=Paper=
{{Paper
|id=Vol-2081/paper19
|storemode=property
|title=Hiding Computer Network Proactive Security Tools Unmasking Features
|pdfUrl=https://ceur-ws.org/Vol-2081/paper19.pdf
|volume=Vol-2081
|authors=Roman V. Maximov,Sergey P. Sokolovsky,Alexey L. Gavrilov
}}
==Hiding Computer Network Proactive Security Tools Unmasking Features==
Roman V. Maximov, Sergey P. Sokolovsky, Alexey L. Gavrilov
Shtemenko Krasnodar Higher Military School, Krasnodar, Russia
rvmaxim@yandex.ru; ssp.vrn@mail.ru; aleks02.94@mail.ru

Abstract—Passive and proactive network security tools based on cyber deception technologies are becoming more and more popular alongside classic tools. Using such tools gives an opportunity to prevent network attacks at the very beginning, at the intelligence gathering stage. In this work we research one of these deceptive tools, a network tarpit. Taking the LaBrea tarpit as a basis, we investigate some fingerprints of its algorithms that may lead to tarpit detection and lower the overall security level. We used the open source detection tool Degreaser to find LaBrea's unmasking features, classify them and estimate their influence on the possibility of tarpit discovery. Our main goal was to provide methods to improve the obscuring capabilities of a network tarpit by ridding it of the revealed unmasking features. These methods were later implemented as modules and integrated into our network tarpit called NetHole, which uses LaBrea as a prototype and has none of the revealed shortcomings. The efficiency of the modifications made was then tested in a set of tests with the same detection tool Degreaser.

Keywords—information security; proactive defence; network tarpit; network security tools; unmasking features; cyber deception; network intelligence gathering

I. INTRODUCTION

A large part of modern network attacks is conducted for intelligence gathering purposes: to reveal the topology of the network being attacked and the security tools used in this network [1-3]. Automated scanning tools are used in such attacks with high probability.

Among other security tools there is a subclass based on deception tactics [4-7]. Its main idea is not to increase the power or the number of tools being used but to provide illusions about the network topology, thus slowing automated scanners and confusing manual attackers. One such application is the so-called honeypot [8-21]. More complex ways of network deception include not only topology illusion and the production of false vulnerable hosts but proactive defense in addition, e.g. trapping connections with the attacker and exhausting his resources for maintaining connection state. A large number of such trapped connections slows down automated network scanners or may even make overall network interaction impossible for the intruder caught. These tools, called network tarpits [22, 23], may work as standalone deception applications or be included in firewall packages, e.g. the Linux Netfilter TARPIT target, part of Xtables-addons [24].

II. COMPROMISING FEATURES

One of the main advantages of deceptive network security tools is their invisibility. Intruders, in their turn, actively create new tools and modify existing ones for uncovering honeypots and network tarpits, making them useless. Deceptive security tools can be compromised by detecting their unique fingerprints, which can also be called unmasking features. To achieve this, attackers may use either common network traffic analyzers such as nmap, zenmap, ethereal, arping, tethereal, etc., or special tools developed for discovering proactive security tools [25, 26]. We used one such special tool, Degreaser [25, 26], for testing LaBrea and the informativity of its fingerprints, and identified the following two types of unmasking features:

1) Unreliable features, which cannot be total evidence of tarpit presence. They are:

a) A hardcoded MAC address: LaBrea uses the address (00:00:0F:FF:FF:FF)₁₆ regardless of the physical address of the network adapter it works on. Network tarpits are often used against threats outside the LAN, where the layer-2 address cannot be seen. Moreover, multiple IP addresses can be assigned to a single network interface.

b) Open TCP ports: LaBrea answers requests to all TCP ports of a fake host, so all TCP ports seem open. There are 65536 possible ports on every host and it takes 2^16 requests per host to check every port on it. Such a scanning cost is too high.

c) Delayed response: There is a time delay between the ARP request and the response in LaBrea promiscuous mode. It is also a secondary fingerprint, because there can always be interference causing such delays.

2) Discriminating features, which lead to reliable tarpit detection. They are:

d) TCP window size: The fundamental feature of a tarpit-like host is manipulation of the TCP window size. The default window size used by LaBrea is 10 bytes. This value is configurable, but only once, before running the tarpit. A small TCP window size is the first sign of tarpit presence.

e) TCP options: TCP options can be used by hosts to negotiate additional functionality. Typically, these options are set by operating systems while establishing a TCP connection. LaBrea establishes its own TCP sessions, bypassing the system level, so it has to manage TCP options itself, but this is not implemented. Ignoring TCP options is the second significant fingerprint of LaBrea presence.

So, there should be a balance between the effectiveness of network protection tools and the possibility of their being discovered by their unmasking features. The main goal of our work is to find that balance by developing methods to decrease the informativity of network tarpits' unmasking features.
III. NETHOLE

We investigated the Degreaser source code to find out the fingerprints it searches for and created NetHole, which has none of the unmasking features listed above, using LaBrea as a prototype. The first method to lower the possibility of uncovering the network tarpit being used is the following.

A. Address space

The set of available IP addresses is divided in advance into subsets of authorized and used (connected) addresses of network devices, authorized and temporarily unused network addresses, and the rest of the set, which is marked as forbidden for use by the network tarpit (Table I). The main idea of this method is to increase the realism of the protected network. Dividing all IP addresses into such subsets prevents a situation where every address of the network is available as a false host, thus lowering the possibility of the network tarpit being revealed. In addition, all attempts to establish a connection with hosts whose IP addresses belong to the forbidden subset can be identified as network topology scanning or as attacks themselves.

TABLE I. DIVIDING ADDRESS SPACE

The set of all available IP addresses
  Authorized IP addresses subset
    Used IP addresses subset (real network devices)
    Temporarily unused IP addresses subset
  Forbidden IP addresses subset

B. Randomizing MAC address

The hardcoded MAC address used by LaBrea (Fig. 1) is a clear network tarpit fingerprint. A MAC address is a unique 6-byte number used to identify the sender and receiver of Ethernet frames; it is set by the manufacturer of the network adapter.

Fig. 1. The only hardcoded MAC address used by LaBrea

To hide this fingerprint, we used random MAC addresses for every fake host. We suggest three different options for the physical address generator:

1) Fully random MAC address: The first option supposes generating a completely random MAC address for every fake host. To start with, we make an array of the physical addresses of currently active local network devices. Then we generate a random sequence of hexadecimal numbers of size J, where J is the number of false hosts needed. To avoid duplicate MAC addresses in one network segment, we need to check whether every generated address is already in use by any of the real network devices. The address must also not be null (00:00:00:00:00:00)₁₆ or broadcast (ff:ff:ff:ff:ff:ff)₁₆. While at least one of these conditions is true, the address is regenerated and then checked again. After that we align every i-th MAC address with a j-th IP address of a false host.

The general algorithm of the network tarpit with this modification is as follows. When an ARP request for any i-th IP address from the given set is received, and this IP address belongs to the temporarily unused addresses subset, a response packet is generated with a TCP window size of 10 bytes and the aligned j-th MAC address in the TCP header. This packet is then sent to the initial sender on behalf of the fake host.

The described method was implemented in the NetHole tarpit, and its effectiveness was tested in a series of tests, the main purpose of which was to compare the discovery rates of LaBrea and NetHole. To identify the network tarpit, i.e. the unmasking feature of the security tool used, we analyzed the intercepted ARP packets with Wireshark. Table II represents the dump of the ARP protocol. The response to the request "What MAC address does the host with the i-th IP address have?" is "The i-th IP address is set to the host with the j-th MAC address", where the j-th MAC address is randomly generated.

TABLE II. USING OF GENERATED MAC ADDRESSES

Contents of ARP request | Sender | Receiver
Who has 10.0.0.40? Tell 10.0.0.100 | Router | Broadcast
10.0.0.40 is at be:97:a6:1c:2a:ef | be:97:a6:1c:2a:ef | Router
Who has 10.0.0.41? Tell 10.0.0.100 | Router | Broadcast
10.0.0.41 is at d4:e2:da:95:eb:3f | d4:e2:da:95:eb:3f | Router
Who has 10.0.0.42? Tell 10.0.0.100 | Router | Broadcast
10.0.0.42 is at 3e:8b:0b:d0:dd:ae | 3e:8b:0b:d0:dd:ae | Router

2) Partially random MAC address: The second option of the described method suggests using a database of unique vendor MAC octets (Table III). The three upper octets of the MAC address being generated are taken from this database; the rest remain random, as described in the first option. To make the imitated network seem more realistic, the vendor is chosen randomly every time. Using this option makes the resulting false network contain devices made by real companies.

TABLE III. THE PART OF UNIQUE VENDORS MAC OCTETS DATABASE

MAC address | Vendor
000142 | Cisco Systems, Inc
00037F | Atheros Communications, Inc
000393 | Apple, Inc.
0004EA | Hewlett Packard
0004E9 | Infiniswitch Corporation
000585 | Juniper
00059E | Zinwell Corporation

3) Partially random MAC address with real percentage ratio: The third option assumes preliminary ARP scanning of the protected network in order to identify the vendors of the local devices by their MAC addresses using the database described above. It gives us the percentage ratio of the network devices in use, with which we can imitate the most true-to-life false network.
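The address-space partition of section A and the three MAC generation options of section B, as an added Python example. This is not NetHole's or LaBrea's code: the vendor prefixes are those of Table III, the network built in build_demo is constructed, the seed and function names are assumptions, and the ARP handling follows the algorithm described above (answer only for temporarily unused addresses, treat probes of forbidden addresses as scanning).

```python
import random

# Vendor OUI prefixes taken from Table III of the paper (upper three octets of the MAC).
VENDOR_OUIS = {
    "000142": "Cisco Systems, Inc",
    "00037F": "Atheros Communications, Inc",
    "000393": "Apple, Inc.",
    "0004EA": "Hewlett Packard",
    "0004E9": "Infiniswitch Corporation",
    "000585": "Juniper",
    "00059E": "Zinwell Corporation",
}
NULL_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def make_rng(seed):
    """Seeded generator so that a run is reproducible (a real tarpit would use os.urandom)."""
    return random.Random(seed)


def random_mac(rng, oui=None):
    """One candidate address: fully random, or with a fixed 3-octet vendor prefix (OUI)."""
    if oui is None:
        head = [rng.randrange(256) for _ in range(3)]
    else:
        head = [int(oui[i:i + 2], 16) for i in (0, 2, 4)]
    tail = [rng.randrange(256) for _ in range(3)]
    return ":".join(f"{b:02x}" for b in head + tail)


def vendor_ratio_from_arp_scan(real_macs):
    """Option 3: count how often each known OUI occurs among the real devices seen by ARP."""
    counts = {}
    for mac in real_macs:
        oui = mac.replace(":", "").upper()[:6]
        if oui in VENDOR_OUIS:
            counts[oui] = counts.get(oui, 0) + 1
    return counts


def generate_macs(count, real_macs, rng, option=1, vendor_ratio=None):
    """Generate `count` MAC addresses for fake hosts by option 1, 2 or 3 of section B.
    A candidate is regenerated while it is null, broadcast, or already in use (real or fake)."""
    taken = {m.lower() for m in real_macs}
    if option == 3 and not vendor_ratio:
        option = 2  # nothing observed on the wire yet: fall back to a uniform vendor choice
    result = []
    while len(result) < count:
        if option == 1:
            oui = None
        elif option == 2:
            oui = rng.choice(sorted(VENDOR_OUIS))
        else:
            ouis, weights = zip(*sorted(vendor_ratio.items()))
            oui = rng.choices(ouis, weights=weights)[0]
        mac = random_mac(rng, oui)
        if mac in (NULL_MAC, BROADCAST_MAC) or mac in taken:
            continue
        taken.add(mac)
        result.append(mac)
    return result


class AddressSpace:
    """Table I: used (real devices), temporarily unused (answered by the tarpit), forbidden (never answered)."""

    def __init__(self, all_ips, used, temporarily_unused):
        self.used = set(used)
        self.unused = set(temporarily_unused)
        self.forbidden = set(all_ips) - self.used - self.unused

    def classify(self, ip):
        if ip in self.used:
            return "used"
        if ip in self.unused:
            return "temporarily unused"
        return "forbidden"


def handle_arp_request(space, fake_hosts, target_ip, asker_ip):
    """Decide what the tarpit does with 'Who has target_ip? Tell asker_ip'."""
    kind = space.classify(target_ip)
    if kind == "temporarily unused":
        mac = fake_hosts[target_ip]
        return {"reply": f"{target_ip} is at {mac}", "sender": mac, "receiver": asker_ip}
    if kind == "forbidden":
        # Nobody legitimately talks to a forbidden address: record it as suspected scanning (section A).
        return {"reply": None, "alert": f"scan suspected: {asker_ip} probed {target_ip}"}
    return {"reply": None}  # a real device answers for itself


def build_demo(seed=7):
    """Constructed example network (not from the paper): a /24 with two real devices and three fake hosts."""
    rng = make_rng(seed)
    all_ips = [f"10.0.0.{i}" for i in range(1, 255)]
    real = {"10.0.0.1": "00:01:42:aa:bb:cc", "10.0.0.100": "00:03:93:11:22:33"}
    unused = ["10.0.0.40", "10.0.0.41", "10.0.0.42"]
    space = AddressSpace(all_ips, real, unused)
    ratio = vendor_ratio_from_arp_scan(real.values())
    macs = generate_macs(len(unused), real.values(), rng, option=3, vendor_ratio=ratio)
    return space, dict(zip(unused, macs))


if __name__ == "__main__":
    space, fakes = build_demo()
    for ip in ("10.0.0.40", "10.0.0.100", "10.0.0.200"):
        print(ip, space.classify(ip), handle_arp_request(space, fakes, ip, "10.0.0.100"))
```

With option 3 the constructed network contains only Cisco and Apple devices, so every generated fake host carries one of those two prefixes; switching build_demo to option=1 yields prefixes from the whole 24-bit space, which is exactly the difference between the first and the second/third options above.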
C. Implementing TCP options

LaBrea never adds TCP options to the headers of the generated response packets. To improve the believability of the answers being sent, we decided to add TCP option support. This feature reads all options from the incoming request packet and copies them into the response packet, except for the "TCP Timestamp" option, which is handled separately. This option contains two 4-byte fields with timestamps. The "Timestamp Value" (TSval) field contains the packet sender's current timestamp value. First it is copied to the "Timestamp Echo Reply" (TSecr) field, and then the current system uptime value is written in it.

We used Degreaser to test this feature. While scanning, Degreaser, among other tests, checks for the presence of any TCP options in the response packets. Table IV contains the output of scanning a network with LaBrea running in it. Degreaser identifies the scanned hosts as network tarpits. The options found are given in the "TCP options" column. As shown in Table IV, all hosts that are considered to be a "LaBrea tarpit" have no TCP options. Table V contains the results of testing a network with NetHole working in it. The "TCP options" column now contains the Maximum Segment Size (M), Window Scale (W), Selective Acknowledgement (S) and Timestamp (T) options. Degreaser cannot discover that all these hosts are held by the network tarpit.

TABLE IV. THE NETWORK WITH LABREA SCANNING RESULTS

IP Address | Response Time | Window Size | TCP Flags | TCP Options | Scan Result
212.193.1.210 | 0 | 0 | ─ | ─ | No response
212.193.1.92 | 257762 | 10 | SA | ─ | LaBrea
212.193.1.198 | 0 | 0 | ─ | ─ | No response
212.193.1.105 | 81284 | 10 | SA | ─ | LaBrea
212.193.1.195 | 205014 | 10 | SA | ─ | LaBrea
212.193.1.121 | 0 | 0 | ─ | ─ | No response
212.193.1.251 | 0 | 0 | ─ | ─ | LaBrea
212.193.1.226 | 127510 | 10 | SA | ─ | LaBrea

TABLE V. THE NETWORK WITH NETHOLE SCANNING RESULTS

IP Address | Response Time | Window Size | TCP Flags | TCP Options | Scan Result
212.193.1.49 | 136629 | 10 | SA | MWST | Real host
212.193.1.70 | 0 | 0 | ─ | ─ | No response
212.193.1.144 | 99569 | 10 | SA | MWST | Real host
212.193.1.125 | 0 | 0 | ─ | ─ | No response
212.193.1.196 | 0 | 0 | ─ | ─ | No response
212.193.1.233 | 0 | 0 | ─ | ─ | No response
212.193.1.88 | 227956 | 10 | SA | MWST | Real host
212.193.1.140 | 0 | 0 | ─ | ─ | No response
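The TCP option handling of section C, as an added Python example that is not NetHole's code: it parses the option bytes of an incoming SYN, copies them into the SYN/ACK, and rebuilds the Timestamp option so that TSecr echoes the peer's TSval and TSval carries the local uptime. The sample SYN option bytes, the uptime value and the function names are constructed; a malformed option list raises instead of being echoed, so a deliberately broken probe cannot make the responder emit garbage.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def parse_tcp_options(raw):
    """Parse TCP option bytes into (kind, payload) pairs; EOL (kind 0) ends the list.
    Raises ValueError on a truncated or malformed option rather than copying it blindly."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d without length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def serialize_tcp_options(opts):
    """Encode (kind, payload) pairs and pad with EOL to a multiple of 4 bytes (the header length unit)."""
    out = bytearray()
    for kind, payload in opts:
        if kind in (TCPOPT_EOL, TCPOPT_NOP):
            out.append(kind)
        else:
            out += bytes([kind, 2 + len(payload)]) + payload
    while len(out) % 4:
        out.append(TCPOPT_EOL)
    return bytes(out)


def response_options(request_raw, uptime_ticks):
    """Section C: copy every option of the incoming SYN into the SYN/ACK; the Timestamp
    option is rebuilt so that TSecr echoes the peer's TSval and TSval is our uptime."""
    copied = []
    for kind, payload in parse_tcp_options(request_raw):
        if kind == TCPOPT_TIMESTAMP and len(payload) == 8:
            peer_tsval, _ = struct.unpack("!II", payload)
            payload = struct.pack("!II", uptime_ticks & 0xFFFFFFFF, peer_tsval)
        copied.append((kind, payload))
    return serialize_tcp_options(copied)


def summarize(raw):
    """Letters in the style of the paper's 'TCP options' column: M, W, S, T, in on-wire order."""
    letters = {2: "M", 3: "W", 4: "S", 8: "T"}
    return "".join(letters.get(k, "") for k, _ in parse_tcp_options(raw))


# Constructed SYN options, shaped like a typical Linux client SYN (not captured from the paper's network):
# MSS 1460, SACK permitted, Timestamp (TSval=0x11223344, TSecr=0), NOP, Window scale 7.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a" "11223344" "00000000" "01" "030307")

if __name__ == "__main__":
    resp = response_options(SAMPLE_SYN_OPTIONS, uptime_ticks=123456)
    print(resp.hex(), summarize(resp))
```

Because the option list is copied rather than synthesised, the SYN/ACK mirrors whatever mix of options the scanning host sent, which is why Degreaser's "TCP options" column in Table V shows the same four letters for every NetHole host probed by the same scanner.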
D. Random TCP window size

Network tarpits use TCP flow control to catch attackers by changing the TCP window size, so it can be attributed to the other uncovering features. LaBrea sets the TCP window size to 10 bytes by default. Degreaser's algorithm checks this parameter after checking the TCP options, and if it is less than the control value, the host is considered to be a potential tarpit.

In NetHole we use a small (up to 255 bytes) but random TCP window size. This may cause additional traffic to be received by the tarpit, but it hides the unmasking fingerprint at the same time. In the fragment of the TCP dump below the randomly generated window size of 195 bytes is highlighted.

 Source Port: 22
 Destination Port: 48414
 [Stream index: 5]
 [TCP Segment Len: 0]
 Sequence number: 0 (relative sequence number)
 Acknowledgment number: 1 (relative ack number)
 Header Length: 20 bytes
 Flags: 0x012 (SYN, ACK)
 Window size value: 195
 [Calculated window size: 195]
 [SEQ/ACK analysis]

The Degreaser scanning output is shown in Table VI.

TABLE VI. SCANNING RESULTS WITH RANDOMLY GENERATED TCP WINDOW SIZE

IP Address | Response Time | Window Size | TCP Flags | TCP Options | Scan Result
212.193.1.73 | 0 | 0 | ─ | ─ | No response
212.193.1.144 | 174390 | 178 | SA | ─ | Real host
212.193.1.195 | 149446 | 230 | SA | ─ | Real host
212.193.1.122 | 107480 | 201 | SA | ─ | Real host
212.193.1.141 | 128513 | 52 | SA | ─ | Real host
212.193.1.226 | 0 | 0 | ─ | ─ | No response
212.193.1.146 | 127476 | 126 | SA | ─ | Real host
212.193.1.230 | 2295501 | 196 | SA | ─ | Real host

E. Application level responses

The main purpose of network tarpits is to hold the network session with the attacker as long as possible. LaBrea ignores all data packets after the TCP session is established, compromising itself. Degreaser exploits this feature by sending a TCP packet with random data whose size is "TCP window size – 1" and waiting for a response. If there is no response, the currently scanned host is considered to be a tarpit. In order to hide this feature, we implemented a module for sending confirmation tickets after receiving any packet with data. The idea is to send a TCP ACK packet with an adjusted window size in response to a TCP packet with the PUSH flag.

An example of the network interaction between Degreaser (with IP address 212.193.1.10) and NetHole (with IP address 212.193.1.28) can be seen in Table VII. There are five TCP packets: three of them were used for connection establishment, the 4th is a 9-byte data packet and the 5th is a TCP ACK packet sent as a confirmation ticket.

TABLE VII. IMITATION OF APPLICATION LEVEL RESPONSE

Source | Destination | Protocol | Contents
212.193.1.10 | 212.193.1.10 | TCP | 32622 – 80 [SYN] Seq=0 Win=5840 Len=0
212.193.1.28 | 212.193.1.10 | TCP | 80 – 32622 [SYN, ACK] Seq=0 Ack=1 Win=10 Len=0
212.193.1.10 | 212.193.1.10 | TCP | 32622 – 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0
212.193.1.10 | 212.193.1.10 | TCP | 32622 – 80 [ACK] Seq=1 Ack=1 Win=5840 Len=9
212.193.1.28 | 212.193.1.10 | TCP | 80 – 32622 [ACK] Seq=1 Ack=1 Win=30 Len=0

TABLE VIII. SCANNING RESULTS WITH APPLICATION LEVEL RESPONSES IMPLEMENTED

IP Address | Response Time | Window Size | TCP Flags | TCP Options | Scan Result
212.193.1.193 | 103529 | 10 | SA | ─ | Real host
212.193.1.47 | 0 | 0 | ─ | ─ | No response
212.193.1.67 | 0 | 0 | ─ | ─ | No response
212.193.1.87 | 207563 | 10 | SA | ─ | Real host
212.193.1.106 | 199462 | 10 | SA | ─ | Real host
212.193.1.105 | 0 | 0 | ─ | ─ | No response
212.193.1.172 | 0 | 0 | ─ | ─ | No response
212.193.1.73 | 0 | 0 | ─ | ─ | No response

As listed in Table VIII, there are no TCP options in any of the responses and the TCP window size is 10 bytes, which is less than the default minimum value for Degreaser, but all these hosts are considered to be real hosts rather than a common network tarpit or a LaBrea tarpit in particular, because of the TCP ACK confirmation packets sent.
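The random window of section D and the confirmation ACK of section E, as an added Python simulation of the tarpit side of the exchange. This is not NetHole's code: the segment representation, the seed, the class and function names and the values replayed in run_probe are constructed, modelled on the five-segment exchange of Table VII; the window is drawn from 1..255 as section D describes, and the tarpit stays silent for anything that is not a SYN or an in-order segment of a session it opened.

```python
import random

WINDOW_MAX = 255  # section D: a small but random window, at most 255 bytes


def make_rng(seed):
    """Seeded generator for reproducible runs (a deployed tarpit would use os.urandom)."""
    return random.Random(seed)


class TarpitSession:
    """One fake TCP endpoint of a NetHole-style tarpit (constructed example).
    It answers a SYN with a SYN/ACK carrying a random small window, and answers every data
    segment with a pure ACK whose window is re-randomised (section E), so that a probe
    that waits for a reply to its data gets one and does not classify the host as a tarpit."""

    def __init__(self, rng, initial_seq=0):
        self.rng = rng
        self.snd_seq = initial_seq  # our sequence number (relative, as in Table VII)
        self.rcv_next = None        # next byte we expect from the peer; None until a SYN arrives
        self.established = False
        self.log = []               # every segment we emitted, in order

    def _window(self):
        return self.rng.randint(1, WINDOW_MAX)

    def _emit(self, flags):
        reply = {"flags": set(flags), "seq": self.snd_seq, "ack": self.rcv_next,
                 "win": self._window(), "length": 0}
        self.log.append(reply)
        return reply

    def receive(self, seg):
        """seg: dict with 'flags' (set drawn from 'S','A','P'), 'seq' and 'length'.
        Returns the reply segment, or None when the tarpit stays silent."""
        flags = seg["flags"]
        if "S" in flags and "A" not in flags:
            # Handshake step 2: SYN/ACK with a random window, never LaBrea's fixed 10 bytes.
            self.rcv_next = seg["seq"] + 1
            reply = self._emit("SA")
            self.snd_seq += 1  # the SYN consumes one sequence number
            return reply
        if self.rcv_next is None or seg["seq"] != self.rcv_next:
            return None  # not a session we opened, or out of order: no answer at all
        if "A" in flags and seg["length"] == 0 and not self.established:
            self.established = True  # handshake step 3, nothing to send back
            return None
        if seg["length"] > 0:
            # Application-level imitation: acknowledge the bytes, adjust the window, send no payload.
            self.rcv_next += seg["length"]
            return self._emit("A")
        return None


def new_session(seed=1):
    return TarpitSession(make_rng(seed))


def run_probe(seed=1, data_len=9):
    """Replay the five-segment exchange of Table VII: SYN, SYN/ACK, ACK, data, confirmation ACK."""
    s = new_session(seed)
    synack = s.receive({"flags": {"S"}, "seq": 0, "length": 0})
    s.receive({"flags": {"A"}, "seq": 1, "length": 0})
    confirmation = s.receive({"flags": {"A", "P"}, "seq": 1, "length": data_len})
    return synack, confirmation, s


if __name__ == "__main__":
    synack, confirmation, session = run_probe()
    for seg in session.log:
        print(sorted(seg["flags"]), "seq=%d ack=%d win=%d" % (seg["seq"], seg["ack"], seg["win"]))
```

The confirmation ACK is all the peer ever gets: no payload, no FIN, and a window that keeps the peer sending small pieces, which is the holding behaviour of section E combined with the randomised window of section D.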
IV. CONCLUSION

Using the tests described above, we confirmed that using the developed modules increases the effectiveness of the network tarpit and its stealthiness by decreasing the possibility of its uncovering and identification by intruders.

REFERENCES

[1] Hayatle O., Youssef A., Otrok H. Dempster-Shafer Evidence Combining for Anti-Honeypot Technologies. Inf. Sec. J.: A Global Perspective 21, 6 (January 2012), 2012, pp. 306-316. DOI: 10.1080/19393555.2012.738375.
[2] Laurén S., Leppänen V., Rauti S., Uitto J. A Survey on Anti-honeypot and Anti-introspection Methods. Recent Advances in Information Systems and Technologies - Volume 2, WorldCIST'17, Porto Santo Island, Madeira, Portugal, April 11-13, 2017, pp. 125-134. DOI: 10.1007/978-3-319-56538-5_13.
[3] Markov A.S., Tsirlov V.L. Guidelines for Cybersecurity in the Context of ISO 27032. Voprosy kiberbezopasnosti [Cybersecurity issues], 2014, No 1 (2), pp. 28-35. DOI: 10.21681/2311-3456-2014-1-28-35.
[4] Achleitner S., La Porta T., McDaniel P., Sugrim S., Krishnamurthy S.V., Chadha R. Cyber Deception: Virtual Networks to Defend Insider Reconnaissance. In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats (MIST '16). ACM, New York, NY, USA, 2016, pp. 57-68. DOI: 10.1145/2995959.2995962.
[5] De Gaspari F., Jajodia S., Mancini L.V., Panico A. AHEAD: A New Architecture for Active Defense. In Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig '16). ACM, New York, NY, USA, 2016, pp. 11-16. DOI: 10.1145/2994475.2994481.
[6] Shaw T., Arrowood J., Kvasnicka M., Taylor S., Cook K., Hale J. POSTER: Evaluating Reflective Deception as a Malware Mitigation Strategy. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). ACM, New York, NY, USA, 2017, pp. 2575-2577. DOI: 10.1145/3133956.3138833.
[7] Almeshekah M.H., Spafford E.H. Planning and Integrating Deception into Computer Security Defenses. In Proceedings of the 2014 New Security Paradigms Workshop (NSPW '14). ACM, New York, NY, USA, 2014, pp. 127-138. DOI: 10.1145/2683467.2683482.
[8] Du Z., Fan W., Fernández D., Villagrá V.A. Enabling an Anatomic View to Investigate Honeypot Systems: A Survey. IEEE Systems Journal, November 2017, pp. (99):1-14. DOI: 10.1109/JSYST.2017.2762161.
[9] Keil C., Nawrocki M., Schmidt T.C., Schönfelder J., Wählisch M. A Survey on Honeypot Software and Data Analysis. arXiv.org, 2016, vol. 10, pp. 63-75.
[10] Sokol P., Míšek J., Husák M. Honeypots and honeynets: issues of privacy. EURASIP Journal on Information Security, 2017, 1, Article 57 (December 2017), 9 pages. DOI: 10.1186/s13635-017-0057-4.
[11] Nawrocki M., Wahlisch M., Schmidt T., Keil C., Schonfelder J. A Survey on Honeypot Software and Data Analysis. 2016. CoRR, abs/1608.06249.
[12] Olagunju A.O., Samu F. In Search of Effective Honeypot and Honeynet Systems for Real-Time Intrusion Detection and Prevention. In Proceedings of the 5th Annual Conference on Research in Information Technology (RIIT '16). ACM, New York, NY, USA, 2016, pp. 41-46. DOI: 10.1145/2978178.2978184.
[13] Han W., Zhao Z., Doupé A., Ahn G. HoneyMix: Toward SDN-based Intelligent Honeynet. In Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization (SDN-NFV Security '16). ACM, New York, NY, USA, 2016, pp. 1-6. DOI: 10.1145/2876019.2876022.
[14] Guarnizo J.D., Tambe A., Bhunia S.S., Ochoa M., Tippenhauer N.O., Shabtai A., Elovici Y. SIPHON: Towards Scalable High-Interaction Physical Honeypots. In Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security (CPSS '17). ACM, New York, NY, USA, 2017, pp. 57-68. DOI: 10.1145/3055186.3055192.
[15] Tiwari R., Jain A. Improving network security and design using honeypots. In Proceedings of the CUBE International Information Technology Conference (CUBE '12). ACM, New York, NY, USA, 2012, pp. 847-852. DOI: 10.1145/2381716.2381875.
[16] Andrew D., Chi H. An empirical study of botnets on university networks using low-interaction honeypots. In Proceedings of the 51st ACM Southeast Conference (ACMSE '13). ACM, New York, NY, USA, 2013, Article 44, 2 pages. DOI: 10.1145/2498328.2500094.
[17] Pisarčík P., Sokol P. Framework for distributed virtual honeynets. In Proceedings of the 7th International Conference on Security of Information and Networks (SIN '14). ACM, New York, NY, USA, 2014, Article 324, 6 pages. DOI: 10.1145/2659651.2659685.
[18] Laurén S., Rauti S., Leppänen V. An interface diversified honeypot for malware analysis. In Proceedings of the 10th European Conference on Software Architecture Workshops (ECSAW '16). ACM, New York, NY, USA, 2016, Article 29, 6 pages. DOI: 10.1145/2993412.2993417.
[19] Saud Z., Islam M.H. Towards proactive detection of advanced persistent threat (APT) attacks using honeypots. In Proceedings of the 8th International Conference on Security of Information and Networks (SIN '15). ACM, New York, NY, USA, 2015, pp. 154-157. DOI: 10.1145/2799979.2800042.
[20] Borkar A., Salunke A., Barabde A., Karlekar N.P. Honeypot: a survey of technologies, tools and deployment. In Proceedings of the International Conference & Workshop on Emerging Trends in Technology (ICWET '11). ACM, New York, NY, USA, 2011, pp. 1357-1357. DOI: 10.1145/1980022.1980327.
[21] Shmatova E. The Choice of Strategy for the Spurious Information System on the Basis of the Game Theory Model. Voprosy kiberbezopasnosti [Cybersecurity issues], 2015, No 5 (13), pp. 36-40. DOI: 10.21681/2311-3456-2015-5-36-40.
[22] Liston T. LaBrea: "sticky" Honeypot and IDS. [Online]. Available: http://labrea.sourceforge.net/labrea-info.html.
[23] Liston T. LaBrea. [Online]. Available: http://labrea.sourceforge.net/labrea.1.txt.
[24] Hopkins A. TARPIT - iptables TARPIT target. [Online]. Available: http://www.netfilter.org/projects/patch-o-matic/pom-external.html.
[25] Alt L. Degreaser git repository. 2014. https://github.com/lancealt/degreaser.
[26] Alt L., Beverly R., Dainotti A. Uncovering network tarpits with degreaser. In Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC '14). ACM, New York, NY, USA, 2014, pp. 156-165. DOI: 10.1145/2664243.2664285.