Ants watch is a DHT client monitoring tool. It is able to log the activity of all nodes in a DHT network by carefully placing ants in the DHT keyspace. For nodes to utilize the DHT they need to perform routing table maintenance tasks. These tasks consists of requesting other nodes close to oneself in the DHT keyspace. Ants watch ensures that at least one of these requests will always hit one of the ants. If a request hits an ant we record information about the requesting peer like agent version, supported protocols, IP addresses, and more.
Supported networks:
- Celestia
- Can be extended to support other networks using the libp2p DHT.
- An
antis a lightweight libp2p DHT node, participating in the DHT network, and logging incoming requests. antsparticipate in the DHT network as DHT server nodes.antsneed to be dialable by other nodes in the network. Hence,ants-watchmust run on a public IP address either with port forwarding properly configured (including local and gateway firewalls) or UPnP enabled.- The tool releases
ants(i.e., spawns newantnodes) at targeted locations in the keyspace in order to occupy and watch the full keyspace. - The tool's logic is based on the fact that peer routing requests are distributed to
kclosest nodes in the keyspace and routing table updates by DHT client (and server) nodes need to find thekclosest DHT server peers to themselves. Therefore, placing approximately 1antnode everykDHT server nodes can capture all DHT client nodes over time. - The routing table update process varies across implementations, but is by default set to 10 mins in the go-libp2p implementation. This means that
antswill record the existence of DHT client nodes approximately every 10 mins (or whatever the routing table update interval is). - Depending on the network size, the number of
antsas well as their location in the keyspace is adjusted automatically. - Network size and peers distribution is obtained by querying an external Nebula database.
- All
antsrun from within the same process, sharing the same DHT records. - The
ant queenis responsible for spawning, adjusting the number and monitoring the ants as well as gathering their logs and persisting them to a central database. ants-watchdoes not operate like a crawler, where after one run the number of DHT client nodes is captured.ants-watchlogs all received DHT requests and therefore, it must run continuously to provide the number of DHT client nodes over time.
You need go-migrate to run the clickhouse database migrations:
make tools
# or
go install -tags 'clickhouse' github.com/golang-migrate/migrate/v4/cmd/[email protected]You can then start a Clickhouse database with:
make local-clickhouse
# or
docker run --name ants-clickhouse --rm -p 9000:9000 -p 8123:8123 -e CLICKHOUSE_DB=ants_local -e CLICKHOUSE_USER=ants_local -e CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1 -e CLICKHOUSE_PASSWORD=password clickhouse/clickhouse-serverThis will start a Clickhouse server with the container name ants-clickhouse that's accessible on the non-SSL native port 9000. The relevant database parameters are:
- host:
localhost - port:
9000 - username:
ants_local - password:
password - database:
ants_local - secure:
false
Then you need to apply the migrations with:
make local-migrate-upThis will take the migration files in the ./db/migrations directory and strip all the Replicated merge tree prefixes before applying the migrations.
The Replicated merge tree table engines only work with a clustered clickhouse deployment (e.g., clickhouse cloud). When
running locally, you will only have a single clickhouse instance, so applying Replicated migrations will fail.
I'm all ears how to improve the workflow here.
The following environment variables should be set for ants-watch:
ANTS_CLICKHOUSE_ADDRESS=localhost:9000
ANTS_CLICKHOUSE_DATABASE=ants_local
ANTS_CLICKHOUSE_USERNAME=ants_local
ANTS_CLICKHOUSE_PASSWORD=password
ANTS_CLICKHOUSE_SSL=false
ANTS_NEBULA_CONNSTRING=postgres://nebula:password@localhost/nebula?sslmode=disable # change with proper values for the datbase you want to useOnce the database is set up and migrations are applied, you can start the honeypot.
ants-watch needs to be dialable by other nodes in the network. Hence, it must run on a public IP address either with port forwarding properly configured (including local and gateway firewalls) or UPnP enabled.
To start the ants queen, you can run the following command:
go run ./cmd/ants queen --upnp # for UPnP
# or
go run ./cmd/ants queen --first.port=<port> --num.ports=<count> # for port forwardingWhen UPnP is disabled, ports from firstPort to firstPort + nPorts - 1 must be forwarded to the machine running ants-watch. ants-watch will be able to spawn at most nPorts distinct ants.
You can run a health check on the honeypot by running the following command:
go run . healthThe queen ant periodically queries the Nebula database to retrieve the list of connected DHT servers. Kademlia identifiers of these peers are then inserted into a binary trie. Using this binary trie, the queen defines keyspace zones of at most bucket_size - 1 peers. One ant must be present in each of these zones in order to capture all DHT requests reaching the bucket_size closest peers to the target key.
Kademlia identifiers are derived from a libp2p peer id, which itself is derived from a cryptographic key pair. Hence generating a key matching a specific zone of the binary trie isn't trivial and requires bruteforce. All keys generated during the bruteforce are persisted on disk, because they may be useful in the future. When an ant isn't needed anymore, its key is marked as available for reuse. This also allows reusing the same peer ids for the ants across multiple runs of the honeypot.
- hydra-booster - A DHT Indexer node & Peer Router
Feel free to dive in! Open an issue or submit PRs.
Standard Readme follows the Contributor Covenant Code of Conduct.
MIT © ProbeLab