
10th January 2009, 12:57
LaBrea: "Sticky" Honeypot and IDS

Hi there! So, what is LaBrea? Quote:
LaBrea takes over unused IP addresses, and creates virtual servers
that are attractive to worms, hackers, and other denizens of the Internet.
The program answers connection attempts in such a way that the machine at
the other end gets "stuck", sometimes for a very long time.
How does it work? Quote:
LaBrea works by watching ARP requests and replies. When the pgm
sees consecutive ARP requests spaced several seconds apart, without
any intervening ARP reply, it assumes that the IP in question is
unoccupied. It then "creates" an ARP reply with a bogus MAC address,
and fires it back to the requester.
An example (from a tcpdump of LaBrea running on my network):
14:18:28.832187 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:29.646402 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:31.707295 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:31.707574 ARP reply xx.xx.xx.13 is-at 0:0:f:ff:ff:ff
There is no xx.xx.xx.13 machine on my network. In this case,
the timeout was set to 3 seconds (it's a command line
parameter), and when that final "who-has" came in, the "is-at"
reply that you see was generated by LaBrea.
There isn't a MAC address of 0:0:f:ff:ff:ff either. It doesn't
exist.
But now, the router (xx.xx.xx.1) believes that there is some
machine at xx.xx.xx.13, and that it resides on the MAC address
0:0:f:ff:ff:ff, and so it dutifully sends packets on. In
essence, we've created a "virtual machine" on that IP address.
Now, LaBrea also watches for TCP traffic destined for the ether
address 0:0:f:ff:ff:ff. When it sees an inbound TCP SYN packet,
it replies with a SYN/ACK that "tarpits" that connection
attempt. Everything else is ignored. (Well... sort of. LaBrea
also tries to give its "virtual machines" some character... you
can ping them, and they respond to a SYN/ACK with a RST...)
There's more to it than that (obviously...) but you'll need to
read further.
What is Tarpitting? Quote:
A tarpit (also known as Teergrube, the German word for tarpit) is
a service on a computer system (usually a server) that delays incoming
connections for as long as possible. The technique was developed as a
defense against a computer worm, and the idea is that network abuses
such as spamming or broad scanning are less effective if they take too
long. The name is analogous with a tar pit, in which animals can get bogged
down and slowly sink under the surface.
Why should I run it? Quote:
If you're a network administrator, I don't REALLY need to explain
this. They're out there, every day... 24/7/365. The scanners.
They're out there and you get to sit and watch them beat on your
network, doing reconnaissance. Now you have a chance to make their
life more difficult.
Besides that... it's fun.
And, as Mihnea so wonderfully put it, you can come into work in the
morning, look at your logfiles and say "Wow - I'm *actually* saving
the world"
OK, maybe "saving the world" is a little much...
Personally I think this sounds quite cool, as you can make multiple unreal
computers AND make it work like an IDS. Might as well see if it really
does do the job.
Of course, Snort is the preferred IDS, however that is not as easy to set
up as LaBrea I guess, thus it's cool it can do 2 things at once. The only
thing I don't know is how good it does it :)
~ MaXe

External Links: LaBrea, http://en.wikipedia.org/wiki/Tarpit_(networking)
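As an added example, not code from the original post or from LaBrea itself, the following Python simulation replays the decision logic that the quoted documentation describes: it reads constructed tcpdump-style ARP lines (modelled on the ones above, with a made-up real host at xx.xx.xx.20 added), claims an IP with the bogus MAC once consecutive who-has requests for it have gone unanswered for the timeout, and then applies the per-packet policy for frames sent to that MAC (SYN gets a tarpitting SYN/ACK, echo request gets a reply, stray SYN/ACK gets a RST, everything else is ignored). The whole-second timestamp comparison (which reproduces the timing in the quoted tcpdump, where the reply comes at the third request, 28 s to 31 s), the 10-byte window, and the plain-dictionary frame format are assumptions made for illustration.

```python
"""Simulation of LaBrea's unanswered-ARP capture and per-packet response policy.

Added example, not LaBrea's code. Log lines, MACs and IPs below are constructed.
"""
import re
from dataclasses import dataclass, field

BOGUS_MAC = "0:0:f:ff:ff:ff"   # the non-existent MAC LaBrea answered with in the quoted tcpdump

ARP_LINE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) ARP (?:who-has (?P<target>\S+) tell (?P<sender>\S+)"
    r"|reply (?P<ip>\S+) is-at (?P<mac>\S+))$"
)


def _secs(ts: str) -> int:
    """tcpdump HH:MM:SS.frac -> whole seconds (assumption: LaBrea compares whole seconds)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + int(float(s))


@dataclass
class ArpWatcher:
    """Watches ARP traffic; claims an IP after `timeout` seconds of unanswered who-has."""
    timeout: int = 3                                   # the command-line timeout from the post
    first_seen: dict = field(default_factory=dict)     # ip -> second of first unanswered who-has
    captured: dict = field(default_factory=dict)       # ip -> bogus MAC we now answer with

    def feed(self, line: str):
        """Process one tcpdump line; return the ARP reply LaBrea would emit, or None."""
        m = ARP_LINE.match(line.strip())
        if not m:
            return None
        now = _secs(m["ts"])
        if m["ip"]:                                    # a real host answered: not unoccupied
            if m["mac"] != BOGUS_MAC:
                self.first_seen.pop(m["ip"], None)
                self.captured.pop(m["ip"], None)
            return None
        ip = m["target"]
        if ip in self.captured:                        # keep the virtual machine alive
            return f"ARP reply {ip} is-at {BOGUS_MAC}"
        start = self.first_seen.setdefault(ip, now)
        if now - start >= self.timeout:                # consecutive unanswered requests, timeout reached
            self.captured[ip] = BOGUS_MAC
            del self.first_seen[ip]
            return f"ARP reply {ip} is-at {BOGUS_MAC}"
        return None


def respond(frame: dict):
    """Policy for a frame delivered to the bogus MAC. `frame` is a constructed dict
    (dst_mac, proto, and for TCP a set of flags), not a parsed packet."""
    if frame["dst_mac"] != BOGUS_MAC:
        return None                                    # not one of our virtual machines
    if frame["proto"] == "icmp-echo":
        return "icmp-echo-reply"                       # virtual hosts answer ping
    if frame["proto"] == "tcp":
        flags = frame["flags"]
        if flags == {"SYN"}:
            # Complete the handshake with a tiny window and then never ACK any data,
            # so the peer's connection sits open until it gives up (window size assumed).
            return "tcp SYN/ACK win=10"
        if flags == {"SYN", "ACK"}:
            return "tcp RST"                           # we never sent a SYN, so reset
    return None                                        # everything else is ignored


# Constructed log: the three requests from the post plus a real host at .20.
SAMPLE_LOG = """\
14:18:28.832187 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:29.646402 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:30.100000 ARP who-has xx.xx.xx.20 tell xx.xx.xx.1
14:18:30.200500 ARP reply xx.xx.xx.20 is-at 0:1c:42:aa:bb:cc
14:18:31.707295 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:35.000000 ARP who-has xx.xx.xx.20 tell xx.xx.xx.1
"""


def run_demo():
    """Replay SAMPLE_LOG; return (list of (line_no, reply), captured IPs)."""
    watcher = ArpWatcher(timeout=3)
    replies = []
    for n, line in enumerate(SAMPLE_LOG.splitlines(), 1):
        reply = watcher.feed(line)
        if reply:
            replies.append((n, reply))
    return replies, watcher.captured


if __name__ == "__main__":
    for n, reply in run_demo()[0]:
        print(f"line {n}: {reply}")
    print(respond({"dst_mac": BOGUS_MAC, "proto": "tcp", "flags": {"SYN"}}))
```

Only the third who-has for xx.xx.xx.13 produces a reply; the request for xx.xx.xx.20 is answered by a real host, so its timer is cleared and it is never claimed. A plain ACK or data segment to the bogus MAC gets nothing back, which is exactly what leaves the remote connection stuck.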