Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Decoys - ISTS 1 Network Decoys Perhaps if we confuse them enough, they’ll just go away… ;-)

Published byLuis Marrison Modified over 10 years ago

Similar presentations

Presentation on theme: "Network Decoys - ISTS 1 Network Decoys Perhaps if we confuse them enough, they’ll just go away… ;-)"— Presentation transcript:

1 Network Decoys - ISTS 1 Network Decoys Perhaps if we confuse them enough, they’ll just go away… ;-)

2 Network Decoys - ISTS 2 Goals Hide and lie about the structure and composition of our networks in order to confuse and delay attackers Do so in a way that legitimate users of our systems and servers are not hindered.

3 Network Decoys - ISTS 3 Types of Decoys Tarpits Router-responders Kernel modifications and settings Fake services Full honeypots

4 Network Decoys - ISTS 4 Decoy Tools LaBrea IPTables IPPersonality WinX registry settings Linux kernel parameters Portsentry VMWare User-Mode Linux

5 Network Decoys - ISTS 5 LaBrea “Sticky” Honeypot Holds machines for days or weeks. Effective at holding dumb scanning worms http://www.hackbusters.net/LaBrea.htmlhttp://www.hackbusters.net/LaBrea.html

6 Network Decoys - ISTS 6 LaBrea install rpm –Uvh ftp://ftp.stearns.org/pub/wstearns/labre a/labrea-2.3-1.i386.rpm ftp://ftp.stearns.org/pub/wstearns/labre a/labrea-2.3-1.i386.rpm Read documentation in /usr/share/doc/labrea- 2.3/LaBrea.README Edit /etc/labrea.conf, uncomment: #LABREAZ=“-z” Add any other needed options.

7 Network Decoys - ISTS 7 LaBrea warnings Run only on the network segment that holds the IPs you’re tarpitting Use the exclude files in /etc to list any IP’s in use so LaBrea will never fight machines that aren’t always there.

8 Network Decoys - ISTS 8 IPTables Is that system there or not? Filtering out icmp echo requests and replies to existing machines. Responding for nonexistant machines Sending Resets in response to malicious packets (use with care!)

9 Network Decoys - ISTS 9 IPTables – filtering icmp echos iptables –I INPUT –p icmp –icmp- type echo-request –j DROP iptables –I INPUT –p icmp –icmp- type echo-reply –j DROP

10 Network Decoys - ISTS 10 IPTables – limiting outbound traffic iptables –I OUTPUT –p icmp –icmp-type echo-reply –j DROP iptables –I OUTPUT –p icmp –icmp-type time-exceeded –j DROP iptables –I OUTPUT –p icmp –icmp-type fragmentation-needed –j ACCEPT iptables –I OUTPUT –p icmp –icmp-type destination-unreachable –j DROP

11 Network Decoys - ISTS 11 IPTables – responding for nonexistant machines for OneHost in 1.2.3.4 1.2.3.5 ; do iptables –I –p udp –d $OneHost –j REJECT \ --reject-with port-unreach iptables –I –p tcp –d $OneHost –j REJECT \ --reject-with tcp-reset iptables –I –p icmp –d $OneHost –j DROP iptables –I –d $OneHost –j REJECT \ --reject-with proto-unreach done

12 Network Decoys - ISTS 12 IPTables – shutting down malicious connections iptables –A FORWARD –p tcp –d 1.2.3.0/24 \ --dport 23 –tcp-flags ACK ACK –m string \ --string "r00t" –j LOG iptables –A FORWARD –p tcp –d 1.2.3.0/24 \ --dport 23 –tcp-flags ACK ACK –m string \ --string "r00t" –j REJECT

13 Network Decoys - ISTS 13 OS Fingerprinting Queso Nmap P0f (passive OS fingerprinting) Ettercap

14 Network Decoys - ISTS 14 OS Fingerprinting - One side effect If you change these fields to ones not used by an existing OS, you’ve uniquely fingerprinted your own box.

15 Network Decoys - ISTS 15 IPPersonality Modifies characteristics to confuse nmap Additional modules to iptables http://ippersonality.sourceforge.net Can emulate a different OS quite readily if run on actual system Can at least confuse nmap if run on an intermediate router.

