My botnet


I have a small fleet to Raspberry Pi 3 machines distributed on friends and family houses. All of them are behind NAT so direct network access is not possible.

How do I access them? 2 ways

Reverse SSH tunnel

This one is easy, I have a dedicated Public IP Address (C&C Server) with a SSH listening on ports 443 and 22 and a bunch of restricted users

/etc/ssh/sshd_config

PermitTunnel yes

Match User pi1-cn
  AllowTcpForwarding yes
  PermitOpen 192.168.125.17:8888
  PermitTTY no
  PermitTunnel no
  GatewayPorts clientspecified

Match User pi2-ar
  AllowTcpForwarding yes
  PermitOpen 127.0.0.1:40000 192.168.125.17:14891
  PermitTTY no
  PermitTunnel no
  GatewayPorts clientspecified

And so on, I connect to some of the PIs from outside the C&C machine so I have to specify GatewayPorts to allow them to bind to something else than localhost

On my laptop I just configure ProxyCommand then I can reach them :)

Iodine

This one is harder, but waaaay cooler

I run iodined in the C&C server clients will connect and get and IP from a pool, nothing special here.

How can I predict which machine will get which IP?

Solution is easy, just run multiple iodined instances on different ports, bind them to localhost and put dnsmasq in front of them to redirect the traffic. So awesome

/etc/default/iodined1

IODINED_ARGS="-f -u iodine -t /var/run/iodine -c 192.168.94.9/30 pi1.domain.tld -l 127.0.0.1 -p 1053 -n <public ip>"
IODINED_PASSWORD="A long random string"

/etc/default/iodined2

IODINED_ARGS="-f -u iodine -t /var/run/iodine -c 192.168.94.12/30 pi2.domain.tld -l 127.0.0.1 -p 1054 -n <public ip>"
IODINED_PASSWORD="Another long random string"

/etc/dnsmasq.conf

server=/pi1.domain.tld/127.0.0.1#1053
server=/pi2.domain.tld/127.0.0.1#1054

I'm really happy with this solution because:

  • The network traffic between the C&C and the PIs runs over the ISPs backbone since is DNS traffic it may be carried over in their backbone instead of public internet what should give a better connectivity. Or nothing, the ISP does not have anything special for DNS requests and it goes over the public internet like any other traffic.
  • I don't want my C&C to be an open DNS resolver, so nobody can use it to perform DDOS attacks. Neither use my resources (the C&C runs in a constrained environment and bandwidth is expensive)

The second point was really important so before using dnsmasq I tried to configure forwarding-only-recursive-open-to-any-IP-not-recursive-for-3rd-party-domains DNS servers with Bind and Unbound but none of them allowed me to do what I wanted to do. Frustrated by this I tried dnsmasq and it really does what I need and using very few resources :) a win-win

NOTICE

I don't perform any kind of network attack, DDOS, or any other kind of bad behavior using this (or other) machines, I call them my botnet because I think is a cute way to call them, the C&C server is just a VPS I use for something else with a second IP and a second SSH server running.

I don't use the machines that often but the most common usage I give to them is when I travel.

I run traceroute/mtr/ping and other network tools from each PI to the Public IP of the Hotel/Caffe/Conference I am in and enjoy my own looking glass

Also I use them when I change DNS records for a customer or myself to see how fast the the records propagate.

RIPE and the Tor foundation both do something similar.