Fred Cohen's The Deception ToolKit (fwd)
From comp.risks digest 19.62
> ------- Start of forwarded message -------
> Date: Mon, 9 Mar 1998 05:52:28 -0800 (PST)
> From: Fred Cohen <[email protected]>
> Subject: The Deception ToolKit
>
> I would like to announce and introduce a new security tool available for free
> from over the Internet - The Deception ToolKit - available from http://all.net/
>
> The Deception ToolKit (DTK) is a toolkit designed to give defenders a couple
> of orders of magnitude advantage over attackers.
>
> The basic idea is not new. We use deception to counter attacks. In the case
> of DTK, the deception is intended to make it appear to attackers as if the
> system running DTK has a large number of widely known vulnerabilities. DTK's
> deception is programmable, but it is typically limited to producing output
> in response to attacker input in such a way as to simulate the behavior of a
> system which is vulnerable to the attacker's method. This has a few
> interesting side effects:
>
> It increases the attacker's workload because they can't easily tell
> which of their attack attempts work and which fail. For example, if
> an attack produces what appears to be a Unix password file, the
> attacker would normally run "Crack" to try to break into the system.
> But if the password file is a fake, it consumes the attacker's time and
> effort to no result.
>
> It allows us to track attacker attempts at entry and respond before
> they come across a vulnerability we are susceptible to. For example,
> when the attacker tries to use a known Sendmail attack against our
> site, we record all of their entries to track their techniques. With
> this deception in place, we have no problem picking up port scans,
> password guessing, and all manner of other attack attempts as they happen.
>
> It sours the milk - so to speak. If one person uses DTK, they can see
> attacks coming well ahead of time. If a few others start using it, we
> will probably exhaust the attackers and they will go somewhere else to
> run their attacks. If a lot of people use DTK, the attackers will find
> that they need to spend 100 times the effort to break into systems and
> that they have a high risk of detection well before their attempts succeed.
>
> If enough people adopt DTK and work together to keep its deceptions
> up to date, we will eliminate all but the most sophisticated
> attackers, and all the copy-cat attacks will be detected soon after
> they are released to the wide hacking community. This will not only
> sour the milk, it will also up the ante for would-be copy-cat
> attackers and, as a side effect, reduce the "noise" level of attacks to
> allow us to more clearly see the more serious attackers and track them down.
>
> If DTK becomes very widespread, one of DTK's key deceptions will
> become very effective. This deception is port 507 - which we have
> staked a claim for as the deception port. Port 507 indicates whether
> the machine you are attempting to connect to is running a deception
> defense. Naturally, attackers who wish to avoid deceptive defenses
> will check there first, and eventually, simply running the deceptive
> defense notifier will be adequate to eliminate many of the attackers.
> Of course some of us defenders will not turn on the deception
> announcement message so we can track new attack attempts by those who
> avoid deceptive defenses, so... the attacker's level of uncertainty
> rises, and the information world becomes a safer place to work.
>
> Your positive and helpful comments are appreciated. FC
>
> Fred Cohen & Associates: http://all.net - [email protected] - tel/fax:510-454-0171
> ------- End of forwarded message -------
David W. Crawford <[email protected]>
Los Gatos, CA <[email protected]>
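As an added illustration of the mechanism the forwarded message describes (this is not code from DTK or from Fred Cohen): a minimal Python deception listener that answers a fake SMTP service with scripted replies, records every line a client sends so scans and guesses are visible as they happen, and serves the port 507 deception announcement. The banner strings, the reply table and the choice of port 25 for the fake service are constructed assumptions.

```python
import socketserver
import time

# Constructed deception table (an illustration, not DTK's own script format):
# port -> banner sent on connect, scripted replies keyed by command word, and a
# default reply for anything else.  507 is the deception port the message
# stakes a claim to; its banner simply announces that a deception is running.
DECEPTIONS = {
    25: {
        "banner": b"220 mail.example.invalid ESMTP ready\r\n",
        "replies": {b"HELO": b"250 Hello\r\n", b"EHLO": b"250 Hello\r\n",
                    b"MAIL": b"250 OK\r\n", b"RCPT": b"250 OK\r\n",
                    b"DATA": b"354 End data with <CR><LF>.<CR><LF>\r\n",
                    b"QUIT": b"221 Bye\r\n"},
        "default": b"500 Command unrecognized\r\n",
    },
    507: {"banner": b"deception defense active\r\n", "replies": {}, "default": b""},
}

EVENTS = []  # every line a client sends, kept for later analysis


def respond(port, line):
    """Pick the scripted reply for one client line; unknown ports get nothing."""
    spec = DECEPTIONS.get(port)
    if spec is None:
        return b""
    cmd = line.strip().split(b" ", 1)[0].upper()
    return spec["replies"].get(cmd, spec["default"])


def record(port, peer, line):
    """Log the attempt: timestamp, port probed, peer address and raw input."""
    event = {"ts": time.time(), "port": port, "peer": peer, "input": line}
    EVENTS.append(event)
    return event


class DeceptionHandler(socketserver.StreamRequestHandler):
    def handle(self):
        port = self.server.server_address[1]  # bind only to ports in DECEPTIONS
        self.wfile.write(DECEPTIONS[port]["banner"])
        for line in self.rfile:  # one client command per line
            record(port, self.client_address[0], line)
            reply = respond(port, line)
            if reply:
                self.wfile.write(reply)
            if line.strip().upper().startswith(b"QUIT"):
                break
```

To run one listener, start `socketserver.ThreadingTCPServer(("", 507), DeceptionHandler).serve_forever()` (one server per port in the table); `EVENTS` then holds every probe for review.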