uncovering network tarpits with degreaser

Uncovering Network Tarpits with Degreaser Lance Alt , Robert Beverly - PowerPoint PPT Presentation

Dec 26, 2022 •474 likes •842 views

Uncovering Network Tarpits with Degreaser Lance Alt , Robert Beverly , Alberto Dainotti Naval Postgraduate School Center for Measurement and Analysis of Network Data Computer Science Dept. UCSD/CAIDA December 11, 2014 Annual

  1. Uncovering Network Tarpits with Degreaser Lance Alt ∗ , Robert Beverly ∗ , Alberto Dainotti † ∗ Naval Postgraduate School Center for Measurement and Analysis of Network Data Computer Science Dept. † UCSD/CAIDA December 11, 2014 Annual Computer Security Applications Conference 2014 L. Alt et al. (NPS) Degreaser ACSAC 2014 1 / 28

  2. Background Background Network Deception A popular form of network defense is cyber deception Idea: confuse and influence adversary, collect attack data E.g., honeypots, sinkholes, tarpits Our Work Can we detect tarpits? Motivation An adversary able to recognize deception (tarpit) will avoid it Understanding weaknesses of existing tarpits helps improve them (better deception) Understand the extent to which network measurement tools and surveys are influenced by tarpits in the wild L. Alt et al. (NPS) Degreaser ACSAC 2014 2 / 28

  3. Background Background Network Deception A popular form of network defense is cyber deception Idea: confuse and influence adversary, collect attack data E.g., honeypots, sinkholes, tarpits Our Work Can we detect tarpits? Motivation An adversary able to recognize deception (tarpit) will avoid it Understanding weaknesses of existing tarpits helps improve them (better deception) Understand the extent to which network measurement tools and surveys are influenced by tarpits in the wild L. Alt et al. (NPS) Degreaser ACSAC 2014 2 / 28

  4. Background Background Network Deception A popular form of network defense is cyber deception Idea: confuse and influence adversary, collect attack data E.g., honeypots, sinkholes, tarpits Our Work Can we detect tarpits? Motivation An adversary able to recognize deception (tarpit) will avoid it Understanding weaknesses of existing tarpits helps improve them (better deception) Understand the extent to which network measurement tools and surveys are influenced by tarpits in the wild L. Alt et al. (NPS) Degreaser ACSAC 2014 2 / 28

  5. Background The Target: Tarpits Network Tarpits Attempts to slow (or stop) various forms of network scanning General Idea: A single machine pretends to be all unused hosts on a subnetwork Answers for all requests to those fake hosts Holds the TCP connection by setting TCP window to zero... And never letting go ... Two well-known applications: LaBrea Linux Netfilter (via TARPIT plugin) L. Alt et al. (NPS) Degreaser ACSAC 2014 3 / 28

  6. Background LaBrea in Detail LaBrea Layer-2 Capture Two modes of operation: ARP-timeout – actively captures unused addresses (default) Hard capture – only listens on specific addresses LaBrea promiscuously listens for ARP requests If no answer to (multiple) requests, LaBrea assumes IP not in use... And claims to be that IP (always with same MAC) Example: 10.1.10.102 is a real host attempting to connect to (non-existent) host 10.1.10.210 : 06:20:44.848758 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:45.953257 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:46.962535 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:47.970023 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:47.970130 ARP, Reply 10.1.10.210 is-at 00:00:0f:ff:ff:ff, length 28 L. Alt et al. (NPS) Degreaser ACSAC 2014 4 / 28

  7. Background LaBrea in Detail LaBrea Layer-2 Capture Two modes of operation: ARP-timeout – actively captures unused addresses (default) Hard capture – only listens on specific addresses LaBrea promiscuously listens for ARP requests If no answer to (multiple) requests, LaBrea assumes IP not in use... And claims to be that IP (always with same MAC) Example: 10.1.10.102 is a real host attempting to connect to (non-existent) host 10.1.10.210 : 06:20:44.848758 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:45.953257 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:46.962535 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:47.970023 ARP, Request who-has 10.1.10.210 tell 10.1.10.102, length 46 06:20:47.970130 ARP, Reply 10.1.10.210 is-at 00:00:0f:ff:ff:ff, length 28 L. Alt et al. (NPS) Degreaser ACSAC 2014 4 / 28

