An improved tarpit for network deception

Abstract

Networks are constantly bombarded with malicious or suspicious network traffic by attackers attempting to execute their attack operations. One of the most prevalent types of traffic observed on the network is scanning traffic from reconnaissance efforts. This thesis investigates the use of network tarpits to slow automated scanning or confuse human adversaries. We identify distinguishing tarpit signatures and shortcomings of existing tarpit applications as uncovered by Degreaser (a tarpit scanner), and implement improved features into a new tarpit application called Greasy. We conduct several experiments using a select set of metrics to measure the impact of implementing new tarpitting capabilities and other improvements in Greasy, particularly Greasy0s ability to deceive Degreaser, degree of stickiness compared to LaBrea, and potential processing overhead as observed by packet latency. Our experimental results show that we effectively mitigate the two tarpit signatures used by Degreaser0s tarpit identification heuristics. And although Greasy may not hold the stickiest connections, compared to LaBrea in persist mode, it successfully improves its tarpitting capabilities, while still evading detection. More importantly, the above results are obtained by deploying Greasy on an Internet-facing /24 subnet; this allows us to measure Greasy0s ability to interact with real-world network traffic. Furthermore, Greasy offers a modularized extensible tarpit platform for future tarpit development.Networks are constantly bombarded with malicious or suspicious network traffic by attackers attempting to execute their attack operations. One of the most prevalent types of traffic observed on the network is scanning traffic from reconnaissance efforts. This thesis investigates the use of network tarpits to slow automated scanning or confuse human adversaries. We identify distinguishing tarpit signatures and shortcomings of existing tarpit applications as uncovered by Degreaser (a tarpit scanner), and implement improved features into a new tarpit application called Greasy. We conduct several experiments using a select set of metrics to measure the impact of implementing new tarpitting capabilities and other improvements in Greasy, particularly Greasy0s ability to deceive Degreaser, degree of stickiness compared to LaBrea, and potential processing overhead as observed by packet latency. Our experimental results show that we effectively mitigate the two tarpit signatures used by Degreaser0s tarpit identification heuristics. And although Greasy may not hold the stickiest connections, compared to LaBrea in persist mode, it successfully improves its tarpitting capabilities, while still evading detection. More importantly, the above results are obtained by deploying Greasy on an Internet-facing /24 subnet; this allows us to measure Greasy0s ability to interact with real-world network traffic. Furthermore, Greasy offers a modularized extensible tarpit platform for future tarpit development.