One of the most commonly used techniques by hackers is the DoS (Denial of Service) attack, in which a server is swarmed by repeated requests from one or many hosts. This can bring the server down or substantially reduce its performance. Such an attack is difficult to stop, but its effect can be reduced by distributing the throng of requests over other resources. LaBrea helps with this problem by confusing port scanners. It was initially written to stop the CodeRed worm from spreading, but gradually developed into a HoneyPot: a decoy mechanism that traps hackers by posing as a false server and drawing their attention to it.
Consider a scenario where a hacker uses a port scanner to find all the machines on your network. If the network is unprotected, the scanner will reveal every server on it. The hacker will then spend time on those servers, attempting either a DoS attack or a break-in. If you are running LaBrea, however, the hacker will see more machines than actually exist, and the extra machines will appear vulnerable, with lots of open ports. Faced with so many machines, he won't be able to tell which are real and will end up wasting time attacking the virtual ones.
Snapshot
Applies to: Network administrators
USP: Better security by providing false targets
Links: www.hackbusters.net/LaBrea.html, labrea.sourceforge.net/
The virtual machines are generated by LaBrea every time it catches someone trying to find a free IP on your network. When a hacker sends a port scan (Ping/ACK/SYN) request to such an IP, LaBrea detects it, presents that IP as live and responds to the request. This also reveals the IP address of the port scanner.
You can download LaBrea from 'prdownloads.sourceforge.net/labrea/labrea-2.5-stable-1.tar.gz?download', along with its dependency libdnet from 'dag.wieers.com/packages/libdnet/libdnet-1.7-0.dag.rh90.i386.rpm'. Before you actually deploy a HoneyPot, be sure you understand the legal implications of running one, because it is not legal in some countries (refer to the article Decoy Hackers, page 77, February 2004 issue of PCQuest).
For installation, you’ll first need to install the libdnet rpm by issuing the following command.
# rpm -ivh libdnet-1.7-0.dag.rh90.i386.rpm
After that, extract the LaBrea tarball and run the following commands to build and install it.
# tar -zxvf labrea-2.5-stable-1.tar.gz
# cd labrea-2.5
# ./configure
# make && make install
You can run LaBrea by issuing the following command.
# labrea -O -v -z
Here -v stands for verbose, -z turns the nag messages off (some LAN cards don't support them), and -O sends the log output to stdout instead of syslog. With this command, LaBrea responds to any Ping/SYN/ACK requests to a free IP that continue for more than three seconds. You can change this default with the -r switch.
To test LaBrea, go to any machine on your network and ping a free IP address (one not occupied by any machine). For the first three seconds you will get 'Request Timed Out' messages, but after that you'll start getting replies from that IP. On the LaBrea console, you'll see that it has logged the IP of the machine the ping came from.
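As an added illustration (this is not LaBrea's own code), the capture rule described above can be modelled in a few lines of Python: an IP that keeps being probed for three seconds without any real host answering is claimed, and the prober's address is logged. The Probe class, TarpitModel and the sample trace are constructed for this example.

```python
from dataclasses import dataclass, field

CAPTURE_DELAY = 3.0  # seconds of unanswered probes before an IP is claimed (the page's default)


@dataclass
class Probe:
    ts: float        # seconds since the start of the trace
    src: str         # the machine doing the ping/scan
    dst: str         # the IP being probed
    answered: bool   # True if a real host replied to this probe


@dataclass
class TarpitModel:
    """Simplified model (an assumption, not LaBrea's implementation) of the capture rule:
    an IP probed without any real reply for CAPTURE_DELAY seconds is marked as captured,
    and the prober's source address is recorded for the console log."""
    first_unanswered: dict = field(default_factory=dict)  # dst -> ts of first unanswered probe
    captured: dict = field(default_factory=dict)          # dst -> src of the prober that triggered it

    def feed(self, p: Probe):
        if p.answered:
            # A live machine owns this IP: never claim it, and drop any pending timer.
            self.first_unanswered.pop(p.dst, None)
            return None
        if p.dst in self.captured:
            return f"{p.dst} already captured; responding to {p.src}"
        start = self.first_unanswered.setdefault(p.dst, p.ts)
        if p.ts - start >= CAPTURE_DELAY:
            self.captured[p.dst] = p.src
            return f"captured {p.dst}; prober is {p.src}"
        return None  # still inside the delay window: the prober sees a timeout


def replay(probes):
    """Run a trace through the model; returns (captured IPs, console log lines)."""
    model = TarpitModel()
    log = [line for line in map(model.feed, probes) if line]
    return model.captured, log


# Constructed sample trace: 10.0.0.5 pings the free IP 10.0.0.99 once a second and
# also probes the live host 10.0.0.10, which answers and must never be claimed.
SAMPLE = [
    Probe(0.0, "10.0.0.5", "10.0.0.99", False),
    Probe(0.5, "10.0.0.5", "10.0.0.10", True),
    Probe(1.0, "10.0.0.5", "10.0.0.99", False),
    Probe(2.0, "10.0.0.5", "10.0.0.99", False),
    Probe(3.0, "10.0.0.5", "10.0.0.99", False),
    Probe(4.0, "10.0.0.5", "10.0.0.99", False),
]

if __name__ == "__main__":
    captured, log = replay(SAMPLE)
    print(captured)
    print("\n".join(log))
```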
Now for the results. We ran Nessus and Nmap against a free IP on the network. Both found a machine at that IP. Nessus then reported one security hole and 11 security warnings on it, while Nmap showed 1601 open ports and listed their services. In reality, these machines don't exist; LaBrea created them.
Anindya Roy