-Passive and proactive network security tools, based on cyber deception technologies, become more and more popular among classic tools. Using such tools gives an opportunity to prevent network attacks on the very beginning - at intelligence gathering stage. In this work we research one of these deceptive tools - a network tarpit. Based on LaBrea taprit, we investigate some fingerprints of its algorithms, that may lead to tarpit detecting and lowering overall security level. We used an open source detection tool Degreaser to find LaBrea's unmasking features, classify them and calculate their influence on the possibility of tarpit discovering. Our main goal was to provide methods to improve network tarpit obscuring capabilities, ridding of revealed unmasking features. These methods were later implemented as modules and integrated in our network tarpit called NetHole, that uses LaBrea as prototype and has no revealed shortcomings. The efficiency of modifications made was then tested in a set of tests with the same detection tool Degreaser.
INTRODUCTION
Large part of modern network attacks is being conducted for
intelligence gathering issues, to reveal the topology of the
network being attacked and security tools being used in this
network [
Among other security tools there is a subclass based on
deception tactics [
II.
COMPROMISING FEATURES
One of the main advantages of deceptive network security
tools is their invisibility. Intruders, in their turn, actively create
new and modify existing tools for uncovering honeypots and
network tarpits, making them useless. Deceptive security tools
can be compromised by detecting their unique fingerprints,
which can be also called unmasking features. To achieve this,
attackers may use either common network traffic analyzers as
nmap, zenmap, ethereal, arping, tethreal, etc, or special tools,
developed for discovering proactive security tools [
We used one of such special tools, Degreaser [
a) A hardcoded MAC-address: LaBrea uses (00:00:0F:FF:FF:FF)16 address regardless of physical address of network adapter it works on. Network tarpits are often used against threats outside LAN, where layer-2 address cannot be seen. Moreover, multiply IP-addresses can be assigned for single network interface.
TCP-ports of fake host, resulting in all TCP-ports to seem opened. There are 65536 possible ports on every host and it takes 216 requests per host to check every port on it. Such scanning cost is too high.
c) Delayed response: There is a time delay between ARP-request and response in LaBrea promiscuous mode. It’s also a secondary fingerprint, because there always can be interferences causing such delays.
2) Discriminating features, which lead to reliable tarpit detection. They are:
d) TCP window size: Fundamental feature of tarpit-like host is manipulation with TCP-window size. Default window size used by LaBrea is 10 bytes. This value is configurable, but only once before running the tarpit. Small size of TCP window is the first sign of tarpit presence.
e) TCP options: TCP options can be used by hosts to negotiate additional functionality. Typically, these options are set by operating systems during establishing TCP connection. LaBrea establishes its own TCP sessions, bypassing system level, so it has to manage TCP options itself, but it is not implemented. Ignoring TCP options is a second significant fingerprint of LaBrea presence.
So, there should be a balance between effectiveness of network protection tools and possibility of them to be discovered using their unmasking features. The main goal of our work is to find that balance, developing methods to decrease the level of informativity of network tarpits’ unmasking features.
III.
NETHOLE
We investigated Degreaser source code to find out the fingerprints it searches for and created NetHole, that has no unmasking features listed above, using LaBrea as prototype.
The first method to lower the possibility of uncovering network tarpit being used is in the following.
The set of available IP addresses is divided preliminarly into subsets of authorized and used (connected) addresses of network devices, authorized and temporarily unused network addresses, the rest of set is marked as forbidden to be used by network tarpit (Table I). The main idea of this method is to increase the functioning realism of protected network.
Dividing all IP addresses in such set will not cause a situation of a network, where every address is available like a false host, thus lowering the possibility of used network tarpit being revealed. In addition, all attempts to establish connection with hosts with IP addresses from forbidden set can be identified as network topology scanning or attacks themselves.
A hardcoded MAC address used by LaBrea (fig. 1) is a clear network tarpit fingerprint. MAC address is a unique 6-bytes number used for identification of Ethernet frames sender and receiver that is set by the manufacturer of network adapter. be:97:a6:1c:2a:ef Router d4:e2:da:95:eb:3f Router
Broadcast Router Broadcast Router Broadcast
Router
To hide this fingerprint, we used random MAC addresses for every fake host. We suggest 3 different options for a physical addresses generator:
generating completely random MAC address for every fake host. To start with, we make an array of physical addresses of currently active local network devices. Then, we generate random sequence of hexadecimal numbers of size J, where J is an amount of false hosts needed. To avoid the situation with duplicate MAC adresses in one network segment, we need to check whether every generated address is already in use by any of real network devices. This address must not also be null (00:00:00:00:00:00)16 or broadcast (ff:ff:ff:ff:ff:ff)16. While at least one of these conditions is true, address will be regenerated and then checked again. After that we align every i-th MAC address with a j-th IP address of false host.
