|
LaBrea is a intrusion detection / "sticky" honey pot technology using virtual servers to detect malware. LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers to connection attempts in a way that the machine at the other end gets "stuck", sometimes for a very long time. LaBrea works by watching ARP requests and replies. When the pgm sees consecutive ARP requests spaced several seconds apart, without any intervening ARP reply, it assumes that the IP in question is unoccupied. It then "creates" an ARP reply with a bogus MAC address, and fires it back to the requester. An example (from a tcpdump of LaBrea running on my network): 14:18:28.832187 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1 14:18:29.646402 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1 14:18:31.707295 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1 14:18:31.707574 ARP reply xx.xx.xx.13 is-at 0:0:f:ff:ff:ff There is no xx.xx.xx.13 machine on my network. In this case, the timeout was set to 3 seconds (its a command line parameter), and when that final "who-has" came in, the "is-at" reply that you see was generated by LaBrea. There isnt a MAC address of 0:0:f:ff:ff:ff either. It doesnt exist. But now, the router (xx.xx.xx.1) believes that there some machine at xx.xx.xx.13, and that it resides on the MAC address 0:0:f:ff:ff:ff, and so it dutifully sends packets on. In essence, weve created a "virtual machine" on that IP address. Now, LaBrea also watches for TCP traffic destined for the ether address 0:0:f:ff:ff:ff. When it sees an inbound TCP SYN packet, it replies with a SYN/ACK that "tarpits" that connection attempt. Everything else is ignored. (Well... sort of. LaBrea also tries to give its "virtual machines" some character... you can ping them, and they respond to a SYN/ACK with a RST. Theres more to it than that (obviously...) but youll need to read further. Whats New in This Release: - src/ctl.c (ctl_init_arrays): Remove call to sleep since not supposed to mix with alarm calls on linux. - src/utils.c (util_alarm), src/labrea.c: Set alarm and signal handlers after going into daemon mode so that child will get signal - src/labrea_init.c, src/lbio.c: Take out fudge code since libdnet 1.7 ethopen now uses the libdnet device names (ie eth1, etc)..
| Requirements: |
No special requirements
|
| Platforms: |
Linux |
| Keyword: |
Address, Arp, Honey Pot, Intrusion Detection, Ip, Labrea, Mac, Reply, Servers, Sticky, Syn, Using, Using Virtual, Virtual, Virtual Servers |
| Users rating: |
0/10 |
|
Windows Software
Albina Merfyn - I find this to be really easy to use. I can...
