An Improved Tarpit for Network Deception
Naval Postgraduate School Monterey United States
Networks are constantly bombarded with malicious or suspicious network traffic by attackers attempting to execute their attack operations. One of the most prevalent types of traffic observed on the network is scanning traffic from reconnaissance efforts. This thesis investigates the use of network tarpits to slow automated scanning or confuse human adversaries. We identify distinguishing tarpit signatures and shortcomings of existing tarpit applications, as uncovered by Degreaser, a tarpit scanner, and implement improved features in a new tarpit application called Greasy. We conduct several experiments using a select set of metrics to measure the impact of implementing new tarpitting capabilities and other improvements in Greasy, particularly Greasy's ability to deceive Degreaser, its degree of stickiness compared to LaBrea, and potential processing overhead as observed by packet latency. Our experimental results show that we effectively mitigate the two tarpit signatures used by Degreaser's tarpit identification heuristics. Although Greasy may not hold the stickiest connections compared to LaBrea in persist mode, it successfully improves its tarpitting capabilities while still evading detection. More importantly, the above results are obtained by deploying Greasy on an Internet-facing /24 subnet; this allows us to measure Greasy's ability to interact with real-world network traffic. Furthermore, Greasy offers a modularized, extensible tarpit platform for future tarpit development.
- Computer Systems
- Computer Systems Management and Standards