'Decoy nets' gain backers in battle against hackers

As hackers obtain ever more dangerous and easy-to-use tools, they are being countered by novel defense strategies. Witness the experimental idea of setting up a decoy network separate from your real one to fool intruders as they try to fool you.

This so-called "deception" network is envisioned as more than just a single server set up to be a "honeypot," where hackers may break in, find a dead end and have their activities recorded with an eye toward prosecution. Rather, the decoy net is an entire fake network, complete with host computers on a LAN (local area network) with simulated traffic, to convince hackers for as long as possible that it's real.

Experts debate whether such nets will be worth the effort, but agree they can be a way to slow hackers long enough to sort the curious from the truly destructive.

A group calling itself The Honeynet Project has quietly begun testing decoy networks on the Internet and soon plans to publish a paper on how to build one.

According to Ed Skoudis, chief security strategist at Predictive Systems, the idea is the brainchild of Sun security consultant Lance Spitzner. "We set up honeypots to watch hacker activity," says Skoudis, who participates in the invitation-only group and spoke about new hacker tools and defenses at last week's InfoSec show.

The Honeynet Project is not intended to prosecute intruders who haplessly wander into their elaborate decoys, but to study hacker responses in depth in order to devise the best decoy defenses. There are only a few commercial honeypot-style products on the market, including Network Associates' CyberCop Sting and Recourse Technologies' ManTrap.

Other decoy networks do slow intruders with an eye toward collecting evidence to prosecute them, says Rusty Miller, an executive at Veridian Information Systems.

"To collect evidence, you need to divert the hacker to a deception network," says Miller, who claims to have built deception networks for secretive government agencies. He says the idea is to feed back information about what hackers do to a kind of "deception central" for network administrators. "The time the hackers are dealing with a deception environment is time they're not in your network," he says.

It is possible to create a deception network that has the same IP network address as your real network, Miller says. He acknowledges deception nets carry obvious administrative burdens, such as the need to generate realistic traffic to fool a hacker and maintain a network no one really uses. He notes the risk that administrators will lose track of what's real and what's not.

These deception techniques have doubters. Steve Manzuik, security analyst at BindView, appreciates the work being done by The Honeynet Project and would like to contribute, but he remains skeptical.

"It's not clear yet you can fool a lot of people with this deterrent," he says.

Meanwhile, hackers continue to learn new tricks.

The past year has seen the emergence of a new breed of distributed port scanners and sniffers that make it easier for attackers to hide their intent, Skoudis says.

There's now a kernel-level rootkit for Linux, called Knark, which when installed by hackers changes the operating system to hide files and present false information to administrators. And another new one, called Dsniff, can be used to capture traffic on Ethernet switches and inject traffic into a network so that other hosts send their traffic to the attacker's machine, a technique known as the man-in-the-middle attack.

"It's pretty nasty stuff," Skoudis says. "For very sensitive networks, you may want to activate port-level security on your switches."
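As an added illustration, not code from the article or from the authors of the tools it names, the following passive monitor shows how the man-in-the-middle technique described above can be spotted on the wire: a switch-based interception of this kind works by sending forged ARP replies that rebind a victim's IP address to the attacker's MAC address, so a defender watching ARP replies looks for an IP whose MAC suddenly changes, or one MAC answering for several IPs. The record format, the field names and the sample replies are all constructed for the example.

```python
"""Passive ARP-poisoning detector (added example; record format and
sample data are constructed, not taken from any real capture)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a monitor on the segment would record it."""
    ts: float          # seconds since capture start
    sender_ip: str     # IP address the reply claims to answer for
    sender_mac: str    # MAC address it says that IP lives at


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    known_mac: str
    claimed_mac: str


def detect_arp_conflicts(
    replies: List[ArpReply],
    baseline: Optional[Dict[str, str]] = None,
) -> Tuple[List[Alert], Dict[str, str]]:
    """Flag every reply that binds an IP to a different MAC than the one
    already known for it. Without a baseline the first binding seen is
    trusted (learning mode); with one, e.g. the gateway's real MAC taken
    from the switch's own tables, even the first forged reply is caught.
    Returns the alerts and the IP->MAC table the monitor ends up with."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    alerts: List[Alert] = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = mac
        elif known != mac:
            alerts.append(Alert(r.ts, r.sender_ip, known, mac))
            # Keep the original binding so repeated forgeries keep alerting
            # instead of being silently accepted as the new truth.
    return alerts, table


def macs_claiming_many_ips(replies: List[ArpReply], threshold: int = 2) -> Dict[str, List[str]]:
    """A single MAC answering for several IPs is the other telltale sign:
    the interceptor must impersonate both ends to relay between them."""
    claims: Dict[str, set] = {}
    for r in replies:
        claims.setdefault(r.sender_mac.lower(), set()).add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= threshold}


# Constructed sample: the gateway and one workstation answer normally,
# then a third host starts answering for both of them.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),    # gateway, legitimate
    ArpReply(0.5, "10.0.0.20", "00:11:22:33:44:20"),   # workstation, legitimate
    ArpReply(5.0, "10.0.0.1", "DE:AD:BE:EF:00:99"),    # forged: "gateway is here"
    ArpReply(5.1, "10.0.0.20", "de:ad:be:ef:00:99"),   # forged: "workstation is here"
    ArpReply(7.0, "10.0.0.1", "00:11:22:33:44:01"),    # real gateway answers again
]

if __name__ == "__main__":
    alerts, table = detect_arp_conflicts(SAMPLE_REPLIES)
    for a in alerts:
        print(f"t={a.ts:5.1f} {a.ip} known={a.known_mac} claimed={a.claimed_mac}")
    print("multi-IP claimants:", macs_claiming_many_ips(SAMPLE_REPLIES))
```

The learning-mode table is only as trustworthy as the first reply it sees, which is why a monitor that starts after the interception began needs a baseline from an independent source; the port-level switch security Skoudis recommends attacks the same problem from the other side, by refusing frames from MACs the port was not configured for.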

Many tools that let hackers carry out surveillance are now Web-based, according to David Rhoades, director of systems engineering at AppGate, who also spoke at the conference. "Why Web-based? It's easy. No complicated downloads or zip files. They can hack from anywhere, and it's anonymous."

While a talented few among hackers actually make attack tools, many of these tools today are freeware.

And they're posted on dozens of techie sites, not the secret underground.

BindView security analyst Manzuik says his firm late last year developed a tool to test for the so-called Naptha denial-of-service attack affecting at least seven major operating systems.

The tool, which involves launching an attack to determine operating system weakness, was given solely to vendors but somehow ended up posted on the Packetstorm site in its repository for tools.

In the wrong hands "this tool is dangerous," Manzuik says. "But that version isn't as dangerous as other versions that will be released."
