diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 939710a..228a20d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -84,27 +84,51 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v3 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build and push Docker image - id: push + - name: Extract metadata (tags, labels) for Docker (server) + id: meta-server + uses: docker/metadata-action@v3 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-server + + - name: Extract metadata (tags, labels) for Docker (client) + id: meta-client + uses: docker/metadata-action@v3 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-client + + - name: Build and push Docker image (server) + id: push-server uses: docker/build-push-action@v6 with: context: . push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta-server.outputs.tags }} + labels: ${{ steps.meta-server.outputs.labels }} + target: server - - name: Generate artifact attestation + - name: Build and push Docker image (client) + id: push-client + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.meta-client.outputs.tags }} + labels: ${{ steps.meta-client.outputs.labels }} + target: client + + - name: Generate artifact attestation (server) uses: actions/attest-build-provenance@v2 with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - subject-digest: ${{ steps.push.outputs.digest }} + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-server + subject-digest: ${{ steps.push-server.outputs.digest }} + push-to-registry: true + + - name: Generate artifact attestation (client) + uses: actions/attest-build-provenance@v2 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-client + subject-digest: ${{ steps.push-client.outputs.digest }} push-to-registry: true 
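Review bot: Every action in the added steps is referenced by a mutable major tag (`docker/metadata-action@v3`, `docker/build-push-action@v6`, `actions/attest-build-provenance@v2`), in a job that logs in to the registry with `secrets.GITHUB_TOKEN`, pushes two images and signs provenance for them. A retagged or compromised action release would run with those credentials and the resulting attestation would still verify, so pin each `uses:` to a full commit SHA and keep the tag as a comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v6`. `docker/metadata-action@v3` also appears to be an old major release next to the other Docker actions here and is worth updating while pinning. The job's `permissions:` block and trigger are outside the hunk, so the token scope cannot be checked from here.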
diff --git a/Dockerfile b/Dockerfile index d770c5f..9020628 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,7 +30,7 @@ RUN --mount=type=cache,target=/usr/src/app/cmake-build-release \ cp cmake-build-release/slipstream-client . && \ cp cmake-build-release/slipstream-server . -FROM gcr.io/distroless/base-debian12 +FROM gcr.io/distroless/base-debian12 AS runtime WORKDIR /usr/src/app @@ -38,9 +38,16 @@ COPY ./certs/ ./certs/ ENV PATH=/usr/src/app/:$PATH -COPY --from=builder --chmod=755 /usr/src/app/slipstream-client ./client -COPY --from=builder --chmod=755 /usr/src/app/slipstream-server ./server +LABEL org.opencontainers.image.source=https://github.com/EndPositive/slipstream -LABEL org.opencontainers.image.source https://github.com/EndPositive/slipstream +FROM runtime AS client -ENTRYPOINT [] +COPY --from=builder --chmod=755 /usr/src/app/slipstream-client . + +ENTRYPOINT ["/usr/src/app/slipstream-client"] + +FROM runtime AS server + +COPY --from=builder --chmod=755 /usr/src/app/slipstream-server . + +ENTRYPOINT ["/usr/src/app/slipstream-server"] diff --git a/README.md b/README.md index 66a019d..906942d 100644 --- a/README.md +++ b/README.md @@ -4,16 +4,61 @@ A high-performance covert channel over DNS, powered by QUIC multipath. +
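Review bot: Both published stages inherit `COPY ./certs/ ./certs/` from `runtime` (context at the top of the second Dockerfile hunk), so whatever the repository's `certs/` directory holds ships in the `-client` and `-server` images. The README text added in this commit names `certs/key.pem` as the server's default key, which suggests a private key that would be identical for, and readable by, everyone who pulls the image. Consider dropping that COPY from `runtime` and having operators mount their own material and pass `--cert`/`--key`, or copying only what each target needs inside its own stage. Neither stage sets `USER`, so both entrypoints presumably run as root; the client listens on an unprivileged port by default and could take `USER nonroot`. The `builder` stage and the contents of `certs/` are outside the hunk.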
+
+
+ Exfiltrating a 10 MB file over a single DNS resolver. +
+ ## Highlights * Adaptive congestion control for rate-limited resolvers * Parallel routing over multiple multiple rate-limited resolvers * 60% lower header overhead than DNSTT +## Installation + +Get the latest binaries [GitHub releases](https://github.com/EndPositive/slipstream/releases/latest) or pull the latest version from the [GitHub Container Registry](https://github.com/users/EndPositive/packages?repo_name=slipstream). + +## Usage + +``` +Usage: slipstream-server [OPTION...] +slipstream-server - A high-performance covert channel over DNS (server) + + -a, --target-address=ADDRESS Target server address (default: + 127.0.0.1:5201) + -c, --cert=CERT Certificate file path (default: certs/cert.pem) + -d, --domain=DOMAIN Domain name this server is authoritative for + (Required) + -k, --key=KEY Private key file path (default: certs/key.pem) + -l, --dns-listen-port=PORT DNS listen port (default: 53) +``` +``` +Usage: slipstream-client [OPTION...] +slipstream-client - A high-performance covert channel over DNS (client) + + -c, --congestion-control=ALGO Congestion control algorithm (bbr, dcubic) + (default: dcubic) + -d, --domain=DOMAIN Domain name used for the covert channel (Required) + + -g, --gso[=BOOL] GSO enabled (true/false) (default: false). Use + --gso or --gso=true to enable. + -l, --tcp-listen-port=PORT Listen port (default: 5201) + -r, --resolver=RESOLVER Slipstream server resolver address (e.g., 1.1.1.1 + or 8.8.8.8:53). Can be specified multiple times. + (Required) +``` + ## Quickstart -Download a release binary from GitHub. -The binary contains both the client and the server. +### Server setup The server listens for DNS messages and attempts to decode QUIC message from them. Any new QUIC streams opened will be forwarded to a specified TCP service. 
@@ -25,17 +70,18 @@ $ slipstream-server \ --dns-listen-port=8853 \ --cert=certs/cert.pem \ --key=certs/key.pem \ - --target=127.0.0.1:5201 \ + --target-address=127.0.0.1:5201 \ --domain=test.com ``` +### Client setup + The client listens on a TCP port for incoming connections. It opens a QUIC connection through the resolver specified. For every TCP connection it accepts, a new QUIC stream will be opened. In this example, we connect to the slipstream server running on port 8853. ```shell -$ echo "127.0.0.1 8853" > resolvers.txt $ slipstream-client \ --tcp-listen-port=7000 \ --resolver=127.0.0.1:8853 \ @@ -48,6 +94,8 @@ Connection completed, almost ready. Connection confirmed. ``` +### Usage + You can then connect to the slipstream client on port 7000 as if you were connecting to the nc client on port 5201. ```shell @@ -88,7 +136,7 @@ Then run the slipstream server on port 53 (requires elevated privileges) and ins # Benchmarks -Comparison of slipstream and other existing DNS tunneling tools can be found in the [EndPositive/dns-tunneling-benchmark]([https://github.com/EndPositive/dns-tunneling-benchmark]) repository. +Comparison of slipstream and other existing DNS tunneling tools can be found in the [EndPositive/dns-tunneling-benchmark](https://github.com/EndPositive/dns-tunneling-benchmark) repository. Main findings: 
@@ -96,29 +144,6 @@ Main findings: * 23/19 Mbps upload/download speed for direction connections * automatically maximizes query rate according to resolver rate-limit -# Building from source - -```shell -# build deps on debian: cmake, pkg-config, libssl-dev, ninja-build, clang -$ git clone --recurse-submodules https://github.com/EndPositive/slipstream.git -$ cd slipstream/ -$ cmake \ - -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_MAKE_PROGRAM=ninja \ - -DCMAKE_C_COMPILER=clang \ - -DCMAKE_CXX_COMPILER=clang++ \ - -G Ninja \ - -S . \ - -B ./build -$ cmake \ - --build ./build \ - --target slipstream \ - -j 18 -# mark as executable and install to your system -$ chmod +x ./build/slipstream -$ mv ./build/slipstream ~/.local/bin -``` - # Acknowledgements David Fifield's DNSTT and Turbo Tunnel concept has been a massive source of inspiration. diff --git a/docs/file_transfer_times_dark.png b/docs/file_transfer_times_dark.png new file mode 100644 index 0000000..b0a456a Binary files /dev/null and b/docs/file_transfer_times_dark.png differ diff --git a/docs/file_transfer_times_light.png b/docs/file_transfer_times_light.png new file mode 100644 index 0000000..d784e70 Binary files /dev/null and b/docs/file_transfer_times_light.png differ