LaBrea, created by Tom Liston, is famous for introducing the concept of a tarpit. A tarpit is a service that tries to slow down spammers and maybe even worms by making TCP connections either very slow or by completely stalling their progress. We will discuss the interaction of honeypots and worms in more detail later, but for now it is enough to understand that more sophisticated worms cannot be slowed down by tarpits. However, tarpits work very well against simple worms that operate sequentially.
Before we explain how to get started with LaBrea, we give a brief overview of its functionality. When you run LaBrea on your network, it discovers unused IP addresses and starts answering connections to them. Once a connection has been established, LaBrea tries to hold on to the sender as long as possible. It does that by employing tricks in the TCP protocol to bring an established connection into a state where it can no longer make any progress. The reason for stalling connections is really simple. Each connection that a spammer needs to maintain on her server reduces available resources to send spam to real machines.
To detect if an IP address is available, LaBrea utilizes ARP. Whenever a router tries to deliver a packet to an IP address, it first needs to find the corresponding MAC address. If there is no host listening to the IP address, the ARPs do not get answered:
17:21:18.439376 arp who-has 192.168.1.121 tell 192.168.1.5
17:21:19.439571 arp who-has 192.168.1.121 tell 192.168.1.5
17:21:20.439765 arp who-has 192.168.1.121 tell 192.168.1.5
17:21:21.439998 arp who-has 192.168.1.121 tell 192.168.1.5
Enter LaBrea! Because ARPs get broadcast onto the whole network, LaBrea monitors the ARP requests from the router and sends its own answer if no hosts on the network respond to the IP address 192.168.1.121.
17:22:22.346430 arp reply 192.168.1.121 is-at 00:3c:2f:1e:52:6a
Now that the router has received a MAC address, it is happy to send this packet and all subsequent ones to our LaBrea host. For this to work, there is one remaining problem that needs to be solved. When a host is rebooted, it might use an IP address that was already taken over by LaBrea. Fortunately, rebooted hosts send a gratuitous ARP that informs everybody on the network about the new IP-address-to-MAC-address binding. LaBrea relinquishes the IP address in those cases.[2]
[2] By spoofing gratuitous ARPs for all IP addresses on a network, it's possible to prevent LaBrea from intercepting any traffic. However, it might also really mess up your network.
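As an added illustration (not LaBrea's own code), the following Python model replays the ARP exchange just described: a who-has that stays unanswered for the ARP timeout (3 seconds, LaBrea's -r default) makes the watcher claim the address, a reply from a real host cancels the pending claim, and a gratuitous ARP releases a captured address unless hard capture is on. The event list, the timeout bookkeeping and the hard_capture and excluded settings are assumptions of this model; the MAC address is the one from the trace above.

```python
# Added example (not LaBrea's own code): a simplified model of how LaBrea decides,
# from ARP traffic alone, which addresses are free to claim and when to give them back.
from dataclasses import dataclass, field

ARP_TIMEOUT = 3.0  # seconds a who-has may go unanswered before the IP counts as unused (-r default)
LABREA_MAC = "00:3c:2f:1e:52:6a"  # MAC from the trace above, used in the spoofed reply

@dataclass
class ArpWatcher:
    timeout: float = ARP_TIMEOUT
    hard_capture: bool = False                   # -h: never give a captured address back
    excluded: set = field(default_factory=set)   # IPs from 'exclude' lines in labrea.conf
    pending: dict = field(default_factory=dict)  # ip -> time of the first unanswered who-has
    captured: set = field(default_factory=set)

    def handle(self, ts, kind, ip):
        """Process one ARP event (ts in seconds); return LaBrea's action or None."""
        if kind == "who-has":
            if ip in self.excluded:
                return None
            if ip in self.captured:
                return f"reply {ip} is-at {LABREA_MAC}"
            first = self.pending.setdefault(ip, ts)
            if ts - first >= self.timeout:       # nobody answered for the whole timeout
                self.captured.add(ip)
                del self.pending[ip]
                return f"reply {ip} is-at {LABREA_MAC}"
            return None
        if kind == "is-at":
            # A real host answered, or a rebooted host announced itself with a gratuitous ARP.
            self.pending.pop(ip, None)
            if ip in self.captured and not self.hard_capture:
                self.captured.discard(ip)
                return f"release {ip}"
            return None
        raise ValueError(f"unknown ARP event kind: {kind}")

def run_trace(events, **kwargs):
    """Feed (ts, kind, ip) events to a fresh watcher and collect its non-empty actions."""
    watcher = ArpWatcher(**kwargs)
    return [a for a in (watcher.handle(*e) for e in events) if a]

# Constructed trace: four unanswered who-has for .121 one second apart (as in the tcpdump
# output above), a live host .50 answering for itself, and .121 returning from a reboot.
SAMPLE_EVENTS = [
    (18.0, "who-has", "192.168.1.121"), (19.0, "who-has", "192.168.1.121"),
    (20.0, "who-has", "192.168.1.121"), (21.0, "who-has", "192.168.1.121"),
    (30.0, "who-has", "192.168.1.50"), (30.1, "is-at", "192.168.1.50"),
    (60.0, "is-at", "192.168.1.121"), (61.0, "who-has", "192.168.1.121"),
]
```

Running run_trace(SAMPLE_EVENTS) yields one spoofed reply for .121 at the fourth request and a release when the gratuitous ARP arrives; with hard_capture=True the release never happens and the later who-has is answered again.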
At this point, LaBrea will receive TCP connection attempts for all unused IP addresses on a network. When it receives a SYN packet, it will establish a connection by completing the TCP three-way handshake and then stall the connection. LaBrea supports two different ways of slowing down a connection:
Throttling: LaBrea accepts new connections but advertises a very small receiver window. The receiver window instructs the sender to not send more data per packet than the window allows. When throttling, connections still make progress, albeit slowly.
Persistent capture: LaBrea advertises a TCP receiver window size of 0 and instructs the sender to wait before sending more data. Periodically, the sender comes back and sends window probe packets to determine if the window has opened up again. This state can persist indefinitely.
When a spammer tries to send e-mail via a LaBrea honeypot, the SMTP transaction will make no or only little progress. A dumb spammer will keep the connection open and waste network resources. Eventually, the spammer may go away once he notices that no progress can be made when talking to LaBrea.
Before you can experiment with LaBrea and try its various features, it needs to be installed on your computer. LaBrea should run fine on operating systems like Linux or FreeBSD. If you are running a system with a binary package manager like Debian, you can simply install the LaBrea package as root with:
$ apt-get install labrea
On the other hand, if you would like to run the latest version, you can always get the source code and compile it yourself. The following steps will get you up and running:
1. Make sure that you have all dependencies installed. LaBrea requires libdnet and libpcap. You can download the latest version of libdnet from libdnet.sourceforge.net/, and libpcap can be downloaded from www.tcpdump.org/.
2. Extract the source packages with tar -xzf <package>.tar.gz.[3]
3. For each package, enter the package directory and then execute ./configure, make, and sudo make install.
4. Find and download the latest release of LaBrea from labrea.sourceforge.net; if you have gpg installed, you should also download the digital signature and verify the integrity of the package.
5. Extract LaBrea with tar -xzf labrea-<version>.tar.gz.
6. Configure the package by entering the source directory and executing ./configure.
7. Compile the binary with make and then install it with sudo make install. If you do not have sudo installed, then execute the command after becoming root.
The binary should now be installed.
If everything went all right, LaBrea should now be up and running. Figure 3.1 shows an example run. We tell it to run in the foreground and provide plenty of debug output. One word of caution: If you do not specify a configuration file that excludes the IP address ranges handed out by your DHCP server, LaBrea might take over all of your DHCP address space and could prevent regular users from using your network.
$ sudo labrea -v -i eth0 -sz -d -n 192.168.1.128/25
Sun Feb 26 17:49:20 2006 User specified capture subnet / mask: 192.168.1.128/25
Sun Feb 26 17:49:20 2006 LaBrea will attempt to capture unused IPs.
Sun Feb 26 17:49:20 2006 Full internal BPF filter: arp or (ip and ether dst host 00:00:0F:FF:FF:FF)
Sun Feb 26 17:49:20 2006 LaBrea will log to syslog
Sun Feb 26 17:49:20 2006 Logging will be verbose.
Sun Feb 26 17:49:20 2006 Initiated on interface: eth0
Sun Feb 26 17:49:20 2006 Host system IP addr: 192.168.1.6, MAC addr: 00:1a:3c:be:78:2c
Sun Feb 26 17:49:20 2006 ...Processing configuration file
Sun Feb 26 17:49:20 2006 ... End of configuration file processing
Sun Feb 26 17:49:20 2006 Network number: 192.168.1.128
Sun Feb 26 17:49:20 2006 Netmask: 255.255.255.128
Sun Feb 26 17:49:20 2006 Number of addresses LaBrea will watch for ARPs: 127
Sun Feb 26 17:49:20 2006 Range: 192.168.1.128 - 192.168.1.255
Sun Feb 26 17:49:20 2006 Throttle size set to WIN 10
Sun Feb 26 17:49:20 2006 Rate (-r) set to 3
Fine-tuning the behavior of LaBrea takes a little bit of work. LaBrea understands the following command-line options. We explain the parameters in detail here and provide some practical examples later on.
-t (--throttle-size) datasize: Sets the advertised TCP receiver window size. The default is 10. This is the number of bytes that a remote machine is allowed to send at once. Usually, 1460 bytes of data can be transmitted in a single packet. If set to 10, the sender has to send 146 packets instead. In persist mode, the default window size is limited to 3 and affects only the sender's first packet.
-p (--max-rate) datarate: Enters persist mode, in which connections are permanently captured. This can cause a lot of your bandwidth to be used. To prevent LaBrea from using too much bandwidth, you can specify a maximum data rate in kilobytes per second. If LaBrea exceeds the bandwidth limit, connections will still be established but not captured indefinitely. In that case, the sender will retransmit the initial data packet, not receive any replies from LaBrea, and eventually time out.
-b (--log-bandwidth): This option requests that LaBrea log the bandwidth consumed by persist mode. Bandwidth information is logged once per minute.
-P (--persist-mode-only): Only captures connections by putting them into persist mode. When LaBrea goes over the bandwidth limit, it does not accept any new connections; that is, new SYN packets are ignored. Use this option when staying within the bandwidth limit is important.
-r (--arp-timeout) seconds: Specifies the number of seconds that LaBrea waits before it decides that an IP address is not in use. The default wait time is 3 seconds. This mode assumes that you operate on an unswitched network, which is very rare these days.
labrea [-qsXxhRHbPaflvoOV] [-i interface] [-F filename] [-m mask] [-n network] [-I myipaddress] [-E mymacaddress] [-t throttlesize] [-r seconds] [-p maxrate] <pcap filter>
-s (--switch-safe): You need to specify this option for most modern networks, which segment the Ethernet with switches. On a switched network LaBrea is not able to see all ARP replies. In safe mode, LaBrea detects whether an IP address is unused by issuing its own ARP requests.
-T (--dry-run): Enters a test mode in which a lot of diagnostic information is provided but no IP addresses are captured. If you have trouble running LaBrea, this option provides useful feedback.
-l (--log-to-syslog): This is the default behavior on UNIX-like systems and causes all log messages to be sent to the syslog facility.
-o (--log-to-stdout): As the name implies, this option sends log messages to stdout. It also implies that the process stays in the foreground and does not detach.
-v (--verbose): Turns on verbose mode. You will see debug messages for all IPs that have been put into persist mode or stuck in a tarpit. You can generate more verbose messages by specifying the flag twice.
-X (--exclude-resolvable-ips): Detects which IP addresses on the monitored network have reverse DNS entries and excludes them from capture. A reverse DNS entry is a strong indicator that the IP address is used by another machine. Enabling -X increases the chance that LaBrea does not affect your network negatively.
-a (--no-resp-synack): Usually, LaBrea replies with a TCP RST segment when it sees SYN|ACK packets. When this option is enabled, those packets are ignored silently. An unsolicited SYN|ACK usually indicates that someone else is spoofing your IP address for a distributed denial-of-service attack; by sending back a RST segment, LaBrea adds to the attack. We recommend using -a to drop SYN|ACK packets silently.
-f (--no-resp-excluded-ports): LaBrea usually responds with a TCP RST to closed ports. This option drops traffic to these ports, simulating the behavior of a firewall. Such ports show up as filtered during an Nmap scan. This option is off by default. Turning it on may frustrate port scanning attempts because it takes longer to gather results on open and closed ports. We recommend turning on this option.
-x (--disable-capture): Instructs LaBrea not to capture any IP addresses via ARP tricks. It is still possible to get traffic to LaBrea by using the arp command to specify IP-to-MAC address mappings by hand.
-h (--hard-capture): Once LaBrea detects that an IP address is unused, the hard-capture option instructs it to never release the IP address. This causes LaBrea to answer all ARP requests for previously captured IP addresses. Use this with great caution. This option has the potential to make your DHCP server run out of address space.
-H (--auto-hard-capture): This automatically captures all IP addresses that have not been specifically excluded. You have to know what you are doing when you specify this option. If used incorrectly, it could disrupt your whole network.
--no-arp-sweep: This option suppresses the initial ARP scan of the configured network. Use it only if you are sure that there are no legitimate machines on the network or if you are concerned about generating excessive ARP traffic. LaBrea already puts some limits on the number of ARPs that it sends.
--init-file filename: Specifies the location of LaBrea's configuration file. By default, LaBrea looks for /usr/local/etc/labrea.conf on Unix systems and for LaBrea.cfg on Windows.
-i (--device) interface: If your machine has multiple network interfaces, you can select the interface on which to take over IP addresses. LaBrea usually selects the correct interface for you automatically. However, in more complicated setups, your machine may be connected to multiple networks at once.
-F (--bpf-file) filename: Specifies a file from which LaBrea should read the pcap filter instructions. The filter determines which packets are received and acted upon. Each line of the file should consist of a simple statement like host 192.168.3.10 and port 80. LaBrea concatenates all lines internally and presents them as a single filter to the pcap library.
-I (--my-ip-addr) octet.octet.octet.octet and -E (--my-mac-addr) xx:xx:xx:xx:xx:xx: These options are required on older systems that do not allow LaBrea to discover this information itself.
-n (--network) octet.octet.octet.octet[/size]: Use this option if LaBrea is not able to discover network information from the interface or if you want to artificially reduce the size of the network that it listens to. The IP address is the address of the network, and the size specifies how many addresses belong to it. If the size parameter is omitted, -m (--mask) octet.octet.octet.octet specifies the network mask corresponding to the IP that you provided via -n.
These are the most important options, but LaBrea supports others. If you want to find out more, consult LaBrea's documentation or FAQ. The command-line options do not allow you to configure all aspects of LaBrea. You also need to know about its configuration file. The format of the configuration file is very simple. Each line contains two tokens. The first is either an IP address or a port number, followed by one of these directives:
exclude: Prevents an IP address from being captured. You may want to add the IP addresses of important servers on your network to the exclude list of LaBrea. Although LaBrea has many mechanisms in place so it does not accidentally capture a live IP address, the exclude option gives you even more protection.
hardexclude: This option works only if you have started LaBrea with -h. It prevents an IP address on your network from being hard captured. This implies that LaBrea can only recapture an IP address specified here after the ARP timeout has been reached.
ipignore: This option applies to local and remote IP addresses. If a packet contains an IP address that is ignored, LaBrea will not answer to it. Instead of taking IP ranges, the ipignore feature requires that you use standard CIDR notation — for example, 10.2.3.0/24.
portignore: This option tells LaBrea to ignore traffic to the specified ports.
pmn: This option stands for port monitor and overrides the behavior of the firewall-like -f mode. In other words, even in firewall mode, LaBrea is going to answer connection attempts to these ports.
Instead of IP addresses or port numbers, it's also possible to specify ranges. Figure 3.3 shows a simple configuration file for LaBrea. We prevent two production machines — 192.168.1.1 and 192.168.1.2 — from being captured by LaBrea. We also ignore all connection attempts from 192.168.3.0/24, as we might not want to confuse scanners that come from it. We also ignore all traffic to low-numbered ports. Usually, there is nothing interesting in that port range anyway.
# Production hosts that we do not want captured
192.168.1.1 exclude       # nameserver
192.168.1.2 exclude       # webserver
# Do not capture scans from the security department
192.168.3.0/24 exclude    # network belonging to secops
# Ignore traffic to some uninteresting ports
0-20 portignore
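As an added example that is not part of the chapter or of LaBrea itself, the following Python parser reads the configuration format just described (one target and one directive per line, single addresses, ranges and CIDR blocks, port ranges, # comments) and applies the exclude, ipignore and portignore rules to a connection attempt. The would_capture function and the sample configuration are constructed for illustration; the sample adds an excluded DHCP pool, the case the chapter warns about.

```python
# Added example (not LaBrea's own code): parse the labrea.conf format described above
# and apply the exclude / ipignore / portignore rules to a connection attempt.
import ipaddress

DIRECTIVES = {"exclude", "hardexclude", "ipignore", "portignore", "pmn"}
PORT_DIRECTIVES = {"portignore", "pmn"}  # these take port numbers, the rest take IPs

def _span(target, is_port):
    """Map '25', '0-20', '1.2.3.4', '1.2.3.4-1.2.3.9' or '10.2.3.0/24' to an inclusive (lo, hi)."""
    if not is_port and "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        return int(net[0]), int(net[-1])
    lo, _, hi = target.partition("-")
    conv = int if is_port else (lambda s: int(ipaddress.ip_address(s)))
    return conv(lo), conv(hi or lo)

def parse_labrea_conf(text):
    """Return {directive: [(lo, hi), ...]}; '#' starts a comment and blank lines are skipped."""
    rules = {d: [] for d in DIRECTIVES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1] not in DIRECTIVES:
            raise ValueError(f"line {lineno}: expected '<target> <directive>', got {raw!r}")
        rules[parts[1]].append(_span(parts[0], parts[1] in PORT_DIRECTIVES))
    return rules

def _matches(spans, value):
    return any(lo <= value <= hi for lo, hi in spans)

def would_capture(rules, dst_ip, src_ip, dst_port):
    """True if LaBrea would answer a SYN from src_ip to dst_ip:dst_port under these rules."""
    dst, src = int(ipaddress.ip_address(dst_ip)), int(ipaddress.ip_address(src_ip))
    if _matches(rules["exclude"], dst):          # production hosts are never taken over
        return False
    if _matches(rules["ipignore"], dst) or _matches(rules["ipignore"], src):
        return False                             # ipignore applies to local and remote IPs
    return not _matches(rules["portignore"], dst_port)

# Constructed configuration modelled on the example above, plus an excluded DHCP pool so
# LaBrea cannot swallow the addresses the DHCP server still hands out.
SAMPLE_CONF = """
192.168.1.1 exclude                    # nameserver
192.168.1.2 exclude                    # webserver
192.168.1.100-192.168.1.200 exclude    # DHCP pool
192.168.3.0/24 ipignore                # scanners from the security department
0-20 portignore                        # uninteresting low ports
"""
```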
With the explanation of the command-line options and the preceding configuration file format, you should be able to figure out which settings to use for your environment. If everything has been configured correctly, you should see LaBrea responding to pings and capturing IP addresses:
Sun Mar 19 00:21:15 2006 Responded to a Ping: 10.1.13.16 -> 172.168.8.81
Sun Mar 19 00:21:16 2006 Responded to a Ping: 10.1.13.17 -> 172.168.8.81
Sun Mar 19 00:21:17 2006 Responded to a Ping: 10.1.13.18 -> 172.168.8.81
Sun Mar 19 00:22:11 2006 Current average bw: 50 (Kb/sec)
Sun Mar 19 00:22:33 2006 Capturing local IP 172.168.8.27
Sun Mar 19 00:22:36 2006 Capturing local IP 172.168.8.35
LaBrea works best for you if your network is not behind a firewall. Probes and exploit attempts are often seen on the following ports: 135, 139, 137, and 445. However, these are also the ports that are most often filtered. As we show later, e-mail spammers are more likely to send you traffic when your virtual honeypots are running some kind of mail relay. Unfortunately, a tarpit is not very likely to invite return visitors.
Another complication to keep in mind is the common use of DHCP to allocate IP addresses. LaBrea will take over IP addresses in the DHCP address range that are not currently in use. However, DHCP servers tend to ping an IP address before handing it out. The unfortunate result is that LaBrea replies to the ping, which confuses the DHCP server. Over time, as users return their leases, LaBrea will take over the whole DHCP address space. If you know which addresses are used by your DHCP server, you should exclude them in the configuration file.