An improved tarpit for network deception
Authors
Shing, Leslie
Subjects
network deception, improved tarpit, Greasy, Degreaser, LaBrea
Advisors
Beverly, Robert
Rohrer, Justin P.
Date of Issue
2016-03
Date
Mar-16
Publisher
Monterey, California: Naval Postgraduate School
Abstract
Networks are constantly bombarded with malicious or suspicious network traffic by attackers attempting to execute their attack operations. One of the most prevalent types of traffic observed on the network is scanning traffic from reconnaissance efforts. This thesis investigates the use of network tarpits to slow automated scanning or confuse human adversaries. We identify distinguishing tarpit signatures and shortcomings of existing tarpit applications as uncovered by Degreaser (a tarpit scanner), and implement improved features into a new tarpit application called Greasy. We conduct several experiments using a select set of metrics to measure the impact of implementing new tarpitting capabilities and other improvements in Greasy, particularly Greasy's ability to deceive Degreaser, degree of stickiness compared to LaBrea, and potential processing overhead as observed by packet latency. Our experimental results show that we effectively mitigate the two tarpit signatures used by Degreaser's tarpit identification heuristics. And although Greasy may not hold the stickiest connections, compared to LaBrea in persist mode, it successfully improves its tarpitting capabilities, while still evading detection. More importantly, the above results are obtained by deploying Greasy on an Internet-facing /24 subnet; this allows us to measure Greasy's ability to interact with real-world network traffic. Furthermore, Greasy offers a modularized extensible tarpit platform for future tarpit development.
Type
Thesis
Department
Computer Science
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
Copyright is reserved by the copyright owner.