  8. Background LaBrea LaBrea ICMP Response After layer-2 capture, LaBrea responds to TCP and ICMP Example ping from 10.1.10.102 to 10.1.10.205 : 06:20:31.501417 ARP, Request who-has 10.1.10.205 tell 10.1.10.102, length 46 06:20:33.501954 ARP, Request who-has 10.1.10.205 tell 10.1.10.102, length 46 06:20:34.503146 ARP, Request who-has 10.1.10.205 tell 10.1.10.102, length 46 06:20:34.503257 ARP, Reply 10.1.10.205 is-at 00:00:0f:ff:ff:ff, length 28 06:20:34.504452 IP 10.1.10.102 > 10.1.10.205: ICMP echo request, id 61467, seq 3, length 64 06:20:34.504536 IP 10.1.10.205 > 10.1.10.102: ICMP echo reply, id 61467, seq 3, length 64 L. Alt et al. (NPS) Degreaser ACSAC 2014 5 / 28

  9. Background LaBrea LaBrea ICMP Response After layer-2 capture, LaBrea responds to TCP and ICMP Example ping from 10.1.10.102 to 10.1.10.205 : 06:20:31.501417 ARP, Request who-has 10.1.10.205 tell 10.1.10.102, length 46 06:20:33.501954 ARP, Request who-has 10.1.10.205 tell 10.1.10.102, length 46 06:20:34.503146 ARP, Request who-has 10.1.10.205 tell 10.1.10.102, length 46 06:20:34.503257 ARP, Reply 10.1.10.205 is-at 00:00:0f:ff:ff:ff, length 28 06:20:34.504452 IP 10.1.10.102 > 10.1.10.205: ICMP echo request, id 61467, seq 3, length 64 06:20:34.504536 IP 10.1.10.205 > 10.1.10.102: ICMP echo reply, id 61467, seq 3, length 64 L. Alt et al. (NPS) Degreaser ACSAC 2014 5 / 28

  10. Background LaBrea LaBrea TCP Response LaBrea also responds to TCP connection attempts to any TCP port TCP SYN/ACK has an advertised window of 10 (or 3), and no TCP options Two modes of operation: Persistent: always respond with 0 window Non-Persistent: ignore all future traffic Example HTTP from 10.1.10.102 to 10.1.10.210 : 06:20:47.971276 IP 10.1.10.102.51161 > 10.1.10.210.http: Flags [S], seq 3536100821, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 1194569089 ecr 0,sackOK,eol], length 0 06:20:47.971475 IP 10.1.10.210.http > 10.1.10.102.51161: Flags [S.], seq 1457023515, ack 3536100822, win 10, length 0 L. Alt et al. (NPS) Degreaser ACSAC 2014 6 / 28

  11. Background LaBrea LaBrea TCP Response LaBrea also responds to TCP connection attempts to any TCP port TCP SYN/ACK has an advertised window of 10 (or 3), and no TCP options Two modes of operation: Persistent: always respond with 0 window Non-Persistent: ignore all future traffic Example HTTP from 10.1.10.102 to 10.1.10.210 : 06:20:47.971276 IP 10.1.10.102.51161 > 10.1.10.210.http: Flags [S], seq 3536100821, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 1194569089 ecr 0,sackOK,eol], length 0 06:20:47.971475 IP 10.1.10.210.http > 10.1.10.102.51161: Flags [S.], seq 1457023515, ack 3536100822, win 10, length 0 L. Alt et al. (NPS) Degreaser ACSAC 2014 6 / 28

  12. Degreaser Discriminating Characteristics Experiments In the lab (where things worked great) Set up LaBrea tarpit on /29 within Comcast (where we learned a lot) Real Hosts Planetlab Internet /29 Subnet LaBrea L. Alt et al. (NPS) Degreaser ACSAC 2014 7 / 28

