target address, and redirects the request to that moving address.
Dependency: dnspython3
To install, type: sudo python3 setup.py install
It will automatically install dnspython3, chhoyhopper-client and chhoyhopper-server.
For the browser extension, type about:debugging#/runtime/this-firefox in the address bar and load chhoyhopper's background.js. Alternatively, you can install the web-ext application with npm install --global web-ext, and then use web-ext run to run the extension.
chhoyhopper-server [--address=IPv6 address OR domain name] [--dnskey=DNS key] [--keyfile=key file path] [--nameserver=DNS nameserver address] [--salt=constant] [--to=IPv6 address] [--utility=service] [--verbose]

chhoyhopper-client [--address=IPv6 address OR domain name] [--keyfile=key file path] [--salt=constant] [--service=application]
chhoyhopper-server options:
--address=IPv6 address OR domain name
--dnskey=DNS key
--keyfile=key file path
--nameserver=DNS nameserver address
--salt=constant
--to=IPv6 address
--utility=Service description
--verbose

chhoyhopper-client options:
--address=IPv6 address OR domain name
--keyfile=key file path
--salt=constant
--service=application

Running hopping for ssh on prefix::f, exporting the service using vm18.ant.isi.edu's /64 prefix:
Opening service for hostname (default):
chhoyhopper-server
Opening service for vm18.ant.isi.edu:
chhoyhopper-server --address vm18.ant.isi.edu
or by IP address:
chhoyhopper-server --address 2001:1878:401::8009:1d15
(note that the hopping address will be anywhere in 2001:1878:401::/64,
not at this public IP address.)
Changing the key file (this should be shared with clients; the default is file.bin):
chhoyhopper-server --keyfile "/tmp/key"
For HTTP(S) service, maintaining dynamic DNS and running hopping service:
chhoyhopper-server --address example.com --keyfile file.bin --utility HTTPS --nameserver IP --dnskey hmac-sha512:client_key_name:generated-key
An IPv6 client wants to connect to a moving server.
Connecting to vm18.ant.isi.edu:
chhoyhopper-client --address vm18.ant.isi.edu
Connecting to 2001:1878:401::8009:1d15:
chhoyhopper-client --address 2001:1878:401::8009:1d15
Using a different key file (default is file.bin):
chhoyhopper-client --address 2001:1878:401::8009:1d15 --key /tmp/public.pem
Click on the IP6 icon. Sample input values:
Then type https://example.com in the URL input field.