Slashdot Mirror


Using Honeypots to Fight Worms

scubacuda writes "Laurent Oudout, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"

49 of 229 comments

  1. Honeypot for lawyers by rot26 · · Score: 4, Insightful

    Sounds like a lawsuit waiting to happen, unfortunately.

    --
    To ensure perfect aim, shoot first and call whatever you hit the target
    1. Re:Honeypot for lawyers by zasos · · Score: 3, Informative

      Never mind... RTFA :) Here's what it says in the article: Honeypots are computer elements helping to delude aggressors. On a production network, evil hackers will attack some kind of fake system, losing time in doing so and giving information about themselves and their methods [ref 4]. When a honeypot is a dedicated host uniquely used to delude aggressors, it is supposed to play no role linked to systems in production. This implies that every request directed to the honeypot is suspect. While honeypots are often thought to be used for passive analysis, they can also play an interactive role to deal with worms. Two kinds of honeypots are often used: high interaction: a kind of real host is usually almost sacrificed (called a "sacrificial lamb") on a network while waiting for any aggressor. low interaction: services and/or hosts are simulated (for example, Honeyd by Niels Provos).

      --

      Just because I don't care, it doesn't mean I don't understand. Homer J. Simpson
    2. Re:Honeypot for lawyers by SirLantos · · Score: 3, Informative

      A honeypot is a server that is intentionally left insecure to lure a cracker into trying to break into it.
      It is kind of like leaving your car doors unlocked in the middle of NYC and pointing a video camera at it to see who tries to steal it.

      --
      The flying hamster of DOOM rains coconuts on your pitiful city.
    3. Re:Honeypot for lawyers by ePhil_One · · Score: 2, Informative
      If somebody is hitting me over the head with a bat, and I shoot them in the arm to make them drop the bat, that is self defense. This seems to me to be very much the digital equivalent of the bat scenario.

      1) Shooting is only justified if you feel your life is in danger and you are incapable of running away. Pretty arguable point when the attacker is only wielding a bat.

      2) Unless your Iron Lung is hooked to the internet, no internet attack is an attack on your life. If I steal your laptop from your trunk, you are not conferred the right to break into my car. So it's a pretty different situation.

      --
      You are in a maze of twisted little posts, all alike.
    4. Re:Honeypot for lawyers by nate1138 · · Score: 2, Insightful

      Yeah, but If I do break into your trunk, what the hell are you going to do about it? Go tell the police that somebody stole your stolen laptop?

      In addition, that scenario is flawed. In the theft scenario, the crime is already complete, and what is being done is revenge (which is wrong). I think both of us have flawed analogies. A more accurate representation would be if somebody was breaking into my house, and I hit them with a fucking brick to make them stop.

      --
      Where's my lobbyist? Right here.
    5. Re:Honeypot for lawyers by dollar70 · · Score: 2, Insightful
      I don't know about you people, but even if I was infected by a worm, I'd rather not be hacked "just to clean up the infection"

      Get a clue! If the honeypot system is trying to knock out your computer, you've already been hacked!!! Your computer has gone rogue! In fact, it's almost as bad as the dog jumping the fence and mauling people!

      And don't give that sorry excuse: "so two wrongs make a right, eh?" That's no way to run the internet! The internet is supposed to attempt to fix itself when things break. If that means taking out the noise generated by a mad dog computer, then so be it!

      Hey, it's not like your "infected" computer was doing you or your company much good at that point anyway, so the counter attack is irrelevant.

    6. Re:Honeypot for lawyers by Flamerule · · Score: 2, Informative
      Shooting is only justified if you feel your life is in danger and you are incapable of running away. Pretty arguable point when the attacker is only wielding a bat.
      Mostly wrong. For example, in the jurisdiction of New York, see this page, or Google yourself. Quote:
      When one believes that the use of deadly force is justified, one has a duty to retreat before using such force if one knows one can do so with complete safety.
      Running away from a guy beating you with a bat is not "complete safety". You would be entirely justified in defending yourself in this situation, and as far as the degree of that defense:
      ... one may justifiably use "deadly physical force" to defend herself from what she "reasonably believes to be the use or imminent use of unlawful physical force."
      The question isn't even the deadliness of the assault, just its unlawfulness.

