From: "David W. Crawford" <dc@panix.com>
Date: Mon, 9 Mar 1998 12:31:16 -0800 (PST)
To: cypherpunks@toad.com
Subject: Fred Cohen's The Deception ToolKit (fwd)
Message-ID: <42>
MIME-Version: 1.0
Content-Type: text/plain


>From comp.risks digest 19.62
 
> ------- Start of forwarded message -------
> Date: Mon, 9 Mar 1998 05:52:28 -0800 (PST)
> From: Fred Cohen <fc@all.net>
> Subject: The Deception ToolKit
> 
> I would like to announce and introduce a new security tool available for free
> from over the Internet - The Deception ToolKit - available from http://all.net/
> 
> The Deception ToolKit (DTK) is a toolkit designed to give defenders a couple
> of orders of magnitude advantage over attackers. 
> 
> The basic idea is not new. We use deception to counter attacks. In the case
> of DTK, the deception is intended to make it appear to attackers as if the
> system running DTK has a large number of widely known vulnerabilities. DTK's
> deception is programmable, but it is typically limited to producing output
> in response to attacker input in such a way as to simulate the behavior of a
> system which is vulnerable to the attackers method. This has a few
> interesting side effects: 
> 
>   It increases the attacker's workload because they can't easily tell
>   which of their attack attempts works and which fail. For example, if
>   an attack produces what appears to be a Unix password file, the
>   attacker would normally run "Crack" to try to break into the system.
>   But if the password file is a fake, it consumes the attackers time and
>   effort to no result. 
> 
>   It allows us to track attacker attempts at entry and respond before
>   they come across a vulnerability we are susceptible to. For example,
>   when the attacker tries to use a known Sendmail attack against our
>   site, we record all of their entries to track their techniques. With
>   this deception in place, we have no problem picking up port scans,
>   password guessing, and all manner of other attack attempts as they happen. 
> 
>   It sours the milk - so to speak. If one person uses DTK, they can see
>   attacks coming well ahead of time. If a few others start using it, we
>   will probably exhaust the attackers and they will go somewhere else to
>   run their attacks. If a lot of people use DTK, the attackers will find
>   that they need to spend 100 times the effort to break into systems and
>   that they have a high risk of detection well before their attempts succeed.
> 
>   If enough people adopt DTK and work together to keep it's deceptions
>   up to date, we will eliminate all but the most sophisticated
>   attackers, and all the copy-cat attacks will be detected soon after
>   they are released to the wide hacking community. This will not only
>   sour the milk, it will also up the ante for would-be copy-cat
>   attackers and, as a side effect, reduce the "noise" level of attacks to
>   allow us to more clearly see the more serious attackers and track them down. 
> 
>   If DTK becomes very widespread, one of DTK's key deceptions will
>   become very effective. This deception is port 507 - which we have
>   staked a claim for as the deception port. Port 507 indicates whether
>   the machine you are attempting to connect to is running a deception
>   defense. Naturally, attackers who wish to avoid deceptive defenses
>   will check there first, and eventually, simply running the deceptive
>   defense notifier will be adequate to eliminate many of the attackers.
>   Of course some of us defenders will not turn on the deception
>   announcement message so we can track new attack attempts by those who
>   avoid deceptive defenses, so... the attacker's level of uncertainty
>   rises, and the information world becomes a safer place to work. 
> 
> Your positive and helpful comments are appreciated.  FC
> 
> Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:510-454-0171------- End of forwarded message -------


David W. Crawford    <dc@panix.com>
Los Gatos, CA        <david@ricochet.net>