Update documentation

Jop Zitman 2025-05-16 16:36:34 +08:00
parent cb8340a3e5
commit 1ce5cf30c9
5 changed files with 102 additions and 46 deletions

View file

@ -84,27 +84,51 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push Docker image
id: push
- name: Extract metadata (tags, labels) for Docker (server)
id: meta-server
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-server
- name: Extract metadata (tags, labels) for Docker (client)
id: meta-client
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-client
- name: Build and push Docker image (server)
id: push-server
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ steps.meta-server.outputs.tags }}
labels: ${{ steps.meta-server.outputs.labels }}
target: server
- name: Generate artifact attestation
- name: Build and push Docker image (client)
id: push-client
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta-client.outputs.tags }}
labels: ${{ steps.meta-client.outputs.labels }}
target: client
- name: Generate artifact attestation (server)
uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-server
subject-digest: ${{ steps.push-server.outputs.digest }}
push-to-registry: true
- name: Generate artifact attestation (client)
uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-client
subject-digest: ${{ steps.push-client.outputs.digest }}
push-to-registry: true
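Review bot: every third-party action in these steps is referenced by a mutable tag (`docker/metadata-action@v3`, `docker/build-push-action@v6`, `actions/attest-build-provenance@v2`), in a job that pushes images with `secrets.GITHUB_TOKEN` and then attests their provenance. Pin each `uses:` to a full commit SHA, with the version in a trailing comment, so a retagged action cannot change what gets built and attested. The two new metadata steps also stay on `@v3` while the build steps are on `@v6`; worth checking that the older major is intentional.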

View file

@ -30,7 +30,7 @@ RUN --mount=type=cache,target=/usr/src/app/cmake-build-release \
cp cmake-build-release/slipstream-client . && \
cp cmake-build-release/slipstream-server .
FROM gcr.io/distroless/base-debian12
FROM gcr.io/distroless/base-debian12 AS runtime
WORKDIR /usr/src/app
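Review bot: `FROM gcr.io/distroless/base-debian12 AS runtime` names the base image with no tag or digest, so every build of the `client` and `server` targets picks up whatever the registry serves at that moment. Since the workflow in this same change attests the resulting images, pin the base by digest (`gcr.io/distroless/base-debian12@sha256:<digest>`) and bump it deliberately.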
@ -38,9 +38,16 @@ COPY ./certs/ ./certs/
ENV PATH=/usr/src/app/:$PATH
COPY --from=builder --chmod=755 /usr/src/app/slipstream-client ./client
COPY --from=builder --chmod=755 /usr/src/app/slipstream-server ./server
LABEL org.opencontainers.image.source=https://github.com/EndPositive/slipstream
LABEL org.opencontainers.image.source https://github.com/EndPositive/slipstream
FROM runtime AS client
ENTRYPOINT []
COPY --from=builder --chmod=755 /usr/src/app/slipstream-client .
ENTRYPOINT ["/usr/src/app/slipstream-client"]
FROM runtime AS server
COPY --from=builder --chmod=755 /usr/src/app/slipstream-server .
ENTRYPOINT ["/usr/src/app/slipstream-server"]
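Review bot: `client` and `server` are both built `FROM runtime`, and the hunk header shows that `runtime` already carries `COPY ./certs/ ./certs/`, so whatever is in `certs/` lands in both published images, the client included. If that directory holds the key the server reads by default (`certs/key.pem` per the README usage text), move the `COPY` into the `server` stage only, or leave it out of the image and mount it at run time. Separately, the two `LABEL org.opencontainers.image.source` lines differ only in `=` versus a space; keep the `key=value` form, the space-separated one is the legacy syntax.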

View file

@ -4,16 +4,61 @@
A high-performance covert channel over DNS, powered by QUIC multipath.
<p align="center">
<picture align="center">
<source media="(prefers-color-scheme: dark)" srcset="docs/file_transfer_times_dark.png">
<source media="(prefers-color-scheme: light)" srcset="docs/file_transfer_times_light.png">
<img alt="Shows a bar chart with benchmark results." src="docs/file_transfer_times_light.png">
</picture>
</p>
<p align="center">
<i>Exfiltrating a 10 MB file over a single DNS resolver.</i>
</p>
## Highlights
* Adaptive congestion control for rate-limited resolvers
* Parallel routing over multiple multiple rate-limited resolvers
* 60% lower header overhead than DNSTT
## Installation
Get the latest binaries [GitHub releases](https://github.com/EndPositive/slipstream/releases/latest) or pull the latest version from the [GitHub Container Registry](https://github.com/users/EndPositive/packages?repo_name=slipstream).
## Usage
```
Usage: slipstream-server [OPTION...]
slipstream-server - A high-performance covert channel over DNS (server)
-a, --target-address=ADDRESS Target server address (default:
127.0.0.1:5201)
-c, --cert=CERT Certificate file path (default: certs/cert.pem)
-d, --domain=DOMAIN Domain name this server is authoritative for
(Required)
-k, --key=KEY Private key file path (default: certs/key.pem)
-l, --dns-listen-port=PORT DNS listen port (default: 53)
```
```
Usage: slipstream-client [OPTION...]
slipstream-client - A high-performance covert channel over DNS (client)
-c, --congestion-control=ALGO Congestion control algorithm (bbr, dcubic)
(default: dcubic)
-d, --domain=DOMAIN Domain name used for the covert channel (Required)
-g, --gso[=BOOL] GSO enabled (true/false) (default: false). Use
--gso or --gso=true to enable.
-l, --tcp-listen-port=PORT Listen port (default: 5201)
-r, --resolver=RESOLVER Slipstream server resolver address (e.g., 1.1.1.1
or 8.8.8.8:53). Can be specified multiple times.
(Required)
```
## Quickstart
Download a release binary from GitHub.
The binary contains both the client and the server.
### Server setup
The server listens for DNS messages and attempts to decode QUIC message from them.
Any new QUIC streams opened will be forwarded to a specified TCP service.
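Review bot: typo in the Highlights list, `Parallel routing over multiple multiple rate-limited resolvers` has a doubled word. In the Installation paragraph, `Get the latest binaries [GitHub releases]` is missing "from" before the link. The Quickstart lines `Download a release binary from GitHub.` and `The binary contains both the client and the server.` also sit oddly next to usage text for two separate binaries, `slipstream-server` and `slipstream-client`; if they survive this change, reword them.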
@ -25,17 +70,18 @@ $ slipstream-server \
--dns-listen-port=8853 \
--cert=certs/cert.pem \
--key=certs/key.pem \
--target=127.0.0.1:5201 \
--target-address=127.0.0.1:5201 \
--domain=test.com
```
### Client setup
The client listens on a TCP port for incoming connections.
It opens a QUIC connection through the resolver specified.
For every TCP connection it accepts, a new QUIC stream will be opened.
In this example, we connect to the slipstream server running on port 8853.
```shell
$ echo "127.0.0.1 8853" > resolvers.txt
$ slipstream-client \
--tcp-listen-port=7000 \
--resolver=127.0.0.1:8853 \
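Review bot: the `echo "127.0.0.1 8853" > resolvers.txt` line in the client example looks stale. The client usage text added in this change documents only `-r, --resolver=RESOLVER`, and the command right below passes `--resolver=127.0.0.1:8853`, so nothing reads `resolvers.txt`. If that line is still in the file after this change, drop it so the example matches the documented flags.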
@ -48,6 +94,8 @@ Connection completed, almost ready.
Connection confirmed.
```
### Usage
You can then connect to the slipstream client on port 7000 as if you were connecting to the nc client on port 5201.
```shell
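Review bot: the `### Usage` heading here repeats the title of the `## Usage` section introduced earlier in the README, so the outline lists Usage twice and the two headings get near-identical anchors. Rename this one after what it covers, for example `### Connecting through the tunnel`.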
@ -88,7 +136,7 @@ Then run the slipstream server on port 53 (requires elevated privileges) and ins
# Benchmarks
Comparison of slipstream and other existing DNS tunneling tools can be found in the [EndPositive/dns-tunneling-benchmark]([https://github.com/EndPositive/dns-tunneling-benchmark]) repository.
Comparison of slipstream and other existing DNS tunneling tools can be found in the [EndPositive/dns-tunneling-benchmark](https://github.com/EndPositive/dns-tunneling-benchmark) repository.
Main findings:
@ -96,29 +144,6 @@ Main findings:
* 23/19 Mbps upload/download speed for direction connections
* automatically maximizes query rate according to resolver rate-limit
# Building from source
```shell
# build deps on debian: cmake, pkg-config, libssl-dev, ninja-build, clang
$ git clone --recurse-submodules https://github.com/EndPositive/slipstream.git
$ cd slipstream/
$ cmake \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_MAKE_PROGRAM=ninja \
-DCMAKE_C_COMPILER=clang \
-DCMAKE_CXX_COMPILER=clang++ \
-G Ninja \
-S . \
-B ./build
$ cmake \
--build ./build \
--target slipstream \
-j 18
# mark as executable and install to your system
$ chmod +x ./build/slipstream
$ mv ./build/slipstream ~/.local/bin
```
# Acknowledgements
David Fifield's DNSTT and Turbo Tunnel concept has been a massive source of inspiration.
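Review bot: the `# Building from source` block is dropped here with nothing in its place, and nothing else visible in this change tells a reader how to build. The old commands were stale (`--target slipstream`, while the Dockerfile copies `slipstream-client` and `slipstream-server` out of `cmake-build-release`), so update the targets rather than delete the section, or point to the Dockerfile as the reference build. Also, `direction connections` under Main findings should read `direct connections`.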

Binary file not shown.


Binary file not shown.
