IP Tunneling for server security

Status
Not open for further replies.

streambox

Member
Hi guys,

We're setting up a video streaming website, and looking for ways to protect ourselves.
The plan is to host all the content in NL, but even so I think it's always a bit of a risk.
So we want to implement an IP tunneling system so that all content would appear to come from another place, like Antigua.
The problem with using just a reverse proxy is that all the actual traffic will have to go through it, which is not really an option with video streaming.

I've looked into other options and it seems the best choice is to set up an LVS system using the IP Tunnel option. This way the "master" server could be hosted anywhere, and will manage direct connections to the real servers, encapsulating their IPs.

So my question is, does anyone have experience with this, does it work, or am I barking up the wrong tree?
 
25 comments
Could you post a traffic flow diagram of your LVS system? If you need to hide the traffic source completely, you need to tunnel the entire traffic. Otherwise it's possible to detect the real location.
 
OK here's a rough diagram:

https://www.dropbox.com/s/yznvqvdwmp4kad1/lvs.jpg

When the user requests, for example, http://publicip/videos/video1.mp4, the LVS server will pick one of the servers and pass the request there. Then the response from the hidden server is sent straight to the user, with the source address set to the public server, not the hidden one.

At least, that is my understanding of the system according to this:
8. LVS: LVS-Tun

But you are saying the hidden IP can still be found this way? Rerouting all the traffic through the LVS server is not really an option, due to geographical locations and the amount of bandwidth required!
 
Hi Streambox. There may be a very ugly way of doing it, but it requires that your ISP hasn't got any sort of restrictions that prevent IP spoofing.

I recall once connecting 2 networks to a single server with 2 IP addresses.

So 1 server had IP 123.123.123.123 (NetA) and at the same time had IP 234.234.234.234 (NetB). Each network connection required its own gateway.

I had assumed that if you ping 1 IP, the 'pong' would come out FROM the network on which the ping was initially received, but actually it goes out on the default gateway.

So outbound traffic would always go out of NetA even if the request went in through NetB. The outgoing packet did appear to come from NetB, however.

So you might be able to send out packets from a 'spoofed' address, as long as you can correctly direct those request packets to the spoofing server from the public server.

It's kind of silly and ugly, but it might work.
 
Hi Streambox,

I'm not really sure if there is any way around it. The problem is that tunneling, by definition, means traffic will be routed via the public IP. As you have pointed out, that's not really suitable for streaming. But there is no way to use the actual bandwidth of your hidden servers without revealing their true location, or spoofing the IP which data is sent from. At least, not that I can think of.

There is another way. It may cost a bit extra but it may be more suitable.

You can have your hidden and public server in close proximity to one another. Possibly in the same datacenter, but not necessarily. They need only be close enough for the bandwidth to be cheap and high capacity. You then use it just as a 'reverse proxy'/tunnel. Store no information on the server at all. Have a basic bootable OS and boot into a RAM drive. If your machine ever gets shut down, all data is wiped, leaving the location of your hidden server secret. Of course there is always some way to track down lines of communication, but this may be the best performing and easiest to implement option.
 
Or you can do this:

Buy 4 servers: 3 in NL as you said, and use them for your storage and encoding and decoding, and one public server.

Example
server-1 (2000K DDoS-protected LA server) = must be your public server. Users hit this server, and this server has some kind of protection (DDoS or kind shit like that). It's good for Google because it's LA. It's good for you because it has 2000K PPS (anti-DDoS shit). Use your video streaming script here (designed by a PAK company). Now this script has the ability, not only like YouTube, to use multi-server video storage and encoding. When a user is watching a video he doesn't even know your video is stored on an NL server :)

server-2 = Use this server for video encoding. You just need that special video script and no fu*king tunnel shit. All videos people or you upload on the main site will be encoded here.

server-3,4 = for your storage.

You can even add more servers every day. If you'd like to remove a server, just click a few buttons and the videos are distributed to the other servers, and then you can delete that server. And the user never knows.

Now that's called an awesome job. You can inbox me if you want :)
 
Hmmmmmm yes, that could work, I believe this is actually common practice here for bittorrent sites... But it's not too hard to sniff the connections and follow the IPs...

Ideally we'd want the public IP to be in a completely different country to muddy the waters more...

I have a wild idea; in theory it's doable... The user's "ping" goes to the offshore server, which then passes it on to the real server. The real server sends the "pong" data to the user, but with a spoofed source address, changed to match the address of the offshore server. So, any replies sent for that packet will go to the spoofed origin, the offshore server, and are redirected back to the real server. This way there is no encapsulation, and only the offshore server knows the IP of the real server...
 
Man.. that cloudy IP tunneling shit slows down your server access. The best process is what I described: use the PHP script and forget everything else. Or you can use proxy shit like an internal VPN. All your servers' IPs will be going under that VPN, hosted at your main public server. Nobody is going to find the real IP, TPB style. But that's too risky.. Who still didn't join the Pirates Party of India. :) Thanks
 
Ravim,

Performance-wise, the solution I suggested is probably going to be the best because it uses the traffic of the storage server. Only inbound traffic is 'tunneled' and outbound traffic goes direct. Tunneling inbound traffic is not an issue, as it would make up a tiny proportion of the overall traffic consumed, and it becomes even less relevant in UDP transmission.
 
Well, in the end we were able to set up LVS-TUN. The main issue is the service provider's network security: in most cases they will block outbound spoofed traffic, but we asked nicely so they made an exception. The system works rather nicely!
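The two points the thread turns on are the LVS-TUN flow described earlier (director encapsulates the request in IP-in-IP, the real server decapsulates and answers the client directly with the VIP as source) and the hurdle reported in the post above (the real server's ISP drops the direct-return reply because its source address is not in the customer's prefix, unless an exception is made). The model below, added here as an illustration and not code from the thread or from the LVS project, walks one request through both. Every address is constructed from RFC 5737 documentation ranges, the director is modelled as using the VIP as the outer tunnel source, and the ISP check is reduced to a prefix test; all of these are assumptions.

```python
"""Model of the LVS-TUN (IP-in-IP) flow plus a source-address validation
check at the real server's uplink. Added example; all addresses constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "TCP" for the client flow, "IPIP" for the tunnel
    payload: object = None     # inner Packet for IPIP, application bytes for TCP


class Director:
    """Public-facing LVS director: owns the VIP and tunnels requests to real servers."""

    def __init__(self, vip: str, real_servers: list[str]):
        self.vip = vip
        self.real_servers = real_servers
        self._next = 0

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst != self.vip:
            raise ValueError("not addressed to the VIP")
        rs = self.real_servers[self._next % len(self.real_servers)]  # round-robin
        self._next += 1
        # The client's packet is left untouched (src=client, dst=VIP) and wrapped
        # in an outer IP header addressed to the chosen real server.
        return Packet(src=self.vip, dst=rs, proto="IPIP", payload=pkt)


class RealServer:
    """Hidden server: decapsulates and answers the client directly as the VIP."""

    def __init__(self, ip: str, vip: str):
        self.ip = ip
        self.vip = vip  # in LVS-TUN the VIP is configured locally (tunl0/lo, non-ARP)

    def handle(self, outer: Packet) -> Packet:
        if outer.proto != "IPIP" or outer.dst != self.ip:
            raise ValueError("unexpected packet")
        inner = outer.payload
        if inner.dst != self.vip:
            raise ValueError("inner packet not for our VIP")
        # Direct return: reply is sourced from the VIP, addressed to the client,
        # and leaves via this server's own uplink, never back through the director.
        return Packet(src=self.vip, dst=inner.src, proto="TCP", payload=b"<video bytes>")


def uplink_accepts(pkt: Packet, prefix: str) -> bool:
    """Source-address validation at the ISP edge (assumption: a plain prefix test).
    A direct-return reply sourced from the VIP fails it unless the ISP has
    explicitly allowed that address, which is the exception the post reports."""
    return ip_address(pkt.src) in ip_network(prefix)


def simulate(client: str, vip: str, real_servers: list[str], customer_prefix: str,
             isp_exception: Optional[str] = None) -> dict:
    """Run one request through the flow and report what each party observes."""
    director = Director(vip, real_servers)
    servers = {ip: RealServer(ip, vip) for ip in real_servers}

    request = Packet(src=client, dst=vip, proto="TCP", payload=b"GET /videos/video1.mp4")
    tunneled = director.forward(request)
    reply = servers[tunneled.dst].handle(tunneled)
    forwarded = uplink_accepts(reply, customer_prefix) or (
        isp_exception is not None and uplink_accepts(reply, isp_exception))
    return {
        "chosen_real_server": tunneled.dst,
        "outer_header": (tunneled.src, tunneled.dst, tunneled.proto),
        "inner_header": (tunneled.payload.src, tunneled.payload.dst),
        "reply_header_seen_by_client": (reply.src, reply.dst),
        "reply_forwarded_by_isp": forwarded,
    }


if __name__ == "__main__":
    # Constructed addresses: client, VIP on the director, two hidden real servers.
    args = ("198.51.100.7", "203.0.113.10", ["192.0.2.11", "192.0.2.12"], "192.0.2.0/24")
    print(simulate(*args))                                  # reply dropped at ISP edge
    print(simulate(*args, isp_exception="203.0.113.10/32"))  # reply forwarded
```

The output shows what each party sees: the client only ever observes the VIP in IP headers, while the real server's ISP sees a packet leaving with a source address it does not own. Note the limits of what the header hides, which the thread itself raises: the real server's own uplink carries the bulk of the traffic, and the reply's round-trip time reflects where that server actually sits, not where the VIP is announced.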
 
Hi Streambox,

Looks like you're hosted in Singapore... I don't know the real IP but to get the latency down to what it is, the server must be located in close proximity to the public IP server...
 