Persistent c2 and data connection in agent to c2 server scenario

andre1sk · March 2, 2018, 1:08pm

Hey guys. I need a solution for c2/data aquisition& analysis server to have a persistent connection to agents in up to 100K agents per server range. Ideally with low overhead, multiplexing and ideally some QoS to prioritize control channel messages over the data channel. Any good recommendations/advice for Elixir or Erlang lib.(s) that could help would be really appreciated (as well as arch. tips or any other relevant wisdom ) . The aim is to build a POC that will potentially convince people to adopt Elixir for at least communication/c2 portion of the product.

OvermindDL1 · March 2, 2018, 11:08pm

/me has no clue what c2 is

So basically 100k TCP connections or something? Or usermode SCTP?

andre1sk · March 3, 2018, 12:06am

yep up to 100K TCP

OvermindDL1 · March 3, 2018, 1:46am

In that case…

QoS would likely be handled at the hardware side, multiplexing maybe too unless you go SCTP or so, as for low overhead, you’d probably want UDP instead if you can tolerate loss (unless TCP/SCTP is low enough overhead already)?

andre1sk · March 3, 2018, 2:35am

TCP is fine just don’t want to roll my own solution for multiplexing control and data “channels” with ability to prioritize control channel over data channel (and ideally ability to throttle data channel). Although it might not be too much work? Haven’t really done any network servers since college pretty much was doing purely web dev. work.

OvermindDL1 · March 3, 2018, 2:50am

Yeah that’s not really a TCP feature though, more an SCTP feature (and sadly not a usermode SCTP thing last I saw, though usermode SCTP can do the rest of it quite well)… ^.^;

Performing it on the software side can still cause the TCP buffer to grow in the kernel to the window size, which then causes the throughput to tank when it does start back up for a while. If you really want to throttle honestly I’d use something more like UDP, which will scale much better, and using usermode SCTP (emulated on UDP instead of being IP level SCTP since a lot of routers and Windows out in the wild are retardedly stupid for not following specs properly, which is why usermode SCTP exists at all instead of just using the IP level SCTP protocol) would gain you a lot of functionality essentially ‘for free’ especially if you want reliability (if you don’t want reliability, then honestly just use UDP straight as the hardware stack usually throttles it automatically to keep the network useable, ‘in general’).

Overall though, need more information about the setup, the information, how reliable it needs to be, how ordered it needs to be, how large it will be at most, how sporadic it will be, is it stateful or stateless packets, etc… etc…

andre1sk · March 3, 2018, 3:18am

SCTP looks interesting. In the current product there is no persistent connection between server and agents agent checks in periodically with the server and might receive some jobs to run or commands to execute and also provides info on it’s state, status of jobs etc. Some job results could be large files (few gigs) but mostly it’s low volume. There are downsides to this model (mainly having to wait for checking interval) so my idea is to build a POC that has agent establish persistent connection to the server. It might make sense to have persistent SCTP connection for command and control and have an agent establish TCP connection when it needs to move large amount of data I guess.

OvermindDL1 · March 3, 2018, 3:43am

SCTP is entirely suited for large data as well, even more so than TCP due to it’s multiplexing and multiple channels (you can still send other data on one channel even while sending huge data on another channel for example).

andre1sk · March 3, 2018, 3:46am

Cool thank you just started reading up on SCTP got confused by message oriented vs stream oriented thing. Looks like it totally could be the solution thank you for all the info will continue to dig in

OvermindDL1 · March 3, 2018, 3:52am

Honestly SCTP would have taken over instead of TCP if not for Windows being monumentally stupid like always.

OvermindDL1 · March 3, 2018, 3:59am

Also, for IP level SCTP, the BEAM comes with it built in. For usermode SCTP (built on UDP) I think it might be in already, either that or it still has a PR for it…

EDIT1: Looks like it’s still pending as a PR, so you’d need to implement it yourself (or swipe this implementation), maybe you can push it along to get it merged?

github.com/erlang/otp

Experimental usrsctp support

erlang:master ← falkevik:usrsctp_event_cb_otp_upgrade

opened 09:46AM - 22 Nov 17 UTC

falkevik

+1063 -71

Experimental support for usrsctplib. Any feedback appreciated. The main idea …is to use usrsctplib from within the emulator using `gen_sctp` as for the current SCTP support. But this makes the SCTP stack run within the beam. This mainly enabled me to have SCTP on macOS without running unsigned sctp kernel extensions. It might also be possible to get usrsctplib support to work on windows. I have only tested on macOS and Linux. Some modifications has been made to usrsctp which can be found on below github repo and branch. I.e. passing already opened raw sockets to the lib and event callback support when socket is ready. https://github.com/falkevik/usrsctp/tree/event_callback_support So how to try it. First install the usrsctplib from the above branch. When done you can enable usrsctp support when configuring otp. `./configure --enable-sctp=usrsctp` should start looking for the usrsctp header. When done and compiled as usual. On Linux you can go with adding cap_net_raw; `setcap cap_net_raw+ep /path/to/beam.smp`. On macOS I pass already opened raw sockets as arguments to the beam. New flags are `+zsctp_raw_ipv4 <fd>` `+zsctp_raw_ipv6 <fd>` `+zsctp_raw_route <fd>` setuid_socket_warp can be used for this, which is slightly modified to set additional options on the raw socket before dropping privileges. `setuid_socket_wrap -t +zsctp_raw_ipv4,sctp -T +zsctp_raw_ipv6,sctp -z +zsctp_raw_route,sctp` So to the actual code changes, the idea is that when not enabled it should not affect at all. This need extra code review I think, there a lot of `#ifdef`s that might have ended up badly. There are some other changes that I need feedback on how to do it properly. Since we don't have any real file descriptor that we can put in the` select`/`poll` I register a callback when socket is ready to be read. When this callback is invoked, I check if the socket are in active mode or not. If it is in active mode, the port are scheduled to be run `erts_port_task_schedule` as select would have done if the fd was ready. To be able to use this call from the inet_drv driver I had to make them available from somewhere. Currently in `erts/emulator/sys/common/erl_sys_common_misc.c`, where to put this kind of code?

EDIT2: Or of course just use UDP and implement whatever reliability you want manually (maybe a side TCP channel too, in which case can just use TCP entirely if you are okay with the limitations). ^.^:

/me may be getting too detailed, TCP is fine for most uses…