The general algorithm of network tarpit with this modification is described next. When ARP request to any i-th IP address from given set is received, and if this IP address is from temporarily unused addresses subset, response packet is generated with TCP window size of 10 bytes and the aligned jth MAC address in TCP header. This packet is send then to initial sender on behalf of fake host.
The described method was implemented in NetHole tarpit, its effectiveness was tested in a series of tests, the main purpose of which was to compare the discovering rate of LaBrea and NetHole. To identify the network tarpit, i.e. the unmasking feature of used security tool, we analyzed the intercepted ARP packets with Wireshark. Table (II) represents the dump of ARP protocol. The response on request “What MAC address does the host with i-th IP address have?” is “The i-th IP address is set to the host with j-th MAC address”, where j-th MAC address is randomly generated.
Partially random MAC-address: The second option of described method suggests using a database with unique vendors MAC octets (table III). The three upper octets of generating MAC address are got from this database, the rest remain random, as described in the first option. In order the imitating network to seem more realistic, the vendor is chosen randomly every time. Using this option leads to resulting false network to contain devices made by real companies.
ratio: The third option assumes preliminary ARP-scanning of protected network in order to identify vendors of the local devices by their MAC-addresses using the database described above. It gives us a percentage ratio of used network devices, using which we can imitate the most true-to-life false network.
The LaBrea never adds TCP options in headers of generated response packets. To improve believability of answers being sent, we decided to add the TCP option support. This feature reads all options from incoming request packet and copies them into the response packet, excluding “TCP Timestamp” option. This option contains two 4-byte fields with timestamps. The «Timestamp Value» (Tsval) field contains the packet sender’s current value of timestamp. Firstly, it’s copied to «Timestamp Echo Reply» (Tsecr) field and then the current system uptime value is written in it.
We used Degreaser to test this feature. While scanning, Degreaser, among other tests, checks presence of any TCP options in response packets. Table (IV) contains the output of network scanning with LaBrea running in it.
Degreaser identifies scanned hosts as network tarpits. In the “TCP options” column found options are given. As stated at table (IV), all hosts which are considered to be the “LaBrea tarpit” have no TCP-options. Table (V) contains the results of network testing with NetHole working in it The “TCP options” column now contains Maximum Segment Size (M), Windows
options. Degreaser cannot discover that all these hosts are held by network tarpit.
Network tarpits use TCP flow control to catch attackers by changing the TCP window size, so it can be attributed to other uncovering features. LaBrea sets TCP window size to 10 bytes by default. The Degreaser’s algorithm checks this parameter after checking TCP options, and if it is less than control value, the host is considered to be a potential tarpit.
IP Address ─ SA ─ SA SA ─ ─ SA ─ ─ ─ ─ ─ ─ ─ ─
In NetHole we use a small (up to 255 bytes) but random TCP window size. It may be a result of additional traffic received by tarpit, but it hides the unmasking fingerprint at the same time. On the fragment of TCP dump below the randomly generated window size of 195 bytes is highlighted.
Source Port: 22 Destination Port: 48414 [Stream index: 5] [TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes Flags: 0x012 (SYN, ACK) Window size value: 195 [Calculated window size: 195] [SEQ/ACK analysis] No response No response Degreaser scanning output is shown in table VI.
The main purpose of network tarpits is to hang the network session with attacker as long as possible. LaBrea ignores all data packets after TCP session is established, compromising itself. Degreaser exploits this feature, sending a TCP packet with random data, which size is “TCP window size – 1”, and waits for response. If there is no response, currently scanned host is considered to be a tarpit. In order to hide this feature, we implemented a module for sending confirmation tickets after receiving any packet with data. The idea is to send a TCP-ACK packet with adjusted window size in response to TCP packet with PUSH flag.
The example of network interaction between Degreaser (with IP address 212.193.1.10) and NetHole (with IP address 212.193.1.28) could be seen in Table (VII). There are five TCP packets, three of them were used for connection establishing, the 4th is a 9-bytes data packet and the 5th is a TCP-ACK packet sent as a confirmation ticket.
SA ─ ─ ─ ─ ─ SA SA
As listed in table (VIII), there are no TCP options in all responses, TCP window size is 10 bytes, that is less than default minimal value for Degreaser, but all these hosts are not considered to be real hosts, neither common network tarpit, nor LaBrea tarpit especially, because of send TCP-ACK confirmation packets.
Using the tests described above we confirmed that using the developed modules leads to increasing the effectiveness of network tarpit and its stealthiness level through decreasing the possibility of its uncovering and identification by intruders.
Available:
git
2014.