  13. Degreaser Discriminating Characteristics What Doesn’t Work: Subnet Occupancy Can we find tarpit by locating fully occupied subnetworks? No. High-occupancy subnets are often content providers (CDNs, hosting services) However, we examine the relationship between Project Sonar ( scans.io ) counts of half-responding hosts and our inferred fake subnets. L. Alt et al. (NPS) Degreaser ACSAC 2014 8 / 28

  14. Degreaser Discriminating Characteristics What Doesn’t Work: Response Time Does LaBrea respond faster or slower than a real host? LaBrea is much slower to respond in ARP-timeout mode Unreliable due to ARP caching No distinguishable difference when 700 not running in ARP-timeout mode 600 500 Latency (msec) 400 300 200 100 2 3 1 4 4 4 4 4 4 4 4 4 2 3 4 3 4 1 3 4 3 2 4 3 0 4 4 4 2 3 2 4 4 2 4 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 a / b / c / / / / / / i / / / l / m / n / / p / / r / s / / u / / / / / / / B / C / D / E / F / / H / I / d e f g h j k o q t v w x y z A G Subnetwork L. Alt et al. (NPS) Degreaser ACSAC 2014 9 / 28

  15. Degreaser Discriminating Characteristics What Doesn’t Work: Port Scanning What about looking for hosts listening on all TCP ports? Search space too big! 2 32 × 2 16 scans We could search for hosts with more than X listening ports... This still requires multiple scans per host And won’t detect single-port tarpits (e.g. iptables) However it’s easier than that! L. Alt et al. (NPS) Degreaser ACSAC 2014 10 / 28

  16. Degreaser Discriminating Characteristics What Doesn’t Work: Port Scanning What about looking for hosts listening on all TCP ports? Search space too big! 2 32 × 2 16 scans We could search for hosts with more than X listening ports... This still requires multiple scans per host And won’t detect single-port tarpits (e.g. iptables) However it’s easier than that! L. Alt et al. (NPS) Degreaser ACSAC 2014 10 / 28

  17. Degreaser Discriminating Characteristics What Does Work We can efficiently detect tarpit IPs using: TCP Window Size TCP Options Key Advantages Only one TCP connection per target Requires sending only 2-6 packets per target Not susceptible to network noise (e.g. response latency) L. Alt et al. (NPS) Degreaser ACSAC 2014 11 / 28

Recommend

Cleaners / Degreasers UB10 Degreaser 1 For use via Ultra Blend & Ultra Dose.

Cleaners / Degreasers UB10 Degreaser 1 For use via Ultra Blend & Ultra Dose.

Cleaners / Degreasers UB10 Degreaser 1 For use via Ultra Blend & Ultra Dose. Effective against a wide range of soilages. Ideal for use on safety floorings. Super concentrated low cost in use. Sanitisers Trio 100

501 views • 14 slides
Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner with IRIS Date : 23 rd September, 2017 Indian Rural Panel Uncovering Farmers Mindset_777_520 1 Content Overview of Indian agriculture and

268 views • 24 slides
Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko http://geoanalytics.net Monica Wachowicz & Daniel Orellana Uncovering Interactions between Moving Objects Research Topic Research focus: interactions (

376 views • 26 slides
Uncovering Functions Through Multi-Layer Tissue Networks Marinka Zitnik marinka@cs.stanford.edu

Uncovering Functions Through Multi-Layer Tissue Networks Marinka Zitnik marinka@cs.stanford.edu

Uncovering Functions Through Multi-Layer Tissue Networks Marinka Zitnik marinka@cs.stanford.edu Joint work with Jure Leskovec Network biomedicine Networks are a general language for describing and modeling biological systems, their

867 views • 42 slides
DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs

DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs

Social Network Social Network Web Network DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs Nonuniform comp requirement Contentiousness of the memory Nonuniform comm requirement

861 views • 50 slides
Uncovering the wealth of grapevine genetic diversity through whole genome sequencing and assembly

Uncovering the wealth of grapevine genetic diversity through whole genome sequencing and assembly

Uncovering the wealth of grapevine genetic diversity through whole genome sequencing and assembly Dario Cant Associate Professor and Louis P. Martini Endowed Chair Grape Genomics Outline 1. Why do we need more genome references? 2. What do

651 views • 38 slides
THE STAVELY PROJECT UNCOVERing mineral potential in western Victoria UNCLASSIFIED Speaker's

