
3.3. LaBrea

LaBrea, created by Tom Liston, is famous for introducing the concept of a tarpit. A tarpit is a service that tries to slow down spammers, and maybe even worms, by making TCP connections either very slow or by stalling them completely. We will discuss the interaction of honeypots and worms in more detail later, but for now it is enough to understand that more sophisticated worms, which scan many targets in parallel, cannot be slowed down by tarpits: a stalled connection only ties up one of many scanning threads. However, tarpits work very well against simple worms that operate sequentially and cannot move on to the next target until the current connection finishes.

Before we explain how to get started with LaBrea, we give a brief overview of its functionality. When you run LaBrea on your network, it discovers unused IP addresses and starts answering connections to them. Once a connection has been established, LaBrea tries to hold on to the sender as long as possible. It does that by employing tricks in the TCP protocol to bring an established connection into a state where it can no longer make any progress. The reason for stalling connections is really simple: each connection that a spammer needs to keep open on her server ties up resources (a socket, memory, a sending process) that could otherwise be used to deliver spam to real machines.

To detect whether an IP address is unused, LaBrea relies on ARP. Whenever a router tries to deliver a packet to an IP address on the local network, it first needs to find the corresponding MAC address. If no host is using the IP address, the ARP requests go unanswered and the router keeps asking:

17:21:18.439376 arp who-has 192.168.1.121 tell 192.168.1.5
17:21:19.439571 arp who-has 192.168.1.121 tell 192.168.1.5
17:21:20.439765 arp who-has 192.168.1.121 tell 192.168.1.5
17:21:21.439998 arp who-has 192.168.1.121 tell 192.168.1.5


Enter LaBrea! Because ARP requests are broadcast to the whole network, LaBrea sees the router's requests and, if no host on the network answers for 192.168.1.121 within a short time, sends its own reply:

17:22:22.346430 arp reply 192.168.1.121 is-at 00:3c:2f:1e:52:6a

Now that the router has received a MAC address, it is happy to send this packet and all subsequent ones to our LaBrea host. For this to work, there is one remaining problem that needs to be solved. When a host is rebooted, it might come up with an IP address that LaBrea has already taken over. Fortunately, a rebooted host sends a gratuitous ARP that informs everybody on the network about its new IP address to MAC address binding. LaBrea relinquishes the IP address in those cases.[2]

[2] By spoofing gratuitous ARPs for all IP addresses on a network, it's possible to prevent LaBrea from intercepting any traffic. However, it might also really mess up your network.
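The capture logic just described, written out as an added example in Python (this is not LaBrea's own code). It replays a constructed trace of ARP frames modeled on the tcpdump output above: unanswered requests for an address are counted, the address is claimed once enough of them pile up, a real host's reply or gratuitous ARP clears the count and releases a claimed address, and excluded hosts are never touched. The threshold of three unanswered requests within five seconds and the reply MAC 00:00:0f:ff:ff:ff are assumptions chosen for the example, not LaBrea's documented values.

```python
"""Added example, not LaBrea's own code: the ARP capture logic described
above, run over a constructed trace of ARP frames.

Assumptions (mine, not taken from LaBrea): an address is claimed after
UNANSWERED_THRESHOLD who-has frames for it go unanswered within
WINDOW_SECONDS, and replies are sent with the fixed BOGUS_MAC.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

BOGUS_MAC = "00:00:0f:ff:ff:ff"   # assumption: MAC we answer with; no real host owns it
UNANSWERED_THRESHOLD = 3          # assumption: unanswered who-has frames before claiming
WINDOW_SECONDS = 5.0              # assumption: those frames must fall inside this window


@dataclass
class ArpCapture:
    """Decide which unused addresses to claim from a stream of ARP frames."""
    subnet: str                                                    # range we may capture in
    excluded: List[str] = field(default_factory=list)              # hosts/nets never captured
    pending: Dict[str, List[float]] = field(default_factory=dict)  # ip -> who-has times
    captured: Dict[str, float] = field(default_factory=dict)       # ip -> time claimed

    def _eligible(self, ip: str) -> bool:
        addr = ip_address(ip)
        if addr not in ip_network(self.subnet, strict=False):
            return False
        return not any(addr in ip_network(x, strict=False) for x in self.excluded)

    def _host_seen(self, ip: str) -> Optional[str]:
        """A real host answered or announced ip: drop any count, release it if held."""
        self.pending.pop(ip, None)
        if ip in self.captured:
            del self.captured[ip]
            return f"release {ip}"
        return None

    def observe(self, ts: float, op: str, sender_ip: str, sender_mac: str,
                target_ip: str) -> Optional[str]:
        """Feed one ARP frame; return the action taken, or None."""
        if op == "reply":
            # Our own replies carry BOGUS_MAC; anything else is a real host answering.
            return None if sender_mac == BOGUS_MAC else self._host_seen(sender_ip)
        if op != "request":
            raise ValueError(f"unknown ARP op {op!r}")
        if sender_ip == target_ip:
            # Gratuitous ARP: a (re)booted host announces its own IP/MAC binding.
            return self._host_seen(sender_ip)
        if target_ip in self.captured:
            # Keep answering for addresses we already hold.
            return f"reply {target_ip} is-at {BOGUS_MAC}"
        if not self._eligible(target_ip):
            return None
        # Count only recent unanswered requests; a reply in between clears the count.
        times = [t for t in self.pending.get(target_ip, []) if ts - t <= WINDOW_SECONDS]
        times.append(ts)
        if len(times) < UNANSWERED_THRESHOLD:
            self.pending[target_ip] = times
            return None
        self.pending.pop(target_ip, None)
        self.captured[target_ip] = ts
        return f"reply {target_ip} is-at {BOGUS_MAC}"


ROUTER_IP, ROUTER_MAC = "192.168.1.5", "00:11:22:33:44:55"   # constructed
TRACE = [  # (time, op, sender ip, sender mac, target ip); constructed for this example
    # Router probes an unused address four times and nobody answers (cf. tcpdump above).
    (18.44, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.121"),
    (19.44, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.121"),
    (20.44, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.121"),  # third unanswered: claim
    (21.44, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.121"),  # already ours: answer
    # A live host answers for itself each time, so it is never captured.
    (30.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.50"),
    (30.10, "reply", "192.168.1.50", "00:aa:bb:cc:dd:ee", ROUTER_IP),
    (31.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.50"),
    (31.10, "reply", "192.168.1.50", "00:aa:bb:cc:dd:ee", ROUTER_IP),
    # An excluded production host is left alone even when it does not answer.
    (40.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.1"),
    (41.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.1"),
    (42.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.1"),
    # Requests spread too far apart never reach the threshold.
    (50.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.200"),
    (60.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.200"),
    (70.00, "request", ROUTER_IP, ROUTER_MAC, "192.168.1.200"),
    # The real owner of .121 comes back and sends a gratuitous ARP: release it.
    (80.00, "request", "192.168.1.121", "00:de:ad:be:ef:01", "192.168.1.121"),
]


def run_trace(trace=TRACE) -> List[str]:
    tarpit = ArpCapture(subnet="192.168.1.0/24", excluded=["192.168.1.1", "192.168.1.2"])
    return [a for a in (tarpit.observe(*frame) for frame in trace) if a]


if __name__ == "__main__":
    for action in run_trace():
        print(action)
```

Running the trace prints two replies for 192.168.1.121 and then its release; the live host, the excluded host and the slowly probed address produce no action at all. Footnote [2] follows directly from `_host_seen`: anyone who can broadcast gratuitous ARPs for every address in the subnet can make this logic release everything.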

At this point, LaBrea will receive TCP connection attempts for all unused IP addresses on a network. When it receives a SYN packet, it will establish a connection by completing the TCP three-way handshake and then stall the connection. LaBrea supports two different ways of slowing down a connection:

When a spammer tries to send e-mail via a LaBrea honeypot, the SMTP transaction makes little or no progress. A naive spammer keeps the connection open and wastes network resources; eventually, the spammer may give up once he notices that no progress can be made when talking to LaBrea.

3.3.1. Installation and Setup

Before you can experiment with LaBrea and try its various features, it needs to be installed on your computer. LaBrea should run fine on operating systems like Linux or FreeBSD. If you are running a distribution with a binary package manager, like Debian, you can simply install the LaBrea package as root with:

$ apt-get install labrea

On the other hand, if you like to run the latest version, you can always get the source code and compile it yourself. The following steps will get you up and running:

1.
Make sure that you have all dependencies installed. LaBrea requires libdnet and libpcap. You can download the latest version of libdnet from libdnet.sourceforge.net/, and libpcap can be downloaded from www.tcpdump.org/.

2.
Extract the source packages with tar -xzf <package>.tar.gz.[3]

[3] As a security-conscious user, you should also verify that the digital signature of each package is correct. You might have to install a tool like gpg and obtain the right public key. If this sounds complicated, we completely agree and can only say that security is still a mess. To be safe, use a package manager instead.

3.
For each package, enter the package directory and then execute ./configure, make, and sudo make install.

4.
Find and download the latest release of LaBrea from labrea.sourceforge.net; if you have gpg installed, you should also download the digital signature and verify the integrity of the package.

5.
Extract LaBrea with tar -xzf labrea-<version>.tar.gz.

6.
Configure the package by entering the source directory and executing ./configure.

7.
Compile the binary with make and then install it with sudo make install. If you do not have sudo installed, become root (for example, with su) and then execute the command.

The binary should now be installed.

If everything went all right, you can now run LaBrea. Figure 3.1 shows an example run: we tell it to stay in the foreground and provide plenty of debug output. One word of caution: if you do not specify a configuration file that excludes the IP address range handed out by your DHCP server, LaBrea might take over your entire DHCP address space and prevent regular users from using your network.

Figure 3.1. First time running LaBrea.

$ sudo labrea -v -i eth0 -sz -d -n 192.168.1.128/25
Sun Feb 26 17:49:20 2006 User specified capture subnet / mask: \
 192.168.1.128/25
Sun Feb 26 17:49:20 2006 LaBrea will attempt to capture unused IPs.
Sun Feb 26 17:49:20 2006 Full internal BPF filter: arp or (ip and ether \
 dst host 00:00:0F:FF:FF:FF)
Sun Feb 26 17:49:20 2006 LaBrea will log to syslog
Sun Feb 26 17:49:20 2006 Logging will be verbose.
Sun Feb 26 17:49:20 2006 Initiated on interface: eth0
Sun Feb 26 17:49:20 2006 Host system IP addr: 192.168.1.6, MAC addr: \
 00:1a:3c:be:78:2c
Sun Feb 26 17:49:20 2006 ...Processing configuration file
Sun Feb 26 17:49:20 2006 ... End of configuration file processing

Sun Feb 26 17:49:20 2006 Network number: 192.168.1.128
Sun Feb 26 17:49:20 2006 Netmask: 255.255.255.128
Sun Feb 26 17:49:20 2006 Number of addresses LaBrea will watch for ARPs: 127
Sun Feb 26 17:49:20 2006 Range: 192.168.1.128 - 192.168.1.255
Sun Feb 26 17:49:20 2006 Throttle size set to WIN 10
Sun Feb 26 17:49:20 2006 Rate (-r) set to 3

Fine-tuning the behavior of LaBrea takes a little bit of work. LaBrea understands the following command-line options; we explain the parameters in detail here and provide some practical examples later on.

These are the most important options, but LaBrea supports others. If you want to find out more, consult LaBrea's documentation or FAQ. The command-line options do not let you configure every aspect of LaBrea; you also need to know about its configuration file. The format of the configuration file is very simple. Each line contains two tokens: the first is either an IP address or a port number, followed by one of these directives:

Instead of single IP addresses or port numbers, it is also possible to specify ranges. Figure 3.3 shows a simple configuration file for LaBrea. We prevent two production machines, 192.168.1.1 and 192.168.1.2, from being captured by LaBrea. We also ignore all connection attempts from 192.168.3.0/24, as we might not want to confuse scanners that come from it. Finally, we ignore all traffic to low-numbered ports (0 to 20). Usually, there is nothing interesting in that port range anyway.

Figure 3.3. Sample network configuration for LaBrea that protects some hosts from being captured.

# Production hosts that we do not want captured
192.168.1.1 exclude # nameserver
192.168.1.2 exclude # webserver

# Do not capture scans from the security department
192.168.3.0/24 exclude # network belonging to secops

# Ignore traffic to some uninteresting ports
0-20 portignore
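To make the two-token format concrete, here is an added example (not LaBrea's own parser) that reads a configuration in the style of Figure 3.3 and answers, for a given connection, whether LaBrea should tarpit it. It handles the two directives shown on this page, exclude and portignore, with trailing comments, and accepts ranges as CIDR blocks, as dashed pairs, or as single values; whether LaBrea itself accepts exactly these spellings is an assumption of this example. The sample configuration is constructed and adds an exclusion for a DHCP pool, the precaution recommended earlier in this section.

```python
"""Added example, not LaBrea's own parser: read a configuration file in the
two-token format described above and decide, per packet, whether to tarpit.

Assumption of this example: ranges may be written as CIDR (192.168.3.0/24),
as a dashed pair (192.168.1.100-192.168.1.150, or 0-20 for ports), or as a
single value. Only the `exclude` and `portignore` directives are handled.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Range = Tuple[int, int]   # inclusive (low, high) over integer addresses or port numbers

# Constructed for this example; the DHCP pool line is the exclusion the text recommends.
SAMPLE_CONFIG = """\
# Production hosts that we do not want captured
192.168.1.1 exclude # nameserver
192.168.1.2 exclude # webserver

# Pool handed out by our DHCP server: never let LaBrea claim these
192.168.1.100-192.168.1.150 exclude # dhcp pool

# Do not capture scans from the security department
192.168.3.0/24 exclude # network belonging to secops

# Ignore traffic to some uninteresting ports
0-20 portignore
"""


def parse_ip_range(spec: str) -> Range:
    """Single address, CIDR block, or 'a.b.c.d-w.x.y.z' -> inclusive integer bounds."""
    if "-" in spec:
        lo, hi = (int(ip_address(p.strip())) for p in spec.split("-", 1))
    else:
        net = ip_network(spec, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"inverted address range {spec!r}")
    return lo, hi


def parse_port_range(spec: str) -> Range:
    """'25' or '0-20' -> inclusive bounds, checked against the valid port space."""
    lo_s, _, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


class LaBreaPolicy:
    def __init__(self) -> None:
        self.excluded: List[Range] = []       # addresses never captured, never answered
        self.ignored_ports: List[Range] = []  # destination ports left alone

    @classmethod
    def parse(cls, text: str) -> "LaBreaPolicy":
        policy = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # strip trailing comments, as in Figure 3.3
            if not line:
                continue
            tokens = line.split()
            if len(tokens) != 2:
                raise ValueError(f"line {lineno}: expected '<target> <directive>': {raw!r}")
            target, directive = tokens[0], tokens[1].lower()
            if directive == "exclude":
                policy.excluded.append(parse_ip_range(target))
            elif directive == "portignore":
                policy.ignored_ports.append(parse_port_range(target))
            else:
                raise ValueError(f"line {lineno}: unknown directive {directive!r}")
        return policy

    def is_excluded(self, ip: str) -> bool:
        n = int(ip_address(ip))
        return any(lo <= n <= hi for lo, hi in self.excluded)

    def is_port_ignored(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ignored_ports)

    def should_tarpit(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """An excluded entry applies to both ends: as a destination the address is never
        captured; as a source (the secops scanner) its connections are ignored."""
        return not (self.is_excluded(dst_ip) or self.is_excluded(src_ip)
                    or self.is_port_ignored(dst_port))


if __name__ == "__main__":
    policy = LaBreaPolicy.parse(SAMPLE_CONFIG)
    for src, dst, port in [("10.9.8.7", "192.168.1.77", 25), ("10.9.8.7", "192.168.1.2", 80),
                           ("192.168.3.5", "192.168.1.77", 445), ("10.9.8.7", "192.168.1.120", 25)]:
        verdict = "tarpit" if policy.should_tarpit(src, dst, port) else "leave alone"
        print(f"{src} -> {dst}:{port}: {verdict}")
```

Only the first of the four sample connections is tarpitted: the others hit a production host, come from the secops network, or land in the excluded DHCP pool. An unknown directive or an inverted range raises a ValueError at load time rather than silently capturing hosts you meant to protect.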

3.3.2. Observations

With the explanation of the command-line options and the preceding configuration file format, you should be able to figure out which settings to use for your environment. If everything has been configured correctly, you should see LaBrea responding to pings and capturing IP addresses:

Sun Mar 19 00:21:15 2006 Responded to a Ping: 10.1.13.16 -> 172.168.8.81
Sun Mar 19 00:21:16 2006 Responded to a Ping: 10.1.13.17 -> 172.168.8.81 *
Sun Mar 19 00:21:17 2006 Responded to a Ping: 10.1.13.18 -> 172.168.8.81
Sun Mar 19 00:22:11 2006 Current average bw: 50 (Kb/sec)
Sun Mar 19 00:22:33 2006 Capturing local IP 172.168.8.27
Sun Mar 19 00:22:36 2006 Capturing local IP 172.168.8.35


LaBrea works best if your network is not behind a firewall. Probes and exploit attempts are often seen on ports 135, 137, 139, and 445, but these are also the ports that are most often filtered. As we show later, e-mail spammers are more likely to send you traffic when your virtual honeypots run some kind of mail relay. Unfortunately, a tarpit is not very likely to invite return visitors.

Another complication to keep in mind is the common use of DHCP to allocate IP addresses. LaBrea will take over IP addresses in the DHCP range that are not currently in use. However, DHCP servers tend to ping an IP address before handing it out, and LaBrea answers that ping, so the DHCP server concludes the address is taken and moves on to the next one. Over time, as users return their leases, LaBrea takes over the whole DHCP address space. If you know which addresses are used by your DHCP server, exclude them in the configuration file.