16 Network Decoys - ISTS 16 WinX registry settings Confusing p0f All of the following keys can be modified with regedit. All keys except MSS can be found under: HKEY_LOCAL_MACHINE\SYSTEM\Curre ntControlSet\Services\Tcpip\Parameters We can’t modify Noop or Packet size

17 Network Decoys - ISTS 17 Window Size “GlobalMaxTcpWindowSize”=dword :00010000 “TcpWindowSize”=dword:0001000 0

18 Network Decoys - ISTS 18 Time to live “DefaultTTL”=dword:00000030

19 Network Decoys - ISTS 19 Maximum segment size Under: HKEY_LOCAL_MACHINE\SYSTEM\Curre ntControlSet\Services\Tcpip\Parameters \ \ “MTU”=dword:000005dc “EnablePMTUBHDetect”=dword:000000 00 “EnablePMTUDiscovery”=dword:000000 00

20 Network Decoys - ISTS 20 Don’t Fragment Make the same PMTU changes as in the last slide to disable the DF flag.

21 Network Decoys - ISTS 21 Window Scaling “Tcp1323Opts”=dword:00000001

22 Network Decoys - ISTS 22 Sack OK “SackOpts”=dword:00000000

23 Network Decoys - ISTS 23 Linux kernel parameters Configured by writing values to /proc/sys/net/ipv4 Additional documentation in /usr/src/linux/Documentation/netw orking/ip-sysctl.txt Again, we can’t modify noop or packet size

24 Network Decoys - ISTS 24 Window size tcp_window_scaling (0 or 1) tcp_app_win

25 Network Decoys - ISTS 25 Time to Live ip_default_ttl (default 64) To set a new default TTL: echo 32 >/proc/sys/net/ipv4/ip_default_ttl

26 Network Decoys - ISTS 26 Maximum segment size We can indirectly influence this by modifying the MTU (default: 1500 for ethernet). To set MSS to 1000, use MSS=MTU-40 ifconfig eth0 mtu 1040

27 Network Decoys - ISTS 27 Don’t Fragment ip_no_pmtu_disc (default 0 = false; this means Path MTU discovery is turned ON) To stop linux from performing Path MTU discovery, turning OFF the DF flag: echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc

28 Network Decoys - ISTS 28 Window Scaling tcp_window_scaling (default 1 = true) To disable window scaling: echo 0 >/proc/sys/net/ipv4/tcp_window_s caling

29 Network Decoys - ISTS 29 Sack OK tcp_sack (default 1) To turn off sacks: echo 0 >/proc/sys/net/ipv4/tcp_sack

30 Network Decoys - ISTS 30 Portsentry Listens on a large number of ports. Looks for portscans, or connections to vulnerable ports Can automatically block the scanner via route, ipfwadm/ipchains, or tcp wrappers http://www.psionic.com/abacus/portsen try/http://www.psionic.com/abacus/portsen try/

31 Network Decoys - ISTS 31 Honeypots Full functioning systems that tie up the attackers attention, allowing you to monitor their actions and capture their tools. Not a defense tool, but a passive monitoring tool. http://www.honeynet.org

32 Network Decoys - ISTS 32 Honyepots – Physical systems Physical box with full OS Advantages: exactly identical to an operational system Disadvantage: expensive, time consuming to set up and perform analysis

33 Network Decoys - ISTS 33 Honeypots – VMWare VMWare simulates an X86 physical box in software, allowing you to run a virtual machine and X86 OS underneath Windows or Linux Advantage: reduced hardware cost Disadvantages: inability to make custom changes to the environment, cost of Vmware, cpu overhead, X86 only. http://www.vmware.com

34 Network Decoys - ISTS 34 Honeypots – User-Mode Linux Version of the linux kernel that runs inside an existing linux installation Advantages: low cpu and memory overhead, easy to set up and analyze, reduced hardware cost Disadvantages: Linux only on host and client http://user-mode-linux.sourceforge.net

35 Network Decoys - ISTS 35 Credits and Thanks Chris Brenton Matt Scarborough Authors of the respective packages

Download ppt "Network Decoys - ISTS 1 Network Decoys Perhaps if we confuse them enough, they’ll just go away… ;-)"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Transparent Caching The art of caching network traffic without requiring user / browser side configuration.

Transparent Caching The art of caching network traffic without requiring user / browser side configuration.
Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.

Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Examining IP Header Fields

Examining IP Header Fields
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.
Linux Networking Commands

Linux Networking Commands
Port Scanning.

Port Scanning.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September 1981. The purpose.

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.

Similar presentations

Ads by Google