Welcome to My Tarpit

Welcome to My Tarpit
The Tactical and Strategic Use of LaBrea


Introduction
------------

LaBrea is a small Linux-based application that puts unused IP
addresses on your network to use, creating a "tarpit" which can stop
or slow down scans of your address space. This paper details the
technical aspects of how LaBrea works as well as the tactical
advantages of deploying LaBrea on your network.

Background - Creating Virtual Machines
--------------------------------------

LaBrea works as a low-level network application that creates "virtual
machines" on your network - machines that don't really exist yet are
able to answer connection attempts in a special way that slows and
even stops the connecting process.

Local communication between machines on a LAN (local area network) is
done using MAC (machine access code) addresses, not with IP addresses.
These MAC addresses are 48 bits in length, as opposed to the 32 bits
of an IP address.

External attempts to access machines in the LAN are done using IP
addresses and will go through the local router. The local router's
job is to figure out which MAC corresponds to which IP. The router
does this by broadcasting a special request asking "who owns" the IP
in question. If any machine "owns" the IP it will respond with its MAC
address to the router. This request and response is known as the
Address Resolution Protocol or "ARP."

The tenacious quality of the ARP protocol used in these router
requests is what makes LaBrea possible: If at first the router does
not find a machine with the IP in question, it will ask again - and
again.

LaBrea monitors these ARP requests and replies that are needed to
connect external traffic with the local area network. If it notes
several successive ARP requests without intervening ARP replies LaBrea
will issue an ARP reply, effectively creating a virtual machine.

Making Virtual Machines Real
----------------------------
Once the virtual machine has been created, LaBrea will monitor all
traffic destined for the MAC address it has given to the router, and
will thereafter respond to inbound TCP/IP packets in a way that can
tie up the connecting machines for long periods of time. Most modern
TCP/IP implementations are very tenacious about holding onto
established connections. LaBrea sends enough of a response to hold the
connection open, but no more - the connecting machine is left hanging,
waiting.

Tarpitting
----------
The connecting machine's TCP/IP implementation will ordinarily not
give up easily, but will continue to attempt to use what it regards as
an established connection over and over until it finally times out.
The timeout value will of course vary from implementation to
implementation, but it will always be several orders of magnitude
longer than for a failed connection attempt. This is the "tarpit" that
LaBrea uses to catch worms and scanners.

Connection Trapping
-------------------
LaBrea can also trap and hold connection attempts. By moving a
connection from the established state to the persist state, LaBrea can
literally hold connections open for an indefinite period of time, so
that only a process reset at the other end will end it. Communicating
in this manner is done economically despite the potentially wide
bandwidth involved; also, the bandwidth usage itself is configurable.

Impersonation
-------------
To effectively trick more advanced scanning tools into believing
virtual machines are real, LaBrea offers standard responses to a
number of typical network probes such as echo requests and SYN/ACK
scans.

No Collateral Damage
--------------------
All connection attempts aimed at LaBrea virtual machines can be
considered suspect in nature as these machines do not really exist nor
do they, for example, have any entries in the Domain Name System.

Tactical Use
------------
Monitoring connection activities can give the network operations
center a good view of the extent and nature of any reconnaissance
taking place: Is a broad range of addresses being targeted, or do you
have a focused intrusion attempt?

LaBrea also makes an excellent adjunct to other early warning systems.
Correlating intrusion detection system warnings with LaBrea virtual
machine access records helps you immediately gauge the severity of an
intrusion attempt.

An intrusion attempt aimed solely at real machines should of course be
put at a higher priority than a simple cross-network scan.

The virtual machines appear to have ALL ports open, and thus they may
alert the network operator to activity that might be missed by other,
rule-based systems.

LaBrea can catch insiders on the intranet "in the act" while requiring
far less maintenance than conventional intrusion detection systems.

Strategic Benefits
------------------
LaBrea has the capability to capture and hold scanners - something
that is of vital importance to the overall health of the Internet.

At its peak, the Code Red worm infected approximately 300,000 servers,
yet a quick "back of the envelope" calculation (note 5) indicates that
1000 sites connected to T1 lines and dedicating only 5% of their total
bandwidth to LaBrea's "-p" option would have been able to capture and
hold all Code Red scanning threads at once.

And by capturing these scanning threads, LaBrea makes it possible to
contact compromised system owners while keeping their systems from
compromising other systems.

Because LaBrea answers SYN/ACK packets with an RST, fully deploying
LaBrea on all unused IP addresses makes your net block unusable for
"IP address spoofing" attacks.

Widespread use of LeBrea is a deterrent against malicious activity,
making the creation of worms far less interesting and common hacker
activities much more dangerous. The first of its kind, LaBrea is an
effective and a very clever anti-hacking tool that should become a
part of the standard toolkit of any professional network operation.

Finally, it's fun. Heaps of fun. You can walk into work in the morning
and look at your logs and think "I am actually doing something to make
the Internet a safer place."

Availability
------------
LaBrea is distributed as source code under the GNU General Public
License. You may use the source code as you see fit. HackBusters asks
that you inform them of any improvements that you may make to the
source code so that they can be incorporated into the public release
of the code.

The latest version of LaBrea can always be found at:
http://www.hackbusters.net


License
-------
LaBrea is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

LaBrea is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.


Notes
-----
1. LaBrea has also been successfully compiled on NetBSD.

2. LaBrea has a command line switch that enables it to work under a
"switched" environment. In a switched environment, LaBrea will see
ARP requests but might not see the resulting ARP replies. If the
command line switch "-s" is used, LaBrea will issue a "mirror" ARP
request for every request that it sees, listing itself as the
destination for the answer, making it safe to use in a switched
environment.

3. LaBrea ACKs the first inbound data packet with a WIN 0 and responds
to all following WIN probes with a WIN 0, causing the connecting
machine to hang in the "persist" state. A single inbound connection
from an NT based machine will require 1215 bytes/hour (2.7 bps) to
maintain in the persist state.

4. Inbound SYN/ACKs receive a RST and yes, you can really PING LaBrea
virtual machines.

5. LaBrea requires approximately 8 bps to hold 3 threads of Code Red.
If there were 300,000 infected machines each with 100 scanning
threads, then LaBrea would require approximately 80,000,000 bps to
hold them all. Dividing this among 1,000 sites would require 80,000
bps from each site. A T1 line runs at 1,544,000 bps; thus it would
require a commitment of 5.2% of the full T1 bandwidth at each site.


hosted by : a lonely israeli mossad agent .