Information about dtk

Published on September 13, 2007

Author: Belly

Source: authorstream.com

DTK --- Deception Toolkit
Fangfang Zhang

1. Background

Throughout the history of war, deception has been a cornerstone of successful offense and defense. The history of information system attack is almost entirely a history of deception, in which attackers deceive while defenders are open and honest.

Perhaps the most important point in this regard is that, of 140 defensive techniques surveyed, only about one in ten could be considered deceptive in nature, while about half of the attack techniques involve deception. Most of the defensive deception that does exist is only peripherally deceptive (some areas of cryptography, for example). Deception is underutilized in information protection.

How effective deceptions are created:
- Understand the intelligence capacities of the attacker.
- Find ways to cause their intelligence operations to go awry in desired ways.
- Exploit a set of redundant and seemingly independent sources of information that the attacker trusts and can verify, in order to create a total picture that deceives on a broad scale.

2. Introduction

2.1 What is DTK

- Released in 1997, open source, written in Perl and C.
- DTK simply listens for inputs and provides responses that seem normal. In the process, it logs what is being done, provides sensible (if not quite perfect) answers, and lulls the attacker into a false sense of (your) insecurity.

DTK currently has the following components:
- Generic.pl - a generic interface that works via tcp wrappers to service incoming requests.
- listen.pl - a port listener that listens to a port and forks slave processes to handle each inbound attempt.
- logging.pl - the subroutines and initialization for logging what happens.
- respond.pl - the subroutine for responding based on 'response' file content.
- notify.pl - a sample program to notify administrators of known attacks by email.
- coredump.c - produces a coredump message on a port (what a fakeout).
- deception.c - work in progress on a C version of the program; don't even think about compiling it yet.
- makefile - makes the C programs into executables; truly trivial.
- [nn].response - the responder finite state machine for each port. This takes some understanding of finite state machines.
- @[nn].[something] - a response file for non-trivial outputs.
- @fake.passwd - a fake password file that nobody will ever be able to decode.
- expandlog.pl - expands compressed log files into a more readable form.

DTK GUI 1.1 / New DTK GUI (screenshots of the GUI)

What kind of fancy features does it have?
- Compressed log files that save about half the space taken up by most logfiles without any loss of information, plus a program to expand the compressed logs into the normal uncompressed format.
- Timeouts and limits on inputs everywhere, so that resource exhaustion is naturally defended against.
- Built-in detection and reporting of port scanning.

2.2 Purpose

DTK is designed primarily to provide the average Internet user with a way to turn on a set of deceptions in a few minutes that will be effective in substantially increasing attacker workloads while reducing defender workloads. In its off-the-shelf form, DTK is designed to provide fictions that are adequate to fool current off-the-shelf automated attack tools into believing that defenses are different than they actually are.

DTK is not intended to be the end-all of deceptions in information systems. It is only a simple tool for creating deceptions that fool simplistic attacks, defeat automatic attack systems, and change the balance of workload in favor of the defender.

2.3 How does it work?

DTK is a state machine. It simply listens for inputs and provides responses that seem normal (i.e., full of bugs). In the process, it logs what is being done, provides sensible (if not quite perfect) answers, and lulls the attacker into a false sense of (your) insecurity.

Basic idea: the deception is intended to make it appear to attackers as if the system has a large number of widely known vulnerabilities. Attack tools that automatically scan for known vulnerabilities find what appear to be large volumes of vulnerabilities. When the attacker tries to interpret the results, there is not enough information to tell which of the detected vulnerabilities are real, and the number of detected vulnerabilities is very high. The attacker is then faced with spending inordinate amounts of time trying to figure out which of the indicated attacks really work.

State machines: the state machines used in generating deceptions can be designed so as to easily reveal the severity and intent of the attacker in terms of malice, while automatically suppressing false positives by giving them differentiable state numbers.

Explained by [nn].response: the [nn].response file describes to listen.pl and Generic.pl (and some day, maybe, deception.pl) how to respond to inputs.

Explained by a log example (a telnet session on port 23 in DTK's compressed log format; each entry after the first starts with "+n", the seconds elapsed since the previous entry, and "-" marks a field unchanged from the entry before):

23 23 1998/04/02 05:34:23 8041 8041:1 listen.pl S0 - - -
+3 - - 8041:1 - S1 root - - -
+1 - - 8041:1 - S2 toor - - -
+2 - - 8041:1 - S3 ls - - -
+2 - - 8041:1 - S3 df - - -
+4 - - 8041:1 - S3 cat /etc/passwd - - -
+0 - - 8041:1 - S4 NOTICE //dtk/notify.pl 23 4 Email fred at all.net Just sent a password file to an attacker - t!

Reading the log: the connection is accepted in state S0 when listen.pl forks a slave for it. The inputs "root" and "toor" arrive in states S1 and S2 (the username and password prompts), and "ls" and "df" are answered in S3 (the fake shell) without leaving that state. "cat /etc/passwd" moves the machine to S4, and that state carries a NOTICE action: notify.pl is run to email the administrator that a (fake) password file was just handed to an attacker. The state number reached is what tells severity apart from noise.

2.3 Effects

- It increases the attacker's workload.
- It allows us to track attacker attempts at entry and respond before they come across a vulnerability we are susceptible to.
- It sours the milk, so to speak. If one person uses DTK... If a few others start using it...
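The walk through states S0 to S4 in the log above, as an added example that is not DTK's own Perl code and not its shipped 23.response file: a small finite state deception for a fake telnet service on port 23, driven by a transition table in the spirit of a [nn].response file, writing compressed log entries and raising a NOTICE when the password-file state is reached. The transition table, prompts, fake passwd line and the rule that "+delay - -" abbreviates the repeated port, date/time and pid are constructed for illustration (the real DTK field layout may differ); the state numbers, inputs, pid 8041, the timestamps and the "fred at all.net" address are taken from the page's log.

```python
"""Added example (not DTK's own Perl, and not its shipped 23.response):
a DTK-style finite state deception for a fake telnet service on port 23.
The transition table, prompts, fake passwd line and the log-compression
rule below are constructed for illustration; the state numbers, inputs,
pid and timestamps follow the log example on the page."""
from datetime import datetime, timedelta

PORT = 23
NOTIFY_TO = "fred at all.net"                       # address taken from the page's log
FAKE_PASSWD = "root:aB3kd9LmQ2xY.:0:0:root:/:/bin/sh\n"  # constructed, stands in for @fake.passwd

# (state, input) -> (reply sent to the attacker, next state, notice text or None).
# "*" is the default transition for any input not listed for that state, which is
# how a small [nn].response machine can answer everything without knowing anything.
FSM = {
    ("S0", "*"): ("login: ", "S1", None),             # new connection: send login prompt
    ("S1", "*"): ("Password: ", "S2", None),          # any username is accepted
    ("S2", "*"): ("$ ", "S3", None),                  # any password "works"
    ("S3", "ls"): ("bin  etc  home  usr\n$ ", "S3", None),
    ("S3", "df"): ("/dev/hda1  2.0G  1.2G  0.8G  60% /\n$ ", "S3", None),
    ("S3", "cat /etc/passwd"): (FAKE_PASSWD + "$ ", "S4",
                                "Just sent a password file to an attacker"),
    ("S3", "*"): ("sh: command not found\n$ ", "S3", None),
    ("S4", "*"): ("sh: command not found\n$ ", "S4", None),
}


class Session:
    """One attacker connection: the current state plus DTK-style log entries."""

    def __init__(self, pid, conn, started, notify):
        self.pid, self.conn, self.clock, self.notify = pid, conn, started, notify
        self.state = "S0"
        # First entry carries the full timestamp; listen.pl has just forked this slave.
        self.log = [f"{PORT} {PORT} {started:%Y/%m/%d %H:%M:%S} {pid} "
                    f"{pid}:{conn} listen.pl S0 - - -"]

    def open(self):
        """Take the S0 transition: send the banner for the new connection."""
        reply, self.state, _ = FSM[("S0", "*")]
        return reply

    def step(self, line, delay):
        """Handle one attacker input that arrived `delay` seconds after the previous one."""
        self.clock += timedelta(seconds=delay)
        key = (self.state, line) if (self.state, line) in FSM else (self.state, "*")
        reply, nxt, notice = FSM[key]
        # Compressed entry: "+delay - -" stands for the repeated port, date/time and pid
        # (an assumption modelled on the shape of the page's log).
        self.log.append(f"+{delay} - - {self.pid}:{self.conn} - {self.state} {line} - - -")
        self.state = nxt
        if notice:                                    # the NOTICE action runs notify.pl
            self.notify(PORT, nxt, notice)
            self.log.append(f"+0 - - {self.pid}:{self.conn} - {nxt} NOTICE //dtk/notify.pl "
                            f"{PORT} {nxt[1:]} Email {NOTIFY_TO} {notice}")
        return reply


def replay(script, start=datetime(1998, 4, 2, 5, 34, 23), pid=8041):
    """Drive one session through a list of (delay_seconds, attacker_input) pairs.

    Returns the compressed log, the notices raised, and what the attacker saw."""
    notices = []
    s = Session(pid, 1, start, lambda port, st, msg: notices.append((port, st, msg)))
    seen = [s.open()]
    for delay, line in script:
        seen.append(s.step(line, delay))
    return s.log, notices, seen


def expand_log(lines):
    """Undo the compression, as expandlog.pl does: every entry gets an absolute time."""
    out = []
    for entry in lines:
        fields = entry.split(" ")
        if not fields[0].startswith("+"):              # uncompressed first entry
            port, pid = fields[0], fields[4]
            clock = datetime.strptime(f"{fields[2]} {fields[3]}", "%Y/%m/%d %H:%M:%S")
            out.append(entry)
            continue
        clock += timedelta(seconds=int(fields[0][1:]))
        out.append(f"{port} {port} {clock:%Y/%m/%d %H:%M:%S} {pid} " + " ".join(fields[3:]))
    return out


if __name__ == "__main__":
    # The attacker session from the page's log, as constructed input.
    log, notices, seen = replay([(3, "root"), (1, "toor"), (2, "ls"), (2, "df"),
                                 (4, "cat /etc/passwd")])
    print("\n".join(log))
    print("\n".join(expand_log(log)))
    print(notices)
```

Run as-is it reproduces the seven log entries above and the single notice for state S4. The "*" default transitions are what keep the machine tiny, and they are also its tell: any command outside the table, sent in any order, gets the identical canned line, so an attacker who probes with a few unexpected inputs can tell this shell from a real one long before reaching the password file.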
If a lot of people use DTK...

Effects (continued)

If enough people adopt DTK and work together to keep its deceptions up to date, we will eliminate all but the most sophisticated attackers, and all the copy-cat attacks will be detected soon after they are released to the wider hacking community. This reduces the 'noise' level of attacks and allows us to see the more serious attackers more clearly and track them down.

If DTK becomes very widespread, one of DTK's key deceptions will become very effective: the deception on port 365, the port on which a DTK host announces that it is running deceptions. Once enough hosts answer there, an attacker can no longer tell which of a site's advertised services are real.

Also covered: the effect of DTK on denial of service, and the effect of DTK on false positives and on determining attacker severity and intent.

2.4 Limitation

DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system that is vulnerable to the attacker's method. DTK is clearly limited in the richness of the deceptions it can provide.

It is simple to differentiate between a real computing environment and the limited capabilities demonstrated by a finite state machine with a small number of states. Against most modern automated attack tools this is adequate, but against a serious attacker, differentiation even by an automated tool would be a simple matter.

2.5 Two problems for the designer of automated attacks against deceptive defenses such as DTK

- The first problem is generating automation that differentiates between deceptions and real services.
- The second problem is finding a way to succeed in the attack before the defender is able to react.

3. From Honey Pots to the Deception Toolkit

Early 'honey pot' systems were based on the idea of placing a small number of attractive targets in locations where they are likely to be found, and drawing attackers into them.

The original Deception Toolkit (DTK) provided some relief from the low probability of encountering a deception and the extreme localization of deceptions under previous honey-pot systems.

Summary
1. Background
2. Introduction
3. From Honey Pots to the Deception Toolkit

END. Thank you.
