'Decoy nets' gain backers in battle against hackers

ORLANDO -- As hackers obtain ever more dangerous and easy-to-use tools, they are being countered by novel defense strategies. Witness the experimental idea of setting up a decoy network separate from your real one to fool intruders as they try to fool you.

This so-called deception network is envisioned as more than just a single server set up to be a "honey pot," where hackers may break in, find a dead end and have their activities recorded with an eye toward prosecution. Rather, the decoy net is an entire fake network, complete with host computers on a LAN with simulated traffic, to convince hackers for as long as possible that it's real.

Experts debate whether such networks will be worth the effort, but acknowledge that they might slow hackers long enough to sort the curious from the truly destructive.

A group calling itself The Honeynet Project has quietly begun testing decoy networks on the Internet and soon plans to publish a paper on how to build one.

According to Ed Skoudis, chief security strategist at Predictive Systems Inc. in New York, the idea is the brainchild of Sun Microsystems Inc. security consultant Lance Spitzner. "We set up honey pots to watch hacker activity," says Skoudis, who participates in the invitation-only group and spoke about new hacker tools and defenses at last week's InfoSec show.

The Honeynet Project isn't intended to prosecute intruders who haplessly wander into its elaborate decoys, but to study hacker responses in depth to devise the best decoy defenses. There are only a few commercial honey pot-style products on the market, including CyberCop Sting from Network Associates Inc. in Santa Clara, Calif., and ManTrap from Recourse Technologies Inc. in Palo Alto, Calif.

Other decoy networks do slow intruders with an eye toward collecting evidence to prosecute them, says Rusty Miller, an executive at Veridian Information Systems.

"To collect evidence, you need to divert the hacker to a deception network," says Miller, who claims to have built deception networks for secretive government agencies. He says the idea is to feed back information about what hackers do to a "deception central" for network administrators. "The time the hackers are dealing with a deception environment is time they're not in your network," he says.

It is possible to create a deception network that has the same IP network address as your real network, Miller says. He acknowledges deception networks carry obvious administrative burdens, such as the need to generate realistic traffic to fool a hacker and maintain a network no one really uses. He notes the risk that administrators will lose track of what's real and what's not.

These deception techniques have doubters. Steve Manzuik, security analyst at BindView Development Corp. in Houston, says he appreciates the work being done by The Honeynet Project and would like to contribute, but he remains skeptical.

"It's not clear yet you can fool a lot of people with this deterrent," he says.

Meanwhile, hackers continue to learn new tricks.

The past year has seen the emergence of a new breed of distributed port scanners and sniffers that make it easier for attackers to hide their intent, Skoudis says.

There's now a kernel-level root kit for Linux, called Knark, which when installed by hackers changes the operating system to hide files and present false information to administrators. And another new one, called Dsniff, can be used to capture traffic on Ethernet switches and inject traffic into a network to redirect traffic to the attacker's machine, the so-called "man-in-the-middle" attack.

"It's pretty nasty stuff," Skoudis says. "For very sensitive networks, you may want to activate port-level security on your switches."
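The switch-level redirection described above works by feeding hosts forged address-resolution (ARP) replies so that traffic for the gateway or a neighbour flows through the attacker's machine. A defender's counterpart, added here as an example that is not from the article or from any tool it names, is to watch ARP replies for an IP address that is suddenly claimed by a second hardware address; the sample replies are constructed, and the IP and MAC values are assumptions.

```python
# Added example: flag ARP-cache poisoning of the kind used to redirect
# switched-Ethernet traffic, by tracking which hardware (MAC) address
# claims each IP address in observed ARP replies.
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, sender_ip, sender_mac).
# The last two entries show the gateway 10.0.0.1 and host 10.0.0.20 both
# being claimed by a new MAC, the classic man-in-the-middle pattern.
SAMPLE_ARP_REPLIES = [
    ("09:00:01", "10.0.0.1", "00:0c:29:aa:bb:01"),
    ("09:00:02", "10.0.0.20", "00:0c:29:aa:bb:20"),
    ("09:00:03", "10.0.0.1", "00:0c:29:aa:bb:01"),
    ("09:05:10", "10.0.0.1", "00:50:56:de:ad:99"),
    ("09:05:11", "10.0.0.20", "00:50:56:de:ad:99"),
]


def detect_arp_conflicts(replies):
    """Return one alert per ARP reply whose sender IP was already bound to a
    different MAC. The first binding seen for each IP is trusted; in practice
    it should come from a known-good baseline such as a DHCP lease table."""
    bindings = {}  # ip -> first MAC seen for that ip
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append({"time": ts, "ip": ip, "expected": known, "seen": mac})
    return alerts


def suspect_macs(replies, threshold=2):
    """Return MACs that take over `threshold` or more IPs previously bound to
    other MACs; one machine impersonating both the gateway and a victim is
    the signature of traffic being funnelled through an interceptor."""
    claimed = defaultdict(set)
    for alert in detect_arp_conflicts(replies):
        claimed[alert["seen"]].add(alert["ip"])
    return sorted(mac for mac, ips in claimed.items() if len(ips) >= threshold)


if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"{a['time']} ARP conflict: {a['ip']} moved from {a['expected']} to {a['seen']}")
    print("suspect MACs:", suspect_macs(SAMPLE_ARP_REPLIES))
```

A MAC that takes over several IPs within seconds is the signal that port-level security on the switch, as Skoudis suggests, would have blocked at the source.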

Many tools that let hackers carry out surveillance are now Web-based, according to David Rhoades, director of systems engineering at Sweden-based AppGate AB, who also spoke at the conference. "Why Web-based? It's easy. No complicated downloads or zip files. They can hack from anywhere, and it's anonymous."

While a talented few among hackers actually make attack tools, many of these tools today are freeware.

And they're posted on dozens of techie sites, not the secret underground.

BindView's Manzuik says his firm late last year developed a tool to test for the so-called Naptha denial-of-service attack affecting at least seven major operating systems.

The tool, which involves launching an attack to determine operating system weakness, was given solely to vendors but somehow ended up posted in the Packet Storm Web site's repository of hacker tools.

In the wrong hands, "this tool is dangerous," Manzuik says. "But that version isn't as dangerous as other versions that will be released."

Copyright © 2001 IDG Communications, Inc.