THE STAVELY PROJECT UNCOVERing mineral potential in western Victoria UNCLASSIFIED Speaker's

Speaker's notes UNCLASSIFIED THE STAVELY PROJECT UNCOVERing mineral potential in western Victoria UNCLASSIFIED Speaker's notes UNCLASSIFIED CONTRIBUTORS AND COLLABORATION Geological Survey of Victoria Ross Cayley, David Taylor, Phil

555 views • 34 slides
Vaping and Disease Risks: Uncovering the Connections Cynthia Grondin, PhD Comparative

Vaping and Disease Risks: Uncovering the Connections Cynthia Grondin, PhD Comparative

Vaping and Disease Risks: Uncovering the Connections Cynthia Grondin, PhD Comparative Toxicogenomics Database North Carolina State University Introduce Vaping Devices What Chemicals are Involved? Comparative Toxicogenomics Database

384 views • 27 slides
Uncovering News-Twitter Reciprocity via Interaction Patterns Yue Ning 1 Sathappan Muthiah 1 Ravi

Uncovering News-Twitter Reciprocity via Interaction Patterns Yue Ning 1 Sathappan Muthiah 1 Ravi

Uncovering News-Twitter Reciprocity via Interaction Patterns Yue Ning 1 Sathappan Muthiah 1 Ravi Tandon 2 Naren Ramakrishnan 1 1 Discovery Analytics Center, Department of Computer Science, Virginia Tech 2 Now with Department of Electrical and

644 views • 48 slides
Uncovering Teachers Goals, LeveragingMOSTs.org Orientations and Resources Related to the

Uncovering Teachers Goals, LeveragingMOSTs.org Orientations and Resources Related to the

Uncovering Teachers Goals, LeveragingMOSTs.org Orientations and Resources Related to the Practice of Using Student Thinking Shari L. Stockero Michigan Technological University Laura R. Van Zoest Western Michigan University Annick

137 views • 13 slides
Digging Deeper: Uncovering the Hidden Potential of Historical State and Local Records The ABA

Digging Deeper: Uncovering the Hidden Potential of Historical State and Local Records The ABA

History Associates Technical Roundtable Digging Deeper: Uncovering the Hidden Potential of Historical State and Local Records The ABA Section of Environment, Energy, and Resources 40 th Annual Conference on Environmental Law March 17, 2011

586 views • 20 slides
Uncovering Mental Models to Inform Mobile Information Architecture: The Use of Repeated Cluster

Uncovering Mental Models to Inform Mobile Information Architecture: The Use of Repeated Cluster

Uncovering Mental Models to Inform Mobile Information Architecture: The Use of Repeated Cluster Analyses on Card Sort Data Noah J Wheeler Texas Tech University Cluster Background Data Collection Conclusions Analysis Cluster Background

425 views • 14 slides
Uncovering the hidden universe of rental units in Surrey UBC Data Science for Social Good 2018

Uncovering the hidden universe of rental units in Surrey UBC Data Science for Social Good 2018

Uncovering the hidden universe of rental units in Surrey UBC Data Science for Social Good 2018 By: Jocelyn Lee, Andy Fink, Hyeongcheol Park, Zhe Jiang Overview Introduction Data Sources and Collection Data Processing

438 views • 21 slides
FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild Zhenhua Li Weiwei Wang Chen Qian

FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild Zhenhua Li Weiwei Wang Chen Qian

Feb. 26 Mar. 1 FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild Zhenhua Li Weiwei Wang Chen Qian Christo Wilson Jian Chen Yunhao Liu Taeho Jung Lan Zhang Kebin Liu Xiangyang Li lizhenhua1983@gmail.com

1.26k views • 47 slides
Measuring code coverage Uncovering the Atlassian Clover engine About me Marek Parfianowicz

Measuring code coverage Uncovering the Atlassian Clover engine About me Marek Parfianowicz

Measuring code coverage Uncovering the Atlassian Clover engine About me Marek Parfianowicz Support Engineer and Software Developer at Spartez (since 2012) Senior Software Engineer at Lufthansa Systems (2004-2012) Technical

