Network Intrusion Detection - PowerPoint PPT Presentation

Slides: 9
Provided by: CISE6
Transcript and Presenter's Notes

1
Network Intrusion Detection
  • Against Internet Worms

2
LaBrea Tarpit Version 1
  • Goal
  • anti-scanning by confusing the scanner
  • anti-worm by consuming the attacker's resources
  • Approach
  • Suppose a SYN is destined for a non-existing
    host. The local router uses ARP to find the MAC
    address. LaBrea waits for 3 seconds and replies
    with a forged MAC address. The local router
    forwards the SYN to LaBrea, which replies with
    SYN-ACK. (anti-scanning)
  • The infected host (attacker) then sends ACK and
    the attack traffic, to which LaBrea does not
    respond. The infected host has to retry until
    it times out. (consuming resources)

3
LaBrea
4
LaBrea
5
LaBrea Version 2
  • Instead of letting the infected host time out its
    retransmissions, LaBrea V2 sends a segment with
    window size zero, which causes the infected host
    to keep the connection open indefinitely.
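
The V1 and V2 behaviour from the LaBrea slides, modeled as a small state machine. This is an added example, not part of the original presentation and not LaBrea's own code. The event tuples, addresses and forged MAC value are constructed, and the tarpit is assumed to answer the first ARP request it sees 3 seconds or more after the first unanswered one.

```python
ARP_WAIT = 3.0                     # seconds, the delay given on the slide
FORGED_MAC = "02:00:00:00:00:01"   # constructed placeholder value

class Tarpit:
    def __init__(self, version):
        self.version = version     # 1 or 2, as in the slides
        self.pending = {}          # ip -> time of first unanswered ARP request
        self.captured = set()      # unused IPs the tarpit now answers for

    def handle(self, t, kind, *args):
        out = []
        if kind == "arp_request":
            ip = args[0]
            first = self.pending.setdefault(ip, t)
            if ip in self.captured or t - first >= ARP_WAIT:
                self.captured.add(ip)
                out.append(("arp_reply", ip, FORGED_MAC))
        elif kind == "arp_reply":
            # A real host answered: the address is in use, never claim it.
            self.pending.pop(args[0], None)
            self.captured.discard(args[0])
        elif kind == "tcp":
            src, dst, flags = args
            if dst in self.captured:
                if flags == "SYN":
                    out.append(("tcp", dst, src, "SYN-ACK"))  # V1 then stays silent
                elif flags == "DATA" and self.version == 2:
                    # V2: a zero window keeps the sender's connection open.
                    out.append(("tcp", dst, src, "ACK win=0"))
        return out

def run(version, events):
    pit = Tarpit(version)
    return [(t, r) for t, kind, *args in events for r in pit.handle(t, kind, *args)]

SCANNER = "198.51.100.7"           # constructed (documentation address range)
EVENTS = [                         # constructed trace: (time, kind, fields...)
    (0.0, "arp_request", "10.0.0.5"),
    (0.1, "arp_reply", "10.0.0.5"),            # live host answers
    (1.0, "arp_request", "10.0.0.9"),          # unused address, no answer
    (4.0, "arp_request", "10.0.0.9"),          # 3 s elapsed: tarpit claims it
    (4.1, "tcp", SCANNER, "10.0.0.9", "SYN"),
    (4.3, "tcp", SCANNER, "10.0.0.9", "DATA"),
    (5.0, "tcp", SCANNER, "10.0.0.5", "SYN"),  # real host: tarpit stays out
    (7.3, "tcp", SCANNER, "10.0.0.9", "DATA"), # retransmission
]

if __name__ == "__main__":
    print(run(1, EVENTS), run(2, EVENTS), sep="\n")
```

In the V1 run the retransmitted data gets no answer at all, while the V2 run answers each data segment with a zero-window ACK.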

6
LaBrea Version 2
7
Double-Honeypot System
Automatically separate attack traffic from the
background of normal traffic
8
Detect before Being Compromised
  • N: size of local address space
  • h: number of publicly-accessible servers
    on a particular port
  • (N-h)/N: probability of compromising a honeypot
    first
  • h/N: probability of compromising a server
    first
  • (N-h)/h: ratio
  • When N >> h, it is almost certain that
    a honeypot will be compromised first.