A honeypot is software that attracts hostile activity by masquerading as a vulnerable system. While it's running, the honeypot gathers information about attackers and their techniques and patterns. Honeypots distract crackers from more valuable machines on a network, and provide early warning about attacks and exploitation trends.
LaBrea was conceived in the aftermath of the Code Red worm attack in July 2001, when software developer Tom Liston posted an idea on the INTRUSIONS list at incidents.org for a means of combatting the constant scanning of his IP addresses and ports. A port scan is a method used by crackers to determine what ports are open or in use on a system in a network. By using various tools a cracker can send data to TCP or UDP ports one at a time. Based on the response received the port scan utility determines if that port is in use. The cracker uses this information to focus his efforts to exploit weaknesses on the ports that are open.
Liston's idea got a positive response from Mihnea Stoenescu, who used a modified version of a comprehensive security program called Couic. Tom hacked Couic for his purpose and called it CodeRedneck. He further improved CodeRedneck to fake machines with fake vulnerabilities -- in essence creating the honeypot which he now called LaBrea.
LaBrea keeps a watch to see if someone is trying to find a free IP address on your network. LaBrea looks for address resolution protocol (ARP) requests without any ARP replies to see whether that IP is in use. When LaBrea sees this behavior it assumes this is a cracker port-scanning your system, and creates an ARP reply with a bogus MAC address and sends it back to the requester. This helps determine the IP address of the port scanner.
LaBrea then listens to all incoming traffic to the bogus MAC address it just created. To convince the attacker that he is talking to a real machine, LaBrea allows TCP connections. The cracker sends an SYN (synchronize) packet, which is acknowledged with a SYN/ACK (acknowledgment). You can configure LaBrea to keep track of its activity in a log file or display it on your screen.
Please note that there are legal implications in some countries for using honeypots. For instance, some countries have laws against wiretapping, and in one sense, implementing a honeypot can be seen as a serious violation of wiretapping law [why?].
Setting it up
As root, first install the libdnet RPM:
rpm -i libdnet-1.7-0.1.fc2.dag.i386.rpm
Next extract the LaBrea tarball and install it:
tar -zxvf labrea-2.5-stable-1.tar.gz cd labrea ./configure --wth-libdnet=/usr make make install
LaBrea also needs to be run as root.
LaBrea has lots of switches. Understand which ones to use for better results. For instance:
labrea -i eth1 -o -v -z
This invokes LaBrea in the verbose (
-v) mode sending all the log info to stdout (standard output) instead of syslog (
-o). To specify which interface LaBrea listens to, specify the
-i switch. The
-z option turns off nag messages that your LAN cards might not support.
Testing the setup
To test your new software, find a machine on your network and try to ping an unused local IP address. After three 'Request timed out' messages you should start getting a response. You can increase or decrease the time period that LaBrea takes to respond using the
On the machine you just set up, you'll see the IP address of the machine from which the ping originated.
Now for the real stuff. Run Nessus on a free IP address. It'll find the address as valid. On my network it reported security holes and security warnings on my unoccupied IP! Nmap showed more than 2,000 open ports and the services running on the virtual machine!
A honeypot like LaBrea is a useful security tool that complements intrusion detection systems and firewalls.
Mayank Sharma is a freelance technology writer and FLOSS migration consultant in New Delhi, India.