deceptive defense - wear down the attackers and all their port scanners and so forth
Copyright (c), 1998, Fred Cohen - All Rights Reserved
NOTICE: By taking this copy, you agree that all updates and modifications will be reported back to us, that you will only use it to defend systems and not to figure out how to attack them, that we retain all rights to the software provided to you and any revisions, enhancements, or derivative works that may result from it, that you will retain all copyright notices on all copies you distribute elsewhere, and that anyone you give it to will also agree to these terms.
Configuring, installing, and otherwise setting up DTK is described in the download.html file that comes with DTK.
dtk - Deception ToolKit
Level 1:
At the outer edges, place sterile male bees to catch the honey hunters
A program on every port that:
emulates the legitimate service without providing it
is secure against attacks including denial
gives the appearance of success for a little while
provides indications and warnings information and logs attempts
Example: tftp
responds to get /etc/passwd with a fake password
file - when run through Crack, either yields
complex passwords that don't work - OR
passwords that tell the attacker they have been had
sends details of all attack attempts to a log file
alerts system/network admins to activities
Example: sendmail
responds to all known sendmail attacks by imitating the
fault while actually providing no such service. Real
users use POP to fetch their mail from a remote server.
sends details of all access attempts to a log file
alerts system/network admins to activities
Level 2:
Within the system, every repaired flaw generates a detection routine which
also cuts off the attacker (or places them in a chroot environment)
Example: buffer overrun protected by a wrapper - if the
wrapper input size limit is exceeded, it generates a
log of the attempt and puts the user into a chroot
play world from now until they talk to the admin
alert admins to attempt
Level 3: Within a business function, reports cross between related
computers at higher frequency than between unrelated systems, and response
reflects the current threat environment.
RESPONSE FILES file names:
23.response to respond to telnet
nnn.response to respond to port nnn
formats for response files:
tab separated fields as follows:
- Comments
# anything in a line starting with a # is a comment
- Orders
! variable value comments sets $variable=value in program for timeout, maxloops, debug
State machine:
# anything is ignored as a comment
State ! Nextstate Continue Operation Stimulus Response Match STIMULUS -> response
State !O Nextstate Continue Operation Response Match One Time Password -> response
State !A Nextstate Continue Operation Response Match Algorithmic Identification -> response
State M!patternmatch! Nextstate Continue Operation Response Match patternmatch -> response
State /patternmatch/ Nextstate Continue Operation Response Match patternmatch -> response
State word Nextstate Continue Operation Response Match first word -> response
State Input NexStat Continue Operation Response
State: name of state (I use 0, 1, etc. but strings are allowed. Always start at 0)
Input: all lower case EXCEPT for START, ERROR, NIL, NOTICE, and ! which are special cases
Next State: name of the state to go to after doing this output
Continue: 0 for exit - 1 for remain operating
Operation: default = print the response with no trailing <crlf>,
1 = print the response and adds a <crlf>,
cat = output from the file specified in the response field
-echo = echo response and turn off echo
+echo = echo <CRLF>response and turn on echo
@ = start new response profile from next field
exec = exec a process (login for example)
infocon = List the Infocon states and times
special = special coding for altered states
for example, special in.telnetd allow allows telnet from the current IP
for example, special in.telnetd deny denies telnet from the current IP
for example, special all deny denies all from the current IP
Response: the output
Exceptions: State NOTICE program-name arguments
runs program-name with arguments to notify administrators of events
unlike everything else, this is done upon entry into state - before input
State ! NexStat Exit lf/file match-for action
if match-for appears anywhere in the input line, do the rest
State /reg-exp/ NexStat Exit lf/file action
if the reg-exp regular expression matches anything in this input, trigger the action
A mild example comes from a fake port 25 program:
# State	Input	NexStat	Exit	lf/file	output/filename
# comment lines start with the pound sign (#)
# we are faking sendmail version 8.1.2/8.1.3
!	timeout	30	# 30 second timeout per command
!	maxloops	15	# 15 commands at most
0	START	0	1	1	220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0	ERROR	0	1	1	500 Command unrecognized - please say "Helo"
0	help	0	1	1	214-No help available
# if they say helo, we acknowledge and go to state 1
0	helo	1	1	1	250 all.net, pleased to meet you
0	quit	0	0	1	221 all.net closing connection
# if you don't get anything - just ignore it and wait
0	nil	0	1	0
# we got a Helo request
# it contained something with /etc/passwd in it - let's simulate a big hole
1	!	4	1	cat	/etc/passwd	@fake.passwd
# this regular expression matched something in the input line - let's simulate a big hole
1	/cat\spasswd/	4	1	2	@fake.passwd
1	mail	2	1	1	250 proceed
1	rcpt	1	1	1	500 Must say "HELO" first
1	help	1	1	1	214-No help available
1	quit	1	0	1	221 all.net closing connection
1	nil	1	1	0
1	ERROR	1	0	1	500 Server Configuration Error - all.net closing connection
# even a rcpt - this guy's good!!!
2	rcpt	3	1	1	250 proceed end with a '.'
2	help	2	1	1	214-No help available.
2	quit	2	0	1	221 all.net closing connection
2	nil	2	1	0
2	ERROR	2	0	1	500 Server Configuration Error - all.net closing connection
# getting mail - what do I do?!?!?
3	nil	1	1	1	500 Mailbox full - please start again
3	ERROR	3	0	0	500 Server Configuration Error - all.net closing connection
# I sent them a password file - better notify the authorities
4	NOTICE	/dtk/notify.pl	Email fc@all.net Just sent a password file to an attacker - sendmail exploit
4	NIL	0	1	1	214-Unknown configuration error
4	ERROR	0	0	0	500 Server Configuration Error - all.net closing connection
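The following is an added example, written for this page in Python and not part of DTK (which is written in Perl): a small interpreter for the response-file format above that loads a cut-down version of the port 25 file and plays a scripted attacker session against it. The sample file, the fake.passwd contents and the session lines are constructed. The interpreter assumes that rules are tried in file order with the first match winning, that ERROR is the fallback when nothing else fits, that the cat operation serves the named file from an in-memory dictionary, that the timeout order needs a real socket and so is not modelled, and that the !O, !A, M!...!, exec, echo, @, infocon and special operations are out of scope.

```python
# Interpreter for DTK-style nnn.response files: an added example written for
# this page, not DTK's own Perl code. Assumed: rules are tried in file order,
# first match wins, ERROR is the fallback, 'cat' serves a file from a dict.
import re

# Constructed sample in the 25.response format described above. DTK separates
# fields with tabs; this sample uses spaces and _split() accepts either.
SAMPLE_25_RESPONSE = """\
! maxloops 15  # 15 commands at most
0 START 0 1 1 220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0 ERROR 0 1 1 500 Command unrecognized - please say "Helo"
0 helo 1 1 1 250 all.net, pleased to meet you
1 ! 4 1 cat /etc/passwd @fake.passwd
1 /cat\\spasswd/ 4 1 2 @fake.passwd
1 mail 2 1 1 250 proceed
2 rcpt 3 1 1 250 proceed end with a '.'
3 nil 1 1 1 500 Mailbox full - please start again
4 NOTICE /dtk/notify.pl Email fc@all.net Just sent a password file to an attacker
4 NIL 0 1 1 214-Unknown configuration error
4 ERROR 0 0 0 500 Server Configuration Error - all.net closing connection
"""
# Constructed fake file served by the 'cat' operation; the hash is junk.
FAKE_FILES = {"fake.passwd": "root:$1$dtk$youhavebeenhad:0:0:root:/:/bin/sh\n"}
CONNECT = "\0connect"   # synthetic input that stands for the connect event (START)

def _split(line, n):
    """Exactly n fields (tabs if present, else whitespace); missing ones are ''."""
    parts = line.split("\t", n - 1) if "\t" in line else line.split(None, n - 1)
    return parts + [""] * (n - len(parts))

class Responder:
    def __init__(self, text, fake_files=None):
        self.vars = {"maxloops": 100}        # set by '!' orders
        self.rules = {}                      # state -> [(kind, key, next, cont, op, response)]
        self.notices = {}                    # state -> (program, arguments), run on entry
        self.fake_files = fake_files or {}
        self.notified = []                   # notify calls that would have been made
        for raw in text.splitlines():
            self._parse_row(raw.strip())

    def _parse_row(self, line):
        if not line or line.startswith("#"):
            return
        if line.startswith("!"):             # order: "! variable value comment"
            self.vars[line.split()[1]] = int(line.split()[2])
            return
        state, inp = line.split(None, 2)[:2]
        if inp == "NOTICE":
            self.notices[state] = tuple(_split(line, 4)[2:])
            return
        if inp == "!":                       # contains-match: extra Stimulus field
            _, _, nxt, cont, op, key, resp = _split(line, 7)
            kind = "contains"
        else:
            _, _, nxt, cont, op, resp = _split(line, 6)
            if len(inp) > 2 and inp[0] == inp[-1] == "/":
                kind, key = "regex", re.compile(inp[1:-1])
            else:
                kind = inp.upper() if inp.upper() in ("START", "ERROR", "NIL") else "word"
                key = inp.lower()
        self.rules.setdefault(state, []).append((kind, key, nxt, cont, op, resp))

    def _match(self, state, line):
        """First rule in file order that fits the input, else the ERROR rule."""
        word = line.split()[0].lower() if line.split() else ""
        rules = self.rules.get(state, [])
        for kind, key, *rest in rules:
            if ((kind == "START" and line == CONNECT) or (kind == "NIL" and not line.strip())
                    or (kind == "word" and key == word) or (kind == "contains" and key in line)
                    or (kind == "regex" and key.search(line))):
                return rest
        return next((r for k, _, *r in rules if k == "ERROR" and line != CONNECT), None)

    def _enter(self, state):
        if state in self.notices:            # NOTICE fires on entry, before any input
            self.notified.append(self.notices[state])
        return state

    def run(self, inputs):
        """Play one connection; returns (outputs sent, final state)."""
        outputs, state = [], self._enter("0")
        for line in [CONNECT] + list(inputs[: self.vars["maxloops"]]):
            hit = self._match(state, line)
            if hit is None:                  # nothing matched and no ERROR rule
                continue
            nxt, cont, op, resp = hit
            outputs.append(self.fake_files.get(resp.lstrip("@"), "") if op == "cat"
                           else resp + "\r\n" * (op == "1"))   # cat: fake file; 1: add CRLF
            state = self._enter(nxt)
            if cont == "0":                  # Continue 0 closes the connection
                break
        return outputs, state

def demo_password_hole():
    r = Responder(SAMPLE_25_RESPONSE, FAKE_FILES)
    outs, final = r.run(["HELO evil.example", "MAIL FROM: </etc/passwd>", "QUIT"])
    return outs, final, r.notified       # fake passwd served, NOTICE recorded, closed
```

demo_password_hole() returns the banner, the HELO acknowledgement, the fake password file and the closing ERROR response, with the NOTICE that would have run /dtk/notify.pl recorded in notified. The point to take from it is ordering: in state 1 the /etc/passwd contains-rule and the regular-expression rule sit before the word rules, so a MAIL command that mentions /etc/passwd is treated as the exploit attempt rather than as mail, and a state with no ERROR rule (state 2 here) silently ignores unrecognised input instead of closing.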
HOSTSERV FILE
The HostServ file specifies actions associated with ports for IP addresses in a similar way to how TCP-wrappers operates.
HostServ file format:
Service Host-Spec Action
Service:= Port number of the affected service[s]
specified as a series of comma-separated regular expressions
regex,regex,regex,...
Host-Spec:=IP address(es) of the affected host[s]
specified as a series of comma-separated regular expressions
regex,regex,regex,...
Action:=What to do if this case occurs to wit:
DTK run default DTK service for port (nnn.response)
/etc/in.telnetd run /etc/in.telnetd (anything starting with '/')
nnn.response run DTK responder for port nnn
Comment lines start with '#'
The following line is appended to whatever file you provide:
. . DTK
which implements DTK on all ports for all IP addresses
An example may be helpful:
# This is a sample HostServ file for DTK
#Service	Host-Spec	Action
# incoming email from 1.2.3. EXCEPT 1.2.3.4 runs sendmail - others get deception
# 4.3.2.2 gets telnet deception on incoming email port (a bit strange)
25	1.2.3.4	DTK
25	1.2.3.	/var/adm/sendmail
25	4.3.2.2	23.response
25	.*	DTK
# allow 1.2.3.4 and 4.3.2.1 to use telnet, others get deception
23	1.2.3.4	/var/bin/in.telnetd -s
23	4.3.2.1	/var/bin/in.telnetd -s
23	.*	DTK
# all previously unspecified services from 1.2.3.4 or 101.202.303.404 run /dtk/deception
.	101.202.303.404	/dtk/deception
.	1.2.3.4	/dtk/deception
The HostServ file is loaded at the startup of each deception port's daemon. This means that if you change the HostServ file you need to restart the daemon for any affected ports before those changes will take effect on those ports. In implementation, the HostServ file is read once at startup, lines not relating to the port this daemon is running on are thrown out, and each time an incoming connection causes a process to be forked, the HostServ table is checked sequentially to decide what to do. Because both Service and Host-Spec are regular expressions, an unescaped '.' matches any character, and if matching is unanchored (as the catch-all line ". . DTK" implies) a Host-Spec such as 1.2.3.4 also matches addresses that merely contain it; for entries that hand out a real service rather than deception, anchor and escape the pattern (^1\.2\.3\.4$).
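An added example, written for this page in Python and not DTK's own code: a loader and resolver for the HostServ format that does what the paragraph above describes, keeping only the rows whose Service pattern matches the daemon's port, appending the default ". . DTK" row, and scanning the table in order for each incoming connection. The sample tables are constructed. One assumption matters for security: the documented catch-all "." can only match a multi-digit port number if patterns are matched unanchored, so the example uses an unanchored regex search; check that against the DTK source you run, because under that rule a Host-Spec of 1.2.3.4 also matches 11.2.3.45, and 122.3.4 as well (unescaped dots), and would hand those hosts the real telnetd. The hardened table shows the anchored, escaped form.

```python
# HostServ resolver: an added example written for this page, not DTK's Perl
# code. It loads the table the way the text says each per-port daemon does,
# keeping only rows whose Service pattern matches its port, appends the
# catch-all '. . DTK' row, and answers each connection with the first match.
# Assumed: patterns are matched with an unanchored regex search, because the
# documented catch-all '.' could not match a multi-digit port number otherwise.
import re

# Constructed sample; spaces stand in for DTK's tab separators.
SAMPLE_HOSTSERV = """\
# Service Host-Spec Action
25 1.2.3.4 DTK
25 1.2.3. /var/adm/sendmail
25 4.3.2.2 23.response
25 .* DTK
23 1.2.3.4 /var/bin/in.telnetd -s
23 4.3.2.1 /var/bin/in.telnetd -s
23 .* DTK
. 1.2.3.4 /dtk/deception
"""
# Same telnet policy with anchored, dot-escaped host patterns (plain regex
# syntax; assumed to be accepted since the fields are regular expressions).
HARDENED_HOSTSERV = r"""
23 ^1\.2\.3\.4$ /var/bin/in.telnetd -s
23 ^4\.3\.2\.1$ /var/bin/in.telnetd -s
23 .* DTK
"""
DEFAULT_ROW = ".\t.\tDTK"   # appended by DTK: deception for everything unlisted


def _fields(line):
    parts = line.split("\t", 2) if "\t" in line else line.split(None, 2)
    if len(parts) != 3:
        raise ValueError("HostServ row needs Service, Host-Spec, Action: %r" % line)
    return parts


def load_hostserv(text, port):
    """Rows relevant to `port`, in file order, as (host regexes, action)."""
    rows = []
    for raw in text.splitlines() + [DEFAULT_ROW]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        services, hosts, action = _fields(line)
        if any(re.search(s, str(port)) for s in services.split(",")):
            rows.append(([re.compile(h) for h in hosts.split(",")], action))
    return rows


def resolve(rows, client_ip):
    """Sequential scan of the per-port table; the first match decides."""
    for host_patterns, action in rows:
        if any(p.search(client_ip) for p in host_patterns):
            return action
    return "DTK"   # unreachable once DEFAULT_ROW is loaded


def demo():
    """Documented cases plus the two pitfalls of unanchored, unescaped patterns."""
    t25 = load_hostserv(SAMPLE_HOSTSERV, 25)
    t23 = load_hostserv(SAMPLE_HOSTSERV, 23)
    hard = load_hostserv(HARDENED_HOSTSERV, 23)
    return {
        "25 from 1.2.3.4": resolve(t25, "1.2.3.4"),
        "25 from 1.2.3.9": resolve(t25, "1.2.3.9"),
        "25 from 4.3.2.2": resolve(t25, "4.3.2.2"),
        "80 from 1.2.3.4": resolve(load_hostserv(SAMPLE_HOSTSERV, 80), "1.2.3.4"),
        "23 from 11.2.3.45 (substring pitfall)": resolve(t23, "11.2.3.45"),
        "23 from 122.3.4 (unescaped dot pitfall)": resolve(t23, "122.3.4"),
        "23 from 11.2.3.45 (anchored)": resolve(hard, "11.2.3.45"),
        "23 from 1.2.3.4 (anchored)": resolve(hard, "1.2.3.4"),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print("%-42s -> %s" % (case, action))
```

The same caveat applies to the Service column: under unanchored search "25" also matches port 250, so ^25$ is the safe spelling whenever the action grants a real service rather than deception.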
