Network Decoys - ISTS 1
Network Decoys
Perhaps if we confuse them enough, they'll just go away… ;-)
Goals
• Hide and lie about the structure and composition of our networks in order to confuse and delay attackers
• Do so in a way that legitimate users of our systems and servers are not hindered.
Types of Decoys
• Tarpits
• Router-responders
• Kernel modifications and settings
• Fake services
• Full honeypots
Decoy Tools
• LaBrea
• IPTables
• IPPersonality
• WinX registry settings
• Linux kernel parameters
• Portsentry
• VMWare
• User-Mode Linux
LaBrea
• "Sticky" honeypot
• Holds machines for days or weeks.
• Effective at holding dumb scanning worms
• http://www.hackbusters.net/LaBrea.html
LaBrea install
• rpm -Uvh ftp://ftp.stearns.org/pub/wstearns/labrea/labrea-2.3-1.i386.rpm
• Read documentation in /usr/share/doc/labrea-2.3/LaBrea.README
• Edit /etc/labrea.conf and uncomment the line: #LABREAZ="-z"
• Add any other needed options.
LaBrea warnings
• Run only on the network segment that holds the IPs you’re tarpitting
• Use the exclude files in /etc to list any IPs in use, so LaBrea will never fight machines that aren't always there.
IPTables
• Is that system there or not?
• Filtering out ICMP echo requests and replies to existing machines.
• Responding for nonexistent machines
• Sending resets in response to malicious packets (use with care!)
IPTables – filtering icmp echos
• iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
• iptables -I INPUT -p icmp --icmp-type echo-reply -j DROP
IPTables – limiting outbound traffic
• iptables -I OUTPUT -p icmp --icmp-type echo-reply -j DROP
• iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j DROP
• iptables -I OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
• iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
IPTables – responding for nonexistent machines
# The slide gives no chain name and inserts each rule with -I; FORWARD is
# assumed here (the decoy box routes for these addresses) and -A is used so
# the catch-all proto-unreach rule stays last instead of shadowing the others.
for OneHost in 1.2.3.4 1.2.3.5 ; do
  iptables -A FORWARD -p udp -d $OneHost -j REJECT \
    --reject-with port-unreach
  iptables -A FORWARD -p tcp -d $OneHost -j REJECT \
    --reject-with tcp-reset
  iptables -A FORWARD -p icmp -d $OneHost -j DROP
  iptables -A FORWARD -d $OneHost -j REJECT \
    --reject-with proto-unreach
done
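Rules added with -I go to the top of the chain, so if the four rules per host are inserted that way the catch-all proto-unreach rule ends up first and the udp/tcp rules under it never fire. The script below, an added example that is not from the slides, emits the rules for a list of addresses and simulates the resulting chain order so the mistake is caught before anything is loaded; the chain name FORWARD and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): emit the "nonexistent machine" decoy
# rules for a list of addresses, then simulate the order iptables would end
# up with. Inserting every rule with -I places each new rule at the top, so
# the catch-all proto-unreach rule is evaluated first and the udp/tcp rules
# below it never match. Nothing here touches the kernel; the chain name
# FORWARD is an assumption (decoy box routing for those addresses).

CHAIN=FORWARD

# Four rules per host; MODE is -A (append, order kept) or -I (insert at top).
decoy_rules() {
  mode=$1; shift
  for host in "$@"; do
    echo "iptables $mode $CHAIN -p udp -d $host -j REJECT --reject-with port-unreach"
    echo "iptables $mode $CHAIN -p tcp -d $host -j REJECT --reject-with tcp-reset"
    echo "iptables $mode $CHAIN -p icmp -d $host -j DROP"
    echo "iptables $mode $CHAIN -d $host -j REJECT --reject-with proto-unreach"
  done
}

# Read iptables commands on stdin and print the chain in evaluation order:
# -A appends to the end, -I prepends to the top.
chain_order() {
  order=""
  while read -r rule; do
    case "$rule" in
      *" -I "*) order="$rule
$order" ;;
      *" -A "*) order="$order
$rule" ;;
    esac
  done
  printf '%s\n' "$order" | sed '/^$/d'
}

# Fail (exit 1) if a rule with no -p, which matches every protocol, sits
# above a protocol-specific rule for the same destination.
shadow_check() {
  seen=""
  while read -r rule; do
    dest=${rule#*-d }; dest=${dest%% *}
    case "$rule" in
      *" -p "*) case " $seen " in *" $dest "*) echo "shadowed: $rule" >&2; return 1 ;; esac ;;
      *) seen="$seen $dest" ;;
    esac
  done
  return 0
}
```

Running `decoy_rules -I 1.2.3.4 | chain_order | shadow_check` reports the shadowed rules, while the same pipeline with `-A` passes.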
IPTables – shutting down malicious connections
# --algo bm is required by the in-kernel string match in current iptables;
# the original patch-o-matic string module took no algorithm option.
iptables -A FORWARD -p tcp -d 1.2.3.0/24 \
  --dport 23 --tcp-flags ACK ACK -m string \
  --algo bm --string "r00t" -j LOG
iptables -A FORWARD -p tcp -d 1.2.3.0/24 \
  --dport 23 --tcp-flags ACK ACK -m string \
  --algo bm --string "r00t" -j REJECT
OS Fingerprinting
• Queso
• Nmap
• P0f (passive OS fingerprinting)
• Ettercap
OS Fingerprinting - One side effect
• If you change these fields to ones not used by an existing OS, you’ve uniquely fingerprinted your own box.
IPPersonality
• Modifies characteristics to confuse nmap
• Additional modules to iptables
• http://ippersonality.sourceforge.net
• Can emulate a different OS quite readily if run on the actual system
• Can at least confuse nmap if run on an intermediate router.
WinX registry settings
• Confusing p0f
• All of the following keys can be modified with regedit.
• All keys except MSS can be found under:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• We can't modify the NOP option or packet size fields
Window Size
• "GlobalMaxTcpWindowSize"=dword:00010000
• "TcpWindowSize"=dword:00010000
Time to live
• "DefaultTTL"=dword:00000030
Maximum segment size
• Under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\<Adapter>\
• "MTU"=dword:000005dc
• "EnablePMTUBHDetect"=dword:00000000
• "EnablePMTUDiscovery"=dword:00000000
Don’t Fragment
• Make the same PMTU changes as in the last slide to disable the DF flag.
Window Scaling
• "Tcp1323Opts"=dword:00000001
Sack OK
• "SackOpts"=dword:00000000
Linux kernel parameters
• Configured by writing values to /proc/sys/net/ipv4
• Additional documentation in /usr/src/linux/Documentation/networking/ip-sysctl.txt
• Again, we can't modify the NOP option or packet size fields
Window size
• tcp_window_scaling (0 or 1)
• tcp_app_win
Time to Live
• ip_default_ttl (default 64)
• To set a new default TTL:
• echo 32 >/proc/sys/net/ipv4/ip_default_ttl
Maximum segment size
• We can indirectly influence this by modifying the MTU (default: 1500 for ethernet).
• To set MSS to 1000, use MSS = MTU - 40, i.e. an MTU of 1040:
• ifconfig eth0 mtu 1040
Don’t Fragment
• ip_no_pmtu_disc (default 0 = false; this means Path MTU discovery is turned ON)
• To stop Linux from performing Path MTU discovery, turning OFF the DF flag:
• echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
Window Scaling
• tcp_window_scaling (default 1 = true)
• To disable window scaling:
• echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
Sack OK
• tcp_sack (default 1)
• To turn off SACKs:
• echo 0 >/proc/sys/net/ipv4/tcp_sack
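The /proc writes on the preceding slides change one field at a time. The script below, an added example that is not from the slides, builds a whole set of them as a reviewable plan, derives the MTU from the slide's relation MSS = MTU - 40, and warns when the chosen TTL is one that no common OS uses (the self-fingerprinting side effect noted under OS Fingerprinting). The interface name eth0 and the persona values are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): build the list of /proc/sys/net/ipv4
# writes for one fingerprint "persona" as plain text, so the values can be
# reviewed before anything is applied to a live kernel. The MTU is derived
# from the slide's relation MSS = MTU - 40. Interface name eth0 is an
# assumption; persona_apply needs root and is kept separate on purpose.

SYSCTL_DIR=/proc/sys/net/ipv4

# MSS -> MTU using MSS = MTU - 40 (20-byte IPv4 header + 20-byte TCP header).
# Refuse values below 536 (the RFC 879 default MSS); smaller is almost surely a typo.
mss_to_mtu() {
  [ "$1" -ge 536 ] 2>/dev/null || { echo "MSS $1 too small" >&2; return 1; }
  echo $(($1 + 40))
}

# A TTL that no common OS uses (32, 64, 128, 255) does not hide the box,
# it uniquely fingerprints it (the side effect from slide 14). Warn, don't stop.
check_ttl() {
  case "$1" in
    32|64|128|255) return 0 ;;
    *) echo "warning: TTL $1 matches no common OS default" >&2; return 1 ;;
  esac
}

# Print "proc <path> <value>" and "mtu <iface> <value>" lines; writes nothing.
# Args: TTL  window_scaling(0/1)  sack(0/1)  no_pmtu_disc(0/1)  MSS  [iface]
persona_plan() {
  ttl=$1; wscale=$2; sack=$3; nopmtu=$4; mss=$5; iface=${6:-eth0}
  mtu=$(mss_to_mtu "$mss") || return 1
  check_ttl "$ttl" || true
  printf 'proc %s %s\n' "$SYSCTL_DIR/ip_default_ttl" "$ttl"
  printf 'proc %s %s\n' "$SYSCTL_DIR/tcp_window_scaling" "$wscale"
  printf 'proc %s %s\n' "$SYSCTL_DIR/tcp_sack" "$sack"
  printf 'proc %s %s\n' "$SYSCTL_DIR/ip_no_pmtu_disc" "$nopmtu"
  printf 'mtu %s %s\n' "$iface" "$mtu"
}

# Apply a plan from stdin: the echo-into-/proc and ifconfig steps the slides show.
persona_apply() {
  while read -r kind target value; do
    case "$kind" in
      proc) echo "$value" > "$target" ;;
      mtu)  ifconfig "$target" mtu "$value" ;;
    esac
  done
}
```

Review the plan with `persona_plan 32 0 0 1 1000`, then pipe the same command into `persona_apply` as root to make the writes.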
Portsentry
• Listens on a large number of ports.
• Looks for portscans, or connections to vulnerable ports
• Can automatically block the scanner via route, ipfwadm/ipchains, or TCP wrappers
• http://www.psionic.com/abacus/portsentry/
Honeypots
• Fully functioning systems that tie up the attacker's attention, allowing you to monitor their actions and capture their tools.
• Not a defense tool, but a passive monitoring tool.
• http://www.honeynet.org
Honeypots – Physical systems
• Physical box with full OS
• Advantages: exactly identical to an operational system
• Disadvantage: expensive, time consuming to set up and perform analysis
Honeypots – VMWare
• VMWare simulates an x86 physical box in software, allowing you to run a virtual machine and x86 OS underneath Windows or Linux
• Advantage: reduced hardware cost
• Disadvantages: inability to make custom changes to the environment, cost of VMWare, CPU overhead, x86 only.
• http://www.vmware.com
Honeypots – User-Mode Linux
• Version of the Linux kernel that runs inside an existing Linux installation
• Advantages: low cpu and memory overhead, easy to set up and analyze, reduced hardware cost
• Disadvantages: Linux only on host and client
• http://user-mode-linux.sourceforge.net
Credits and Thanks
• Chris Brenton
• Matt Scarborough
• Authors of the respective packages