"SticKy" Tarpits with LaBrea
While most honeypots are used to lure malicious agents so that they may be studied and their behavior analysed, the purpose of some honeypots is to hinder those agents. LaBrea is such a tool, used to slow down and even stop self-propagating TCP-based worms such as Code Red.
This image illustrates the spread of the Code Red worm through its lifetime.
The method of slowing down or trapping these worms is referred to as tarpitting. Worms are not the only malicious denizens that can be targeted. There are also frameworks that aim at crippling spammers, and methods for creating active defenses against them, such as generating real-time blackhole lists (RBL) which mail servers may use to drop incoming spam.
LaBrea uses two techniques to cripple the spread of some self-propagating TCP-based worms: persistent capture and throttling. It does this by intercepting worm probes directed at unused IP addresses that LaBrea is monitoring and forcing those connections into undesirable states. When an external host attempts to send traffic to an unused IP address in our network, a router will broadcast ARP queries to find the host that belongs to that IP; if no host replies, the router will continue sending ARP queries.
LaBrea takes note of multiple unanswered queries and then responds to the router, indicating that the IP address belongs to itself (thus taking over that IP address). LaBrea then creates a virtual machine for that IP address and continues to monitor all traffic destined for the MAC address it has given to the router.
It is important to note how LaBrea consumes IP addresses on a network, since incorrect configuration will result in LaBrea leasing all available addresses from a DHCP server, which could starve a network.
When LaBrea receives a SYN packet, it sets up the connection by completing the three-way TCP handshake. Once the connection is made, there are two ways LaBrea can slow down or incapacitate it, the first of which is throttling.
Throttling allows LaBrea to slow down the transfer rate of traffic on the open connection by advertising a very small receiver window. The receiver window essentially instructs the sender not to send more data per packet than the window allows. The connection is still operating and sending data, but at a much reduced rate, which greatly slows the sender's probing attempts.
The second method LaBrea uses is persistent capture. With this method the LaBrea host is able to hold the connection indefinitely and thus tarpit the attacker. Persistent capture works by moving the TCP connection from an established state to a persist state, which is done by advertising a receiver window size of 0. As a result, the attacker has to send periodic window probe packets to determine whether the window has been opened again.
Both throttling and persistent capture incur bandwidth usage on the LaBrea host. Even though the traffic is minimal, there might still be a need to control its bandwidth usage. Luckily, LaBrea allows for this, and users may set a predetermined limit on the bandwidth usage of the LaBrea host. Some of the options that may be set include:
- Throttle size of the receiver window: -t (--throttle-size)
- Data rate to prevent overuse of bandwidth: -p (--max-rate)
- ARP request timeout, used to determine if an address is unused: -r (--arp-timeout)
The LaBrea configuration file may also be edited to exclude IP addresses or ranges of IP addresses that LaBrea should not lease from the DHCP server. The configuration file also allows LaBrea to ignore pre-defined ports (such as 0-20).
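The address-capture decision described above (unanswered ARP queries, the ARP timeout, and excluded ranges) can be modelled in a few lines. This is an added example, not LaBrea's own code: the class, the MAC address, the 3-second timeout, the excluded range and the ARP trace are all constructed for illustration, and releasing a claim when a real host answers is an assumption of this model.

```python
import ipaddress

TARPIT_MAC = "02:00:00:00:00:01"  # constructed placeholder, not LaBrea's real MAC

class ArpWatcher:
    """Simplified model: claim an IP once who-has requests for it have gone
    unanswered for `arp_timeout` seconds, unless the IP is excluded."""
    def __init__(self, arp_timeout=3.0, exclude=()):
        self.arp_timeout = arp_timeout
        self.exclude = [ipaddress.ip_network(n) for n in exclude]
        self.first_seen = {}  # ip -> time of first unanswered who-has
        self.claimed = set()  # IPs the tarpit currently answers for

    def on_packet(self, ts, op, ip, src_mac=None):
        """Feed one ARP event; return the forged reply to send, or None."""
        if op == "reply":
            if src_mac != TARPIT_MAC:
                # A real host owns this IP: reset the timer, drop any claim.
                self.first_seen.pop(ip, None)
                self.claimed.discard(ip)
            return None
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exclude):
            return None  # never capture excluded space (e.g. a DHCP pool)
        if ip in self.claimed:
            return ("reply", ip, TARPIT_MAC)
        start = self.first_seen.setdefault(ip, ts)
        if ts - start >= self.arp_timeout:
            self.claimed.add(ip)
            return ("reply", ip, TARPIT_MAC)
        return None

def replay(events, **kw):
    """Run a trace through a fresh watcher; return the set of captured IPs."""
    w = ArpWatcher(**kw)
    for ev in events:
        w.on_packet(*ev)
    return w.claimed

# Constructed ARP trace: (timestamp, op, IP[, sender MAC])
EVENTS = [
    (0.0, "who-has", "10.0.0.50"),                    # unused address being probed
    (0.5, "who-has", "10.0.0.7"),                     # live host...
    (0.6, "reply", "10.0.0.7", "02:00:00:00:00:aa"),  # ...answers for itself
    (1.0, "who-has", "10.0.0.50"),
    (1.2, "who-has", "10.0.0.200"),                   # address in the DHCP pool
    (3.5, "who-has", "10.0.0.50"),                    # unanswered for 3 s: captured
    (5.0, "who-has", "10.0.0.200"),                   # captured unless excluded
    (6.0, "who-has", "10.0.0.7"),                     # timer restarted, not captured
]
```

Replaying the trace with and without `exclude=["10.0.0.192/26"]` shows the difference between a safe configuration and one that also captures addresses from the DHCP pool.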