495 views • 38 slides
Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang

Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang

Automatic Uncovering of Tap Points From Kernel Executions Junyuan Zeng, Yangchun Fu, and Zhiqiang Lin University of Texas at Dallas RAID 2016 Introduction A UTO T AP Design Experimental Results Discussions & Related Work Summary &

694 views • 58 slides
IP Network Stack in Ada 2012 and the Ravenscar Profile Stphane Carrez Ada Europe 2017 Ada

IP Network Stack in Ada 2012 and the Ravenscar Profile Stphane Carrez Ada Europe 2017 Ada

IP Network Stack in Ada 2012 and the Ravenscar Profile Stphane Carrez Ada Europe 2017 Ada Embedded Network Stack Project Presentation Implementation Details EtherScope use case Difficulties and solutions with Ravenscar profile

227 views • 21 slides
Understanding the Risks in Alternative Risk Premia IAPF Breakfast Briefing January 2019

Understanding the Risks in Alternative Risk Premia IAPF Breakfast Briefing January 2019

Understanding the Risks in Alternative Risk Premia IAPF Breakfast Briefing January 2019 Amsterdam | Chicago | London | Montral | Munich | Paris | Sydney | Toronto bfinance.com This report is solely for the use of client personnel. No part of

274 views • 23 slides
Welcome BYOx 2018 @ BPSSC What is BYOx BYOx (Bring Your Own Device) Students bring their

Welcome BYOx 2018 @ BPSSC What is BYOx BYOx (Bring Your Own Device) Students bring their

Welcome BYOx 2018 @ BPSSC What is BYOx BYOx (Bring Your Own Device) Students bring their personal device from home to access our EQ network We are offering BYOx to all students in 2018 Our Network Safe Filtered Internet

749 views • 13 slides
Victor Ivanovich Petrik Full Member, Academician of Russian Academy of natural sciences, Russian

Victor Ivanovich Petrik Full Member, Academician of Russian Academy of natural sciences, Russian

Victor Ivanovich Petrik Full Member, Academician of Russian Academy of natural sciences, Russian technological academy, Petrovskaya academy of sciences and arts, International academy of sciences, ecology and nature, Honoured member of European

477 views • 44 slides
Bruce Springsteen and the Nick Braae Wave Model of Waikato Institute of Technology Development

Bruce Springsteen and the Nick Braae Wave Model of Waikato Institute of Technology Development

The 11th Art of Record Production Conference Aalborg, Denmark 2-4 December 2016 Bruce Springsteen and the Nick Braae Wave Model of Waikato Institute of Technology Development Hamilton, New Zealand Springsteen, Criticism, and the Discourse

320 views • 16 slides
2020 MSBA Accelerated Repair Program Presentation to Boston School Committee January 29, 2020

2020 MSBA Accelerated Repair Program Presentation to Boston School Committee January 29, 2020

2020 MSBA Accelerated Repair Program Presentation to Boston School Committee January 29, 2020 BOSTON PUBLIC SCHOOLS Massachusetts School Building Authority Programs Core Program Projects covering extensive repairs, renovations,

138 views • 10 slides
2019 MSBA Accelerated Repair Program Brian McLaughlin, Chief of Staff, Public Facilities Dept.

2019 MSBA Accelerated Repair Program Brian McLaughlin, Chief of Staff, Public Facilities Dept.

2019 MSBA Accelerated Repair Program Brian McLaughlin, Chief of Staff, Public Facilities Dept. John Hanlon, Chief Operating Officer, BPS Presentation to Boston School Committee January 16, 2019 BOSTON PUBLIC SCHOOLS Massachusetts School

369 views • 11 slides
Trend-Following CTAs vs Alternative Risk Premia (ARP): Crisis beta vs risk-premia alpha Artur

Trend-Following CTAs vs Alternative Risk Premia (ARP): Crisis beta vs risk-premia alpha Artur

14 th EDITION Trend-Following CTAs vs Alternative Risk Premia (ARP): Crisis beta vs risk-premia alpha Artur Sepp Quantica Capital AG Content 14 th EDITION Why most quants underperformed in 2018 How trend-following works

631 views • 12 slides

More recommend