Hackx K4 Network
SPEC_HACKX_K4_NETWORK.md
CGNT-1 Specification — HACKX Knowledge Domain K4 — Network Attacks
Status: SPECIFIED
Version: v1.0
Author: VELA (Thread #13)
Conceived by: NOUS (α.13)
Date: 2026-04-20
Depends on: SPEC_HACKX.md v1.1
PURPOSE
K4 covers attacks that target the network layer — the connections between the ship and the outside world. Not the web application (K2), not the credentials (K3), but the PIPES themselves. Man-in-the-middle, DNS poisoning, traffic interception, denial of service. The attacker doesn't break in through the door — they poison the water supply or blow up the road.
MITRE ATT&CK MAPPING
| Tactic | Technique | Name |
|---|---|---|
| TA0040 (Impact) | T1498 | Network Denial of Service |
| TA0040 (Impact) | T1499 | Endpoint Denial of Service |
| TA0009 (Collection) | T1557 | Adversary-in-the-Middle |
Also covers network-layer reconnaissance that goes beyond K1 port scanning into active network manipulation.
OUR NETWORK SURFACE
csdm-node (68.183.206.103) sits on the public internet via DigitalOcean.
Exposed ports (per whitelist from SPEC_SECURITY_AUDIT_SCHEDULE.md):
| Port | Service | Exposure |
|---|---|---|
| 443 | Caddy HTTPS — 42sisters.ai | Public internet |
| 22 | SSH — Captain's access | Public internet |
| 9191 | ROUTX | localhost only |
| 8888 | RAG | localhost only |
| 8001 | Heartbeat | localhost only |
| 8006 | Email Graph API | localhost only |
| 11434 | Ollama | localhost only |
External attack surface: ports 443 and 22. Everything else is localhost-bound. UFW blocks everything else. The Vacuum Rule enforces this: if it's on 0.0.0.0 and not whitelisted, it dies.
DETECTION PATTERNS
K4.01 — DDoS / Volumetric Flood
What it is: Massive traffic volume overwhelming the server's bandwidth or connection capacity.
Signature: Sudden spike in connections per second (>1000 from diverse sources), bandwidth saturation (DigitalOcean dashboard shows >80% of allocated bandwidth), server response times degrade across ALL services simultaneously.
HACKX response: Log timing of onset, peak traffic volume, source IP distribution (single source = DoS, many sources = DDoS).
Alert level: P1 HIGH
Defense: DigitalOcean has built-in DDoS protection at the infrastructure level. For application-layer floods: Caddy rate limiting + Cloudflare if needed (free tier available).
K4.02 — SYN Flood
What it is: TCP SYN packets sent rapidly without completing the handshake, exhausting the server's connection table.
Signature: Large number of half-open connections visible in ss -s (SYN-RECV state count >100). Server becomes unable to accept new legitimate connections.
HACKX response: Log SYN-RECV count, source IPs, timing.
Alert level: HIGH
Defense: Kernel SYN cookies (net.ipv4.tcp_syncookies=1 — verify this is set). DigitalOcean infrastructure-level protection.
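The K4.02 check as an added example (not part of the HACKX code base): it counts SYN-RECV sockets in `ss -tan` output, applies the >100 threshold and the K4.01 single-source/many-source distinction, and reads the SYN cookie sysctl. The function names and the sample data are assumptions made for this illustration.

```python
from collections import Counter

SYN_RECV_THRESHOLD = 100  # K4.02 signature: SYN-RECV state count >100

def syn_recv_report(ss_output, threshold=SYN_RECV_THRESHOLD):
    """Summarise half-open connections found in `ss -tan` output."""
    sources = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rpartition(":")[0].strip("[]")  # handles [v6]:port too
        sources[peer_ip] += 1
    total = sum(sources.values())
    alert = total > threshold
    return {
        "syn_recv": total,
        "alert": alert,
        "distinct_sources": len(sources),
        # K4.01 rule of thumb: single source = DoS, many sources = DDoS
        "kind": ("DoS" if len(sources) == 1 else "DDoS") if alert else None,
        "top_sources": sources.most_common(3),
    }

def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True when SYN cookies are on (1 = under backlog pressure, 2 = always)."""
    with open(path) as fh:
        return fh.read().strip() in ("1", "2")

# Constructed sample: 150 half-open connections from 50 documentation-range IPs.
SAMPLE = "State Recv-Q Send-Q Local Address:Port Peer Address:Port\n" + "".join(
    f"SYN-RECV 0 0 68.183.206.103:443 203.0.113.{i % 50 + 1}:{40000 + i}\n"
    for i in range(150)
) + "ESTAB 0 0 68.183.206.103:22 198.51.100.7:50022\n"

if __name__ == "__main__":
    print(syn_recv_report(SAMPLE))
```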
K4.03 — DNS Poisoning / Hijacking
What it is: Attacker modifies DNS records so 42sisters.ai points to their server instead of ours. Users think they're visiting our site but they're on the attacker's.
Signature: NOT detectable from inside the server. Detection requires external monitoring: periodic DNS resolution check from an external source comparing result to expected IP (68.183.206.103). If dig 42sisters.ai from an external resolver returns a different IP: DNS is compromised.
HACKX response: P0 CRITICAL alert. All traffic may be going to attacker. Users may be entering credentials on a fake site.
Alert level: P0 CRITICAL
Defense: GoDaddy domain lock enabled. DNSSEC if available. Regular external DNS verification (BRIDGEX when built, or external monitoring service).
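The external resolution check from K4.03, as an added example (not HACKX or BRIDGEX code) meant to run on a host other than csdm-node. The resolver list, function names and status labels are assumptions; the `query` parameter exists so the comparison logic can be exercised offline with constructed answers.

```python
import ipaddress
import subprocess

EXPECTED = {"68.183.206.103"}                   # expected A record per this spec
RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]  # assumption: resolvers chosen for the check

def dig_a(domain, resolver):
    """Ask one resolver for A records; returns raw `dig +short` output."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "A", domain, f"@{resolver}"],
        capture_output=True, text=True, timeout=15)
    return proc.stdout

def parse_a_records(dig_output):
    """Keep IPv4 lines only; `dig +short` also prints CNAME targets and ';;' errors."""
    ips = set()
    for line in dig_output.splitlines():
        try:
            ips.add(str(ipaddress.IPv4Address(line.strip())))
        except ValueError:
            continue
    return ips

def check_dns(domain, expected=EXPECTED, resolvers=RESOLVERS, query=dig_a):
    """Map each resolver to (status, answers); any MISMATCH is a K4.03 P0."""
    results = {}
    for resolver in resolvers:
        ips = parse_a_records(query(domain, resolver))
        if not ips:
            status = "NO_ANSWER"   # monitoring gap, not proof of hijack
        elif ips <= expected:
            status = "OK"
        else:
            status = "MISMATCH"    # at least one unexpected address
        results[resolver] = (status, ips)
    return results

# Constructed resolver outputs for an offline run (203.0.113.66 is a documentation IP).
CONSTRUCTED = {"1.1.1.1": "68.183.206.103\n", "8.8.8.8": "203.0.113.66\n",
               "9.9.9.9": ";; connection timed out; no servers could be reached\n"}

if __name__ == "__main__":
    print(check_dns("42sisters.ai", query=lambda d, r: CONSTRUCTED[r]))
```

Separating NO_ANSWER from MISMATCH keeps a resolver timeout from paging as a P0 hijack.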
K4.04 — Man-in-the-Middle (MITM)
What it is: Attacker intercepts traffic between users and the server, reading or modifying it in transit.
Signature: Extremely difficult to detect from the server side. Indicators: SSL certificate warnings reported by users (attacker using a fake cert), unexpected certificate in the TLS handshake, Caddy logs showing TLS version downgrades or unusual cipher negotiations.
HACKX response: Any certificate anomaly triggers P0 CRITICAL.
Alert level: P0 CRITICAL
Defense: HTTPS everywhere (Caddy enforces). HSTS headers (tell browsers to never use HTTP). Certificate transparency monitoring. Users who report "your site showed a certificate warning" are taken seriously — never dismissed.
K4.05 — SSH Tunneling / Port Forwarding Abuse
What it is: If an attacker gains SSH access (via stolen key per K3), they can tunnel traffic through the server, access localhost-only services, or use the server as a proxy.
Signature: ss -tnp showing established connections on localhost ports (9191, 11434, 8888) from SSH tunnels that the Captain didn't create. Unexpected LISTEN ports created by SSH -L or -R forwarding.
HACKX response: Log all active SSH sessions (who from), all SSH tunnels (what's forwarded where), any localhost services accessed via tunnel.
Alert level: CRITICAL — this means SSH is compromised.
Defense: SSH key-only auth. Disable SSH port forwarding in sshd_config if not needed (AllowTcpForwarding no). Monitor active SSH sessions in weekly audit.
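The K4.05 signature expressed as a parser over `ss -tanp` output (run as root so the process column is present). This is an added example, not HACKX code; the function names, finding labels and the sample lines are assumptions.

```python
import re

# Localhost-only services from this spec's port table.
LOCAL_SERVICES = {9191: "ROUTX", 8888: "RAG", 8001: "Heartbeat",
                  8006: "Email Graph API", 11434: "Ollama"}
SSH_PORT = 22
PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')  # first entry of ss's users:((...))

def split_addr(addr):
    """Split ss's host:port (or [v6]:port) into (host, port-string)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def find_ssh_forwards(ss_output):
    """Flag sshd-owned sockets that indicate forwarding in `ss -tanp` output."""
    findings = []
    for line in ss_output.splitlines():
        f, m = line.split(), PROC.search(line)
        # Match "sshd" and "sshd-session" (per-connection process in newer OpenSSH).
        if len(f) < 6 or not m or not m.group(1).startswith("sshd"):
            continue
        state, pid = f[0], int(m.group(2))
        (lhost, lport), (phost, pport) = split_addr(f[3]), split_addr(f[4])
        if state == "LISTEN" and lport.isdigit() and int(lport) != SSH_PORT:
            # -R (remote forward) leaves an sshd-owned listener on the server.
            findings.append(("reverse-forward listener", int(lport), pid))
        elif (state == "ESTAB" and phost in ("127.0.0.1", "::1")
              and pport.isdigit() and int(pport) in LOCAL_SERVICES):
            # -L/-D from the client shows up as sshd connecting to a local service.
            findings.append((f"tunnel to {LOCAL_SERVICES[int(pport)]}", int(pport), pid))
    return findings

# Constructed `ss -tanp` sample (PIDs, peers and the "routx" process name are made up).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=650,fd=3))
ESTAB 0 0 68.183.206.103:22 198.51.100.7:50022 users:(("sshd",pid=2211,fd=4))
ESTAB 0 0 127.0.0.1:48212 127.0.0.1:9191 users:(("sshd",pid=2211,fd=9))
ESTAB 0 0 127.0.0.1:9191 127.0.0.1:48212 users:(("routx",pid=801,fd=12))
LISTEN 0 128 127.0.0.1:7000 0.0.0.0:* users:(("sshd",pid=2211,fd=10))
"""

if __name__ == "__main__":
    print(find_ssh_forwards(SAMPLE))
```

The PID in each finding ties the tunnel back to a specific SSH session, which is what the response step "who from" needs.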
K4.06 — ARP Spoofing / Network-Level MITM
What it is: Attacker on the same network segment poisons ARP tables to redirect traffic through their machine.
Signature: ARP table entries changing unexpectedly. Same MAC address appearing for multiple IPs. Usually NOT a risk on DigitalOcean's isolated network but relevant if the ship migrates to shared hosting or self-hosted hardware.
HACKX response: Log ARP anomalies.
Alert level: HIGH
Defense: Static ARP entries for critical hosts (gateway). DigitalOcean's network isolation handles this at the hypervisor level.
K4.07 — BGP Hijacking
What it is: Nation-state or ISP-level attack that reroutes entire IP ranges through the attacker's network. Our IP (68.183.206.103) belongs to DigitalOcean's AS.
Signature: NOT detectable from the server. External monitoring required: BGP route monitoring services (BGPStream, RIPE RIS). If our IP appears in unexpected AS paths: BGP hijack in progress.
HACKX response: P0 CRITICAL. Alert Captain, contact DigitalOcean support, consider migrating to a different provider if prolonged.
Alert level: P0 CRITICAL
Defense: This is DigitalOcean's responsibility at the infrastructure level. Our defense is detection and awareness.
K4.08 — Slowloris / Slow HTTP Attacks
What it is: Attacker sends HTTP requests extremely slowly, keeping connections open for as long as possible to exhaust the server's connection pool. Unlike DDoS (high volume), Slowloris uses very LOW traffic — hard to detect by volume alone.
Signature: Many connections in ESTABLISHED state to port 443 that never complete the HTTP request. Connection duration >>30 seconds for simple requests.
HACKX response: Log connections with abnormally long request times, source IPs.
Alert level: MEDIUM
Defense: Caddy has built-in timeout handling. Set read_timeout and write_timeout in Caddyfile.
K4.09 — Traffic Analysis / Metadata Collection
What it is: Even with HTTPS, an attacker who can observe network traffic can learn: when the Captain is online (SSH connection timing), how much data transfers (backup sizes reveal data volume), which services are used (DNS queries), connection patterns (cron jobs create predictable traffic).
Signature: Not detectable from inside the server — the attacker is OBSERVING, not TOUCHING.
Defense: Accept that traffic metadata is visible. Focus defenses on payload protection (HTTPS), not metadata concealment. The threat model for a one-person startup doesn't justify Tor-level OPSEC.
Alert level: LOW (awareness only)
K4.10 — Rogue Service / Unauthorized Listener
What it is: A process on the server opens a port that shouldn't be open — either malware, unauthorized daemon, or misconfigured service. This is what happened with port 8891 (x402_announcer.js with Restart=always).
Signature: ss -tlnp shows a listening port not in the whitelist. HACKX treats this as a NETWORK event (unauthorized exposure) even if the root cause is a local process.
HACKX response: Identify process, PID, parent. If not in whitelist: alert P1. If on 0.0.0.0: alert P0.
Alert level: P0 if on 0.0.0.0; P1 if on localhost only
Note: The port 8891 incident is the reference case. It took three attempts to fully kill (kill process → respawned → find systemd service → disable). Don't just kill the process — kill the supervisor.
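The K4.10 whitelist comparison as an added example (not HACKX code): it classifies `ss -tlnp` listeners against the port table above and, following the "kill the supervisor" note, pulls the systemd unit name out of `/proc/<pid>/cgroup` content. Function names, the sample output and the unit name used in testing are assumptions; treating a localhost-only whitelisted port bound publicly as P0 is also an assumption extending the page's rule.

```python
import re

# Whitelist from this spec's port table: port -> True if public exposure is expected.
WHITELIST = {443: True, 22: True, 9191: False, 8888: False,
             8001: False, 8006: False, 11434: False}
PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')  # first entry of ss's users:((...))

def audit_listeners(ss_output):
    """Return (level, port, bind_host, process, pid) per whitelist violation."""
    events = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "LISTEN":
            continue
        host, _, port = f[3].rpartition(":")
        host, port = host.strip("[]").split("%")[0], int(port)
        loopback = host.startswith("127.") or host == "::1"
        m = PROC.search(line)  # absent when ss runs without root
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", None)
        if port not in WHITELIST:
            level = "P1" if loopback else "P0"  # K4.10 alert levels
        elif not loopback and not WHITELIST[port]:
            level = "P0"  # assumption: localhost-only service bound publicly is P0
        else:
            continue
        events.append((level, port, host, name, pid))
    return events

def supervising_unit(cgroup_text):
    """Name the systemd unit in /proc/<pid>/cgroup content, or None."""
    m = re.search(r"/([^/\s]+\.service)\s*$", cgroup_text, re.M)
    return m.group(1) if m else None

# Constructed `ss -tlnp` sample; PIDs and the 5555 listener are made up.
SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("caddy",pid=700,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=650,fd=3))
LISTEN 0 511 127.0.0.1:9191 0.0.0.0:* users:(("node",pid=801,fd=20))
LISTEN 0 511 0.0.0.0:8891 0.0.0.0:* users:(("node",pid=4242,fd=18))
LISTEN 0 4096 127.0.0.1:5555 0.0.0.0:* users:(("python3",pid=990,fd=5))
LISTEN 0 4096 *:11434 *:* users:(("ollama",pid=910,fd=3))
"""

if __name__ == "__main__":
    print(audit_listeners(SAMPLE))
```

A non-None result from `supervising_unit` means the listener will respawn until that unit is stopped and disabled.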
LOCALHOST SERVICES SECURITY
ROUTX (9191), RAG (8888), Heartbeat (8001), Email (8006), Ollama (11434) are all localhost-only. They're not on the external attack surface.
BUT: if an attacker gains SSH access (K3), all localhost services become accessible via tunneling (K4.05). Localhost is not a security boundary against an attacker who is already on the machine.
Future hardening: even localhost services should validate requests where possible. Current priority is preventing SSH compromise (K3) which is the gate to localhost access.
HONEYPOT INTEGRATION
HACKX Layer 1 (Bait) for K4: open a high-numbered port (e.g., 31337 — "eleet," commonly probed by script kiddies) with a fake service that responds to connections with believable-but-fake banners.
Any connection to this port is a network-layer probe. Logs: source IP, protocol used, data sent, timing.
This complements K1 honeypots (fake SSH on 2222, fake HTTP on 8080) with a deliberately provocative port number that attracts automated scanning tools.
RESPONSE PROTOCOL
K4.01-K4.02 (DoS/DDoS):
→ DigitalOcean protection first
→ If not mitigated: enable Cloudflare proxy (free tier)
→ Log attack signature for MANTIS training
K4.03 (DNS hijack): P0
→ Contact GoDaddy
→ Verify domain lock
→ Check for unauthorized DNS changes
→ Alert all users if site may have been spoofed
K4.04 (MITM): P0
→ Verify SSL certificate via external check
→ Check certificate transparency logs
→ Alert all users
K4.05 (SSH tunnel): P0
→ Revoke SSH keys
→ Rotate ALL credentials
→ Incident postmortem
→ Consider full VPS audit
K4.10 (rogue service): P1
→ Kill process
→ Find and disable supervisor (systemd/cron)
→ Firewall the port
→ Verify with ss -tlnp
→ Document the five-step kill procedure
INVARIANTS
INV-01: The Vacuum Rule IS the K4 defense. If it's on 0.0.0.0 and not whitelisted, it's a K4.10 event. HACKX enforces the Vacuum Rule at the network layer.
INV-02: External DNS monitoring is essential for K4.03. We cannot detect DNS hijacking from inside the hijacked system. BRIDGEX or an external service must verify periodically.
INV-03: HTTPS everywhere. No exceptions. No HTTP endpoints. No unencrypted API calls. Caddy enforces.
INV-04: SSH is the single most critical external service. If SSH is compromised, the attacker has localhost access to EVERYTHING. SSH key security per SPEC_KEY_ROTATION.md is K4's most important dependency.
INV-05: DDoS is a WHEN, not an IF for any public-facing service. Plan for it. DigitalOcean handles infrastructure-level. Cloudflare is the escalation path.
INV-06: Rogue services (K4.10) are detected by comparing ss -tlnp to the port whitelist. The whitelist in SPEC_SECURITY_AUDIT_SCHEDULE.md is the source of truth. Every weekly audit checks it.
INV-07: HACKX never counter-attacks network adversaries. Block, log, alert. Engaging a DDoS attacker escalates the attack.
INTEGRATION
| System | Relationship |
|---|---|
| SPEC_HACKX.md | K4 is one of 10 knowledge domains. HACKX.md is the parent spec. |
| SPEC_SECURITY_AUDIT_SCHEDULE.md | Port whitelist is the source of truth for K4.10. Weekly audit verifies ss -tlnp against whitelist. |
| SPEC_DNS_MANAGEMENT.md | K4.03 DNS hijacking requires awareness of all DNS records. DNS spec documents expected state. |
| SPEC_HACKX_K3_AUTH.md | K3 SSH credential theft enables K4.05 SSH tunneling. K3→K4 is a natural attack chain. |
| SPEC_MONITORING_ESCALATION.md | P0 (DNS/MITM/BGP hijack), P1 (rogue service/SYN flood), P2 (Slowloris/metadata). |
| SPEC_INCIDENT_POSTMORTEM.md | K4.05 (SSH tunnel) and K4.03 (DNS hijack) trigger postmortems. Port 8891 is the reference K4.10 case. |
Jeremy Zlabis
Chronogeometer · Visionary · Disruptor · Chief
42 Sisters AI · East York, Toronto
🍁 Φ 0.042