News from PANUG - September 21, 2001
http://panug.org

FRONTPAGE LIMITATIONS

Here's a snippet from Page 2 of the Microsoft User License for FrontPage:

    You may not use the Software in connection with any site that disparages Microsoft, MSN, MSNBC, Expedia or their products or services, ...

http://www.tss.northwestern.edu/select/mspur.pdf

Say goodbye to freedom of speech. Good thing that Microsoft is not running or influencing our government.

HONEY POTS
by Ed Sawicki

At last night's meeting, the issue of honey pots came up briefly. Coincidentally, an intriguing new breed of honey pot, called LaBrea, was released yesterday. But first, some words about honey pots for those of you who were not at the meeting.

A honey pot is a computer that appears to be an innocent victim but is instead there to provide a deliberate target for attackers. Honey pots were originally used by researchers who wanted to study how attackers broke into computer systems. They are now also used by network administrators and security-oriented people to help protect the other computers in a network by appearing to be a more provocative or easier target. Honey pots often have TCP and UDP ports open that attackers have experience breaking into, such as FTP, telnet, and the NetBIOS ports. Some honey pots make the attacker believe that he or she has really broken in, but log their actions. The benefit is that while the attackers are busy focusing their efforts on the honey pot, you can spend your time studying what they do so you can better protect your real systems.

But now there's LaBrea - something different, and not a honey pot by the conventional definition. LaBrea, like the famous tar pits of the same name, is designed to trap attackers by holding on to their TCP connections. LaBrea is not intended to trap human attackers - someone running telnet, for example, and trying to break into your system. Its goal is to trap programs, like port scanners and infected IIS servers, that are probing the IP address space searching for victims. The idea is to hold on and not let go, so the attacker can't move on to its next target.

LaBrea uses techniques related to TCP three-way handshaking. During the handshake process, LaBrea essentially stalls for time - telling the remote host "please wait, I'll get back to you shortly". Just before the remote host is about to lose its patience, LaBrea responds with another "please wait" packet. This can continue endlessly because most TCP/IP stacks are not that smart.

This reminds me of the joke where you give people a piece of paper with the words "please see other side" written on both sides. If they turn the piece of paper over more than once, you get an idea of the level of intelligence you're facing. Most TCP/IP stacks will turn the paper over forever. Note that Linux users can tweak many TCP and IP parameters to adjust, for example, timeouts. Windows does not give the same degree of control.

This technique works using surprisingly little bandwidth. The author of LaBrea says that it would take only 1000 computers running LaBrea to capture and hold all the currently infected IIS servers. LaBrea is supplied in source code form and can run on Unix systems such as Linux.

http://www.incidents.org/LaBrea/

WINDOWS XP RAW SOCKETS
by Ed Sawicki

Putting my vendor hat on and shamelessly plugging my own company: when Windows XP is released with its raw sockets "feature", we'll be in for a barrage of attacks that will make these IIS attacks pale in comparison. This is because raw sockets allow programmers to bypass TCP and UDP and access IP directly. They'll be able to manufacture any packet type they wish. The possibilities for attack are vast. It's possible and likely that attackers will think of attack scenarios that commercial firewall vendors or your in-house security staff have not yet envisioned.

In situations like this, Linux is a powerful tool because it allows you to cobble together solutions quickly - as long as you know how. If you need help with your cobbling, give me a call - 503-635-6370.
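To make the "please wait" exchange from the LaBrea section above concrete, here is an added simulation of one trapped connection; it is not LaBrea's own code. It assumes the hold works by completing the handshake and then advertising a TCP receive window of zero so that the peer's persist timer keeps probing forever; the addresses, sequence numbers, 3-second initial timeout and 60-second probe cap are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_BYTES = 40  # 20-byte IPv4 header + 20-byte TCP header, no payload


@dataclass
class Segment:
    src: str
    dst: str
    flags: str        # "SYN", "SYN-ACK", "ACK" or "PSH-ACK"
    seq: int
    ack: int
    window: int       # receive window the sender advertises
    payload: int = 0  # bytes of data carried


def tarpit_reply(seg: Segment, trap_seq: int = 1000) -> Optional[Segment]:
    """Tarpit side: complete the handshake, then answer every later segment
    with a zero-window ACK whose ack number never moves past the peer's data."""
    if seg.flags == "SYN":
        # Handshake step 2. A tiny window invites the peer to send data.
        return Segment(seg.dst, seg.src, "SYN-ACK", trap_seq, seg.seq + 1, window=10)
    if "ACK" in seg.flags:
        # Window 0 is the "please wait": the peer must keep its data queued
        # and keep probing instead of moving on to the next address.
        return Segment(seg.dst, seg.src, "ACK", trap_seq + 1, seg.seq, window=0)
    return None  # anything else (e.g. RST) is ignored


def simulate_hold(hold_seconds: float, rto: float = 3.0,
                  max_persist: float = 60.0) -> Tuple[int, int]:
    """Peer side: a stack that honours the persist timer probes the zero
    window after rto seconds, doubling the wait up to max_persist, for as
    long as the tarpit keeps answering. Returns (packets, bytes) the tarpit
    spent to hold one connection for hold_seconds."""
    scanner, trap = "198.51.100.7", "203.0.113.9"  # constructed addresses
    log: List[Tuple[float, Segment, Optional[Segment]]] = []
    for seg in (Segment(scanner, trap, "SYN", 500, 0, 65535),
                Segment(scanner, trap, "ACK", 501, 1001, 65535),
                Segment(scanner, trap, "PSH-ACK", 501, 1001, 65535, payload=10)):
        log.append((0.0, seg, tarpit_reply(seg)))
    t, wait = 0.0, rto
    while t + wait <= hold_seconds:
        t += wait  # peer's persist timer fires: one-byte window probe
        probe = Segment(scanner, trap, "ACK", 501, 1001, 65535, payload=1)
        log.append((t, probe, tarpit_reply(probe)))
        wait = min(wait * 2, max_persist)  # exponential backoff, capped
    replies = sum(1 for _, _, r in log if r is not None)
    return replies, replies * HEADER_BYTES
```

Under these assumptions, holding one scanner for an hour costs the tarpit 66 empty packets, about 2.6 KB, or under 6 bits per second, which is the arithmetic behind the "surprisingly little bandwidth" claim.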