Arbor Day revisited.

I originally planned to do an annual Arbor Day attack analysis, calling it A^4. I decided against using an alliteration as my pointless gimmick, and instead am going to use a backronym as my pointless gimmick.

So I present the inaugural ARBOR day post (albeit two weeks late).

ARBOR in this instance stands for Attack Response: Bastard Operator’s Revenge.

Bastard Operator refers to the BOFH, naturally.

For anyone unfamiliar, the BOFH (Bastard Operator from Hell) is a fictional character who takes great pleasure in making users’ lives miserable.

Here, we’ll talk about ways to make an attacker’s life miserable.

We’ll start with a neat little trick from John Strand…the Honeyport.

Basically, we take an unused port that might be of interest to someone scanning us for vulnerabilities.  Telnet (port 23) is a perfect example… you should only be using SSH anyway.  So, there is a listener waiting on port 23, and when a connection is made to that port the offending IP address is blacklisted at your firewall.  Two things to check before you turn this on: only trigger on a completed TCP connection (never on a bare SYN, which can carry a spoofed source address and be used to make you block anyone the attacker likes), and allowlist your own management addresses so one fat-fingered telnet doesn’t lock you out of your own box.  This is highly effective against threats that are specifically targeting you, but most vulnerability scans that come your way are randomly searching for any easy target.  If you blacklist them, they’ll just move on to someone else’s machine.

So how can we further annoy this attacker?  Instead of blacklisting their IP address, set up the honeyport to tarpit them!

In this situation, the attacker scans your machine’s ports and, instead of being dropped after tripping the listener, gets their time wasted.  Here’s the TCP session personified:

Attacker (A): “Can I connect to this port?”

Host Machine (H): “Sure thing!”

A: “Alright, let’s get the session started.”

H: “I’ve got some data for you, just hold on a minute.”

A: “Ok….”

A: “Hello?  Is there a problem?  Can we retry?”

H: “I’ve got some data for you, just hold on a minute.”

A: “Ok….”

A: “Seriously?  Nothing?  I’m outta here.”

*drops connection*

The tarpit only eats up a few seconds per connection, but if it happens in the midst of an automated process (like a vulnerability scan), every connection stuck waiting on us is a scanner thread or socket that isn’t doing anything else, so it has the potential to seriously tie up the attacker’s network connection.
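Here is an added example of both halves of the trick, the blacklisting honeyport described earlier and the tarpit variant just described, in one small listener.  This is my own illustration, not John Strand’s script.  Everything specific to it is an assumption: iptables as the firewall, the fake Telnet banner, the one-byte-per-interval pacing, the allowlist of addresses that must never be blocked, and the `Honeyport` class and its method names.

```python
"""Honeyport with a tarpit option (illustrative example, not the original post's code).

Any completed TCP connection to an unused port (Telnet/23 by default) is
treated as hostile.  In "blacklist" mode the source address gets a DROP
rule at the firewall (assumed: iptables) and the connection is closed.
In "tarpit" mode we instead accept the session and feed the client a fake
banner one byte at a time with a pause between bytes, so an automated
scanner sits waiting for data that never finishes arriving.
"""
import socket
import subprocess
import threading
import time

# Constructed fake Telnet banner; no real telnetd runs here.
DEFAULT_BANNER = b"\r\nWelcome to telnetd\r\nlogin: "


class Honeyport:
    def __init__(self, port=23, mode="tarpit", delay=5.0, banner=DEFAULT_BANNER,
                 allowlist=("127.0.0.1",), execute=False, sleeper=time.sleep):
        if mode not in ("blacklist", "tarpit"):
            raise ValueError("mode must be 'blacklist' or 'tarpit'")
        self.port = port
        self.mode = mode
        self.delay = delay               # seconds between dribbled bytes
        self.banner = banner
        self.allowlist = set(allowlist)  # your own hosts must never be blocked
        self.execute = execute           # False: build the rule, do not run it
        self.sleeper = sleeper           # injectable so the pacing is testable
        self.blacklisted = []            # offenders in order of first sighting
        self._lock = threading.Lock()

    @staticmethod
    def blacklist_rule(ip):
        """iptables argv that drops all further traffic from ip (assumed firewall)."""
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

    def record(self, ip):
        """Note a new offender; returns True the first time ip is seen."""
        with self._lock:
            if ip in self.blacklisted:
                return False
            self.blacklisted.append(ip)
            return True

    def tarpit(self, conn):
        """Send the banner one byte per interval, cycling forever, until the
        client hangs up (sendall raises).  Returns the number of bytes delivered."""
        sent = 0
        try:
            while True:
                for b in self.banner:
                    conn.sendall(bytes([b]))
                    sent += 1
                    self.sleeper(self.delay)
        except OSError:
            pass  # scanner gave up and dropped the connection
        finally:
            conn.close()
        return sent

    def handle(self, conn, ip):
        """One tripped connection.  conn needs sendall()/close(); a socket will do."""
        result = {"ip": ip, "rule": None, "bytes_sent": 0}
        if ip in self.allowlist:
            conn.close()
            return result
        first = self.record(ip)
        if self.mode == "blacklist":
            if first:  # one rule per offender, no duplicates on repeat hits
                result["rule"] = self.blacklist_rule(ip)
                if self.execute:
                    subprocess.run(result["rule"], check=False)
            conn.close()
        else:
            result["bytes_sent"] = self.tarpit(conn)
        return result

    def serve(self, bind="0.0.0.0"):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, self.port))
        srv.listen(64)
        while True:
            conn, (ip, _) = srv.accept()  # only a completed handshake gets here
            threading.Thread(target=self.handle, args=(conn, ip), daemon=True).start()


if __name__ == "__main__":
    # Port 23 and iptables both need root.  Turn on execute=True only with an
    # allowlist you trust, or the first scan of your own box locks you out.
    Honeyport(port=23, mode="tarpit", delay=5.0).serve()
```

Because `accept()` only returns after the three-way handshake, a spoofed SYN never reaches `handle()`, which is the property the blacklisting mode depends on.  The two modes are deliberately exclusive: a DROP rule for the attacker’s address would also kill the tarpitted session, so pick one per port.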

…and that is how we celebrate ARBOR day.
