Contributors:
Peter A. H. Peterson, UCLA. pahp@…
David Morgan, USC. davidmor@…
DeterLab is a security and education-enhanced version of Emulab. Funded by the National Science Foundation and the Department of Homeland Security, DETER is hosted by USC/ISI and UC Berkeley.
"USC/ISI’s DeterLab (cyber DEfense Technology Experimental Research Laboratory) is a state-of-the-art scientific computing facility for cyber-security researchers engaged in research, development, discovery, experimentation, and testing of innovative cyber-security technology. DeterLab is a shared testbed providing a platform for research in cyber security and serving a broad user community, including academia, industry, and government. To date, DeterLab-based projects have included behavior analysis and defensive technologies including DDoS attacks, worm and botnet attacks, encryption, pattern detection, and intrusion-tolerant storage protocols. [1]."
DETER (like Emulab) offers user accounts with assorted permissions associated with different experiment groups. Each group can have its own preconfigured experimental environments running on Linux, BSD, Windows, or other operating systems. Users running DETER experiments have full control of real hardware and networks running preconfigured software packages. These features make it an ideal platform for computer science and especially computer security education. Many instructors have designed class exercises (homework assignments, project assignments, in-class demos, etc.) consisting of a lab manual, software, data, network configurations, and machines from DETER's pool. This allows each student to run her own experiments on dedicated hardware.
The software running DETER will load operating system images (low-level disk copies) onto free nodes in the testbed, and then reconfigure programmable switches to create VLANs with the newly imaged nodes connected according to the topology specified by the experiment creator. After the system is fully imaged and configured, DETER will execute specified scripts, unpack tarballs, and/or install rpm files according to the experiment's configuration. The end result is a live network of real machines, accessible via the Internet.
Before you can perform the tasks described in your exercise assignment, you will, in many cases, need to create an experiment in DeterLab to work on. This will be your environment to use whenever you need it. To create a new experiment:
Your experiment is made up of one or more machines on the internal DETER network, which is behind a firewall. To access your experimental nodes, you'll need to first SSH to users.deterlab.net. If you don't know how to use SSH, see our tutorial (TBD).
users.deterlab.net (or users for short) is the "control server" for DETER. From users you can contact all your nodes, reboot them, connect to their serial ports, etc.
Once you log in to users, you'll need to SSH again to your actual experimental nodes. Since your nodes' addresses may change every time you swap them in, it's best to SSH to the permanent network names of the nodes. Here's how to figure out what their names are:
Once your experiment has swapped in:
node1.YourExperiment.YourProject.isi.deterlab.net.
users.deterlab.net, your nodes are swapped in, and you know their network name(s), you can SSH from users to your experimental nodes by executing: ssh node1.YourExperiment.YourProject.isi.deterlab.net. You will not need to re-authenticate.
ssh newuser@node1.YourExperiment.YourProject.isi.deterlab.net or ssh newuser@localhost from the experimental node.
Congratulations! Your lab environment is now set up, and you can get to work at the tasks in your lab manual. Make sure you read the "Things to keep in mind" section below!
Some labs benefit from Port Forwarding. Port Forwarding is a technique that can allow you to access your experimental nodes directly from your desktop computer. This is especially useful for accessing web applications running on your experimental nodes. See our ssh tutorial for more information.
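One way to set up such a forward from your desktop, as an added example that is not DeterLab's own tooling: the `deter_forward` helper, the `DRY_RUN` switch and the sample login are hypothetical, and the node name follows the pattern used on this page.

```shell
#!/bin/sh
# Added example: forward a desktop port to a service on an experimental node,
# tunnelled through users.deterlab.net. Helper name and DRY_RUN are hypothetical.

# deter_forward LOCAL_PORT NODE_FQDN REMOTE_PORT LOGIN
# With DRY_RUN=1 the ssh command is printed instead of executed.
deter_forward() {
    lport=$1 node=$2 rport=$3 login=$4

    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*|??????*)
                echo "deter_forward: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "deter_forward: port '$p' out of range" >&2; return 1
        fi
    done

    # Accept only names shaped like node.Experiment.Project.isi.deterlab.net,
    # so a typo cannot point the tunnel at an unrelated host.
    case $node in
        *[!A-Za-z0-9.-]*) echo "deter_forward: bad node name" >&2; return 2 ;;
        ?*.?*.?*.isi.deterlab.net) ;;
        *) echo "deter_forward: not an experimental node name" >&2; return 2 ;;
    esac

    case $login in
        ''|*[!A-Za-z0-9_-]*) echo "deter_forward: bad login" >&2; return 3 ;;
    esac

    # Binding to 127.0.0.1 keeps the forwarded port reachable only from this
    # desktop. -N opens the tunnel without a remote shell. The node name is
    # resolved on users, inside the firewall, not on the desktop.
    set -- ssh -N -L "127.0.0.1:$lport:$node:$rport" "$login@users.deterlab.net"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
```

With the tunnel open, a web application listening on port 80 of the node is reachable at http://127.0.0.1:8080/ on the desktop, assuming local port 8080 was chosen.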
Finally, when you are done working with your nodes, you should save your work and swap out the experiment so that someone else can use the physical machines.
Carefully read the evolving version of this document.
Every user on DeterLab has a home directory on users.deterlab.net which is mounted via NFS (Network File System) to experimental nodes. This means that anything you place in your home directory on one experimental node (or the users machine) is visible in your home directory on your other experimental nodes. Your home directory is private, so you may save your work in that directory. However, everything else on experimental nodes is permanently lost when an experiment is swapped out.
Make sure you save your work in your home directory before swapping out your experiment.
Another place to save your files would be /proj/YourProject. This directory is also NFS-mounted to all experimental nodes, so the same rules about writing to it a lot apply as for your home directory. It is shared by all members of your project/class.
Again, on DeterLab, files ARE NOT SAVED between swap-ins. Additionally, class experiments may be forcibly swapped out after a certain number of idle hours (or some maximum amount of time).
You must manually save copies of any files you want to keep in your home directory. Any files left elsewhere on the experimental nodes will be erased and lost forever. This means that if you want to store progress for a lab and come back to it later, you will need to put it in your home directory before swapping out the experiment.
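A small helper for doing this before each swap-out, as an added example that is not part of DeterLab: the `save_work` function and the `deter-saves` directory name are hypothetical, and it assumes a POSIX shell with `tar` on the node.

```shell
#!/bin/sh
# Added example (not DeterLab's own tooling): archive node-local work into
# NFS-backed storage before swap-out. The deter-saves name is hypothetical.

# save_work SRC_DIR [DEST_DIR]  -> prints the archive path on success
save_work() {
    src=$1
    dest=${2:-"$HOME/deter-saves"}

    if [ -z "$src" ] || [ ! -d "$src" ]; then
        echo "save_work: '$src' is not a directory" >&2
        return 1
    fi
    src=$(cd "$src" >/dev/null && pwd) || return 1   # absolute path

    # Only $HOME and /proj survive a swap-out; refuse anything else.
    case $dest in
        "$HOME"|"$HOME"/*|/proj/*) ;;
        *) echo "save_work: '$dest' is erased at swap-out" >&2
           return 2 ;;
    esac

    name=$(basename "$src")
    archive="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz"
    tmp="$archive.partial"

    # One compressed file rather than many small NFS writes. umask 077 keeps
    # the archive owner-only, which matters under /proj (shared with the class).
    ( umask 077
      mkdir -p "$dest" &&
      tar -czf "$tmp" -C "$(dirname "$src")" "$name" ) || { rm -f "$tmp"; return 3; }

    # Confirm the archive reads back before relying on it.
    if ! tar -tzf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 4
    fi
    mv "$tmp" "$archive" && echo "$archive"
}
```

Run it on the experimental node, for example `save_work /tmp/lab1`, and check that the printed path exists before swapping out.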
When you are done with your experiment for the time being, please make sure you save your work into an appropriate location and then swap out your experiment. To do this, use the "Swap Experiment Out" link in the "Experiment Options" panel. (This is the same place that used to have a "Swap Experiment In" link.) This allows the resources to be deallocated so that someone else can use them.
Do not use the potentially misleading "Terminate Experiment" link unless you are completely finished with your exercise. Termination will erase the experiment and you won't be able to swap it back in without recreating it.
Swapping out is the equivalent of temporarily stopping the experiment and relinquishing the testbed resources. Swapping out is what you want to do when you're taking a break from the work, but coming back later. Terminating says "I won't need this experiment again, ever." This may be confusing, especially since "Swap Out" seems to imply that it saves your progress (it doesn't, as described above). Just remember to Swap In/Out, and never "Terminate" unless you're sure you're completely done with the experiment. If you do end up terminating an experiment, you can always go back and recreate it.
Each exercise manual has a section entitled "Submission Instructions," and your instructor may have given you additional instructions for submission. Follow the instructions in that section, and submit your work to your instructor.
Unless otherwise instructed, it's a good idea to include:
Please check the following list of questions for answers. If you do not find an answer to your question here or elsewhere, please email your instructor or TA. Do not email testbed ops unless specifically instructed to do so by your instructor.
DeterLab has an automatic blacklist mechanism. If you enter the wrong username and password combination too many times, your account will no longer be accessible from your current IP address. If you think that this has happened to you, you can try logging in from another address (if you know how), or you can email your instructor or TA and specify your IP address. They will relay a request to the testbed ops to erase this specific blacklist entry.
If you have questions you think should be added to this FAQ, or other information you think should be added to this document, please contact us.