      The page I linked also listed the relevant law in other jurisdictions. Of the states they list there, Delaware seems to have the most onerous requirement for the victim, in that he must retreat if he can do so "safely". All the other states either use the term "complete safety", or don't have a requirement for flight to be considered at all. That means that a victim in those states is never required to run away before wounding/killing his attacker.

  2. Counter attacks don't work by bobbabemagnet · · Score: 4, Insightful

    We are all well aware of Welchia and the fact that it caused nearly as much nuisance as Blaster. Let us learn from this and never again release a worm for good purposes.

    1. Re:Counter attacks don't work by IncarnadineConor · · Score: 5, Interesting

      That was proactive, the solution described here is reactive. Rather than using network resources searching for infected computers, it would only respond to infected computers that attempt to infect it. Seems somewhat reasonable to me.

    2. Re:Counter attacks don't work by gorfie · · Score: 5, Interesting

      There's a difference between Welchia and this concept though. Welchia *SEEKS OUT* infected hosts, which is why it was so damaging. The honeypot would only attempt to fix machines that are already infected, it wouldn't probe and spread like Welchia.

      However, as another poster said, it's a lawsuit waiting to happen. Even if the project were technically successful, some schmoe out there would try to abuse it somehow.

    3. Re:Counter attacks don't work by David+McBride · · Score: 2, Insightful

      The advantage here is that the server would *only* counter-attack a box with a fix if it was attacked first.

      Although decidedly risky legally-speaking, it would mean that only vulnerable hosts would get contacted and have fixes forcibly deployed on them -- meaning that as the original infection dies down then so too will the number of forced deployments.

      The key problem with the Welchia worm is that it simply didn't go away. It continues to actively probe and scan for vulnerable machines indefinitely -- and enumerating IP addresses and attempting connections to each one generates a lot of traffic.

      No, technically speaking this could be a far better solution than a self-propagating worm. Although not necessarily suitable for the 'net at large, it's definitely viable for, say, a deployment within an organisation which would therefore -- by definition -- own and be permitted to patch all the machines on the local network.

      You still have to be very careful that the forced patch deployment doesn't break something else -- but that's not a new problem.

      I'm going to go read the article now..

    4. Re:Counter attacks don't work by AndIWonderIfIWonder · · Score: 2, Informative
      In fact the article even infers that it should be used in a department or organisation and not on the net, and mentions the ethics of such a procedure.

      This script, given strictly as an example, can be improved upon by using evolved programming languages such as VBS. A longer example [ref 13] has been tested on a research network, cleaning our infected hosts in a few minutes.

      Some SysAdmins were recently polled to determine if it is ethical to take active defense measures in such a targeted, counter offensive way, within a network their organizations owns. The results can be seen here [ref 14, page 29 & 32] (76 respondents).

    5. Re:Counter attacks don't work by pebs · · Score: 2, Insightful

      I think a honeypot such as this (or any honeypot) would be useful within an internal network. So set it up in your LAN, so that you can find out about a potential worm or intruder earlier. Launching a counterattack would be fine within an internal network, but it would be very foolish to do this on the internet -- that would get you in legal trouble.

      --
      #!/
    6. Re:Counter attacks don't work by silicon+not+in+the+v · · Score: 2, Insightful

      Yeah, unless the worms spoof IP addresses. That is going to open up the legal trouble when the "counter" action starts hitting wrong machines.

      --
      We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
    7. Re:Counter attacks don't work by Tim+C · · Score: 2, Interesting

      Seems somewhat reasonable to me.

      Unfortunately, what is reasonable and what is legal are not always the same thing. Anyone considering embarking on such a project would be very well advised to consult with a lawyer before getting too far into it.

    8. Re:Counter attacks don't work by t0ny · · Score: 2, Interesting
      It seems perfectly obvious (to me, anyway) that eventually we will reach a point where all this will have to be done by machines; in that light, this is a step in the right direction.

      When you have hackers using automated systems, remote controlled computers, etc, to do their hacking for them, we will eventually reach a point where we, too, will need to use automation to fight them.

      This is the exact same pattern you see in every other area where automation is now being used: nuclear power, jet aircraft, etc. Of course, just as with those fields, people should still be required to know how to do the job manually, but the automation will be an eventual happening in networking. I'm surprised it's taking as long as it has.

      --
      Manipulate the moderator system! Mod someone as "overrated" today.

    9. Re:Counter attacks don't work by davburns · · Score: 2, Insightful
      I look at the life-cycle of a worm as follows:

      • Infancy: The worm starts from one computer, and begins to spread.
      • Adult: The worm has tried all 2^32 addresses in the IPv4 internet. The worm continues to spread, however, as machines come and go, and may "leak" into networks not directly connected to the Internet.
      • Lingering: Patches are available and national news covers the story, so everyone knows they need to update their machines, and almost everyone does. A few leftover machines (unadministered, presumably?) keep the worm alive, though. It continues to infect forever, unless the worm suicides (and the suicide works) as long-dormant machines re-connect to the internet, or are re-installed from media of old OSes.
      Counterattacks are generally not developed fast enough to deploy in the infancy phase, when they might actually be useful in giving admins a little more time to patch. Slowing the spread of a worm might be done just as effectively with standard tar-pit/sticky honey-pot methods.

      Once the worm reaches the adult phase (which could be literally minutes) then all the systems on the Internet that can be infected are already infected. What point could the counterattack have? Sure, it's fun. But it's not a defensive measure (You're either immune, or already infected.) It uses more bandwidth than it saves. Dealing with counterattacks will divert the time and attention of admins from patching -- which is what they need to be doing.

      Counterattacks in the lingering stage may seem tempting, especially as one looks at logs and sees evidence of year-old worms, still in the wild. Surely, no machine should be connected to the Internet while being unmaintained this long, right? I suggest, however, that the cost of these attempts is pretty small, and the potential cost of an attack is pretty big (and a self-replicating attack, even bigger!) If you really want to help, email or telephone some domain or netblock contacts, and/or their upstream ISP.

      So, I don't see any real benefit from counterattacks, no matter how well intentioned. The "patch treadmill" is a terrible way of securing our Internet infrastructure. Unfortunately, it's also the only way we have, right now.

  3. Worms too?! by MeanE · · Score: 4, Funny

    And here I thought they only caught bears named Poo.

  4. Clean infected hosts? by DrEldarion · · Score: 3, Interesting

    Launching counter attacks to clean infected hosts? I see how this could be useful for internal networks where you actually have permission to clean machines, but it had better be restricted to that network, otherwise this could cause some major legal problems...

  5. Even better by Anemomenous+Cowherd · · Score: 2, Interesting

    What about a P2P honeypot network? I'd think that would greatly increase the overall effectiveness.

  6. Skynet! by scovetta · · Score: 2, Funny

    Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts
    Yeah, the honeypot could proactively install patches to systems that it deemed infected, all around the world!
    Sounds like Skynet. Run for the hills!

    --
    He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche
  7. Reminds me of what AOL did by DaneelGiskard · · Score: 5, Interesting

    Personally I don't like the "launching counter-attacks to clean infected hosts". It reminds me of what AOL did.

    Still what can one do against users who do not care if they have a worm or not? Should we invent a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

    Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

    Oh well, babbled enough, back to work ;)

    1. Re:Reminds me of what AOL did by ekephart · · Score: 2, Insightful

      You may get into legal trouble for FIXING an attacker's computer. You can bet though if they don't patch, then they don't turn off unnecessary services either. Enter Windows Messaging Service. Just send them a quick note stating that their machine is infected and they would be best served to patch it.

      --
      sig
    2. Re:Reminds me of what AOL did by back_pages · · Score: 2, Insightful
      I'm not sure a license to use the internet is the right solution, but there IS a huge issue of accountability these days.

      I'm all for privacy and anonymity, but when 1 anonymous person has the potential to introduce a virus that can bring down a corporation's network (or neighborhood's broadband access) through sheer negligence, I very strongly start to question the limits of that privacy.

      Of course, a fantastic solution to the problem would be software that doesn't have 59,000 exploits and so many features designed to "Help You Out" that actually "Screw You Sideways", we probably wouldn't be having this discussion. I can't wait for the days when operating systems are bundled 1.) for clueless home users, 2.) for clueful home users, and 3.) for geeks/programmers/sysadmins/et cetera. Then Grandma, 13 year old file sharers, and non-technical corporate workers can be given plastic flatware for software rather than chainsaws and electric knives.

      Anyway, something should be done. 5 years ago I would have been vehemently against any type of internet license but these days I'm beginning to think that the solution will be that or an operating system that functions under the assumption that the end user will have no idea if his computer is hacked, hijacked, trojaned, or back doored.

    3. Re:Reminds me of what AOL did by Spl0it · · Score: 2, Informative

      What AOL did was not wrong, they used their software to patch a bug. It wasn't like they opened up Excel and downloaded your files. Mind you, AOL could have told the users what they were planning/doing. Back to this discussion... If I'm running a network of 5000 computers, and 500 of them are DSL, or cable or dialup connections, I have every right to patch those computers on MY network, so long as I divulge this information in the terms of the contract!!!

      --

      No, this is
  8. idiocy by RMH101 · · Score: 5, Insightful
    so you have loads of honeypots out there waiting for worms to exploit them, then you redirect these to "fake services". Whoop-de-hoop.
    I don't think worm writers are going to care very much. If they're spammers, then some more of their spam will go in the bin - but it's not costing them, so who cares?

    On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

    1. Re:idiocy by Afty0r · · Score: 3, Interesting
      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

      I understand where you're coming from, but let's take an analogy: in any other walk of life, if you are attacked you are allowed to take reasonable actions to defend yourself.

      If someone comes at you and other people in the street with a knife, you are allowed to wrestle the knife from him. Things such as punching him, pinning him or even breaking his arm might be viewed as perfectly reasonable by a judge - in order to prevent harm.

      In the same vein, we're talking about disarming the offensive person (host) without causing any collateral damage... So why might this not be considered legal by an enlightened society?
    2. Re:idiocy by unixdad · · Score: 2, Funny

      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

      What if it's a tool that you have deployed in your network, and it just so happens that the honeypot is a little bit misconfigured, allowing it to respond to all hosts that attempt to infect it?

      How is this then different from desktops that are poorly written/designed or misconfigured allowing them to spread viruses on the internet?

      The purpose of the tool (virus prone desktop vs. honeypot) is a bit different, but the end result is the same (a 3rd party's computer is modified without their permission). What makes the user of the desktop more defensible than the user of the honeypot?

  9. Smokey the Bear says... by Anonymous Coward · · Score: 3, Funny

    When using your honeypot at the campgrounds, always practice safety.
    Surround your honeypot with rocks to keep the fire from spreading. Be sure when
    you're done with your honeypot to put it out with a bucket of water and make
    sure it has stopped smoking before you leave the area.

    Remember what Smokey the Bear says. Only you can prevent your honeypot from starting a forest fire.

  10. Bad Idea by Mortanius · · Score: 4, Insightful

    ...launching counter attacks to clean infected hosts!

    They're just that, 'attacks.' Unauthorized access to users' machines with the intent of installing software without the users' knowledge (even with, it makes no difference.)

    It's a nice idea in spirit, the Community (I hate that term) working to automatically protect those who can't help themselves (sounds rather elitist, doesn't it). But in the end, it's no better than your average hacker / skript kiddie futzing around with your machines.

  11. legal way to have internet connection shutoff by Dark+Fire · · Score: 5, Insightful

    Welchia proved that good intentions can be disastrous. Even well-intentioned actions could damage someone's livelihood or equipment and open up the vigilante to criminal/civil penalties. A better approach would be a quick legal remedy that would permit one party to obtain a court order ordering the ISP of another party to cut off their internet access until they complied with the remedy (fixing the issue). The ISP is given 10 business days to notify the customer of the court order. An ISP could then try and verify the claim and file a response themselves if they find the claim unsubstantiated, or they could pass on the claim to the customer who would then be responsible for replying. If the customer or ISP replied without properly addressing the claim or fixing the issue, they would be liable for criminal penalties and fines under the law. Wow, this whole idea ended up sounding kind of draconian which is not at all what I was going for. Any thoughts?

  12. Automatic firewall definition update by Goodbyte · · Score: 2

    It is obvious that 'attacks' can only be made inside a corporate network or similar, or else one would probably face legal consequences.

    Apart from that, I think this is a great idea. You could use honeypots to automatically update firewall filters and block further infection attempts!

    1. Re:Automatic firewall definition update by fuzzybunny · · Score: 2, Insightful

      Good luck. Name me one product you'd trust to automatically adjust your perimeter security.

      I nearly wet myself laughing when I first saw ISS present their ideas of reactive firewall configuration based on IDS alerts. There are a number of serