Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tarpits for Microsoft Worms

Posted by michael on from the brer-fox-he-lay-low dept.

Digital_Quartz writes: "Wired News is reporting on a clever little tool by Tom Liston called LaBrea which uses unused IP addresses on a network to create virtual computers for worms and hackers to attack. LaBrea responds to requests in such a way as to keep the connection open forever, creating a "tarpit" in which worms like Code Red will get "stuck"."

3 of 245 comments (clear)

  1. temporary measure! by Pooh22 · · Score: 5, Insightful

    Ok, so the next version will close the connection in 1 minute. I don't see this helping in the future...

    1. Re:temporary measure! by Phil+Gregory · · Score: 5, Insightful

      Well, LaBrea operates below the level of most Windows network programs. From the program's point of view, it establishes a TCP connection to the server and issues the necessary HTTP commands. More things happen "on the wire" though. Here's a simplified timeline:

      1. Program calls connect() to reach the other host.
      2. OS's TCP/IP stack sends a SYN packet to the other host.
      3. One of several things happens:
        • The host does not respond and the connection eventually times out. Result: failed connection attempt after a short timeout.
        • The host is reachable but isn't listening on that port. It sends a RST packet. Result: The connection fails almost immediately.
        • Some other network error. At most, the connection will time out in a relatively short period of time.
        • The host is listening on the port and sends back a packet with both the SYN and ACK bits set
      4. Presuming the TCP/IP stack got a SYN ACK, it sends its own ACK and considers the connection established.
      5. The TCP/IP stack reports to the calling program the result of the connection attempt. If the three-way handshake went as normal (SYN, SYN ACK, ACK), it considers the connection open.
      6. If the connection was successful, the program starts sending data.
      7. The TCP/IP stack accepts the data, breaks it into packets to be sent, and doesn't return to the program until it's done.
      8. For each packet of data the TCP/IP stack sends out, it waits for an ACK of that packet, retransmitting the packet if it doesn't receive the ACK with a certain period of time. It will wait longer and longer after each transmission before eventually giving up on the connection altogether. The ultimate timeout on an established TCP session is relatively large (and possibly implementation-dependent; I don't remember exactly that part of the spec).

      Most firewalls only deal with the first SYN used to set up the connection. Either they reject it (send a RST) or drop it, leaving the connection to time out. La Brea responds to the initial SYN, then ignores everything else, leaving the TCP session to time out. That timing out usually takes a while (the author estimates about 15 minutes for Windows machines), and the program is unable to do anything while it's waiting for the TCP/IP stack to finish sending its data.

      Ok, enough background. The point is that, with standard programming practices, the program doesn't get to pick how long it waits before giving up. That is dependent on the OS's TCP/IP stack. The ways around it are harder. One workaround is to use raw TCP sockets (and this may not even work; I'd have to check my copies of Unix Network Programming, and they're at home). (Anyway, Windows XP will be the first WIndows to support raw TCP sockets.) The other is to use nonblocking I/O, which requires a lot more state keeping in the program. (But it would allow the program to fire off connections to a number of hosts and wait to deal with the responses as they come in.) I suspect most work writers would just count on very few people running things like LaBrea and write the simpler code.

      So, in summary: LaBrea is pretty nifty and a program can't just shorten its timeout period to get around the delay. The only workaround I can think of at the moment is nonblocking I/O, but that has its own drawbacks (and, depending on the program design, could still be slowed down by LaBrea).


      --Phil (Crazy network programmer.)
      --
      355/113 -- Not the famous irrational number PI, but an incredible simulation!
  2. Sounds interesting by rabtech · · Score: 4, Insightful

    it sounds rather interesting, but might I suggest securing the server in the first place?

    For any IIS admins out there, you need to download and install URLScan. It is a free tool put out by Microsoft. It scans incoming requests and only allows ones that meet its criteria of rules (with a default blank ruleset, all requests are discarded.)

    <a href="http://www.microsoft.com/Downloads/Release.a sp?ReleaseID=32571">http://www.microsoft.com/Downl oads/Release.asp?Rel easeID=32571</a>

    There are a variety of other methods that can be used as well, and I am currently working on a guide to security for IIS admins. It isn't that hard... take the time to do it right.

    --
    Natural != (nontoxic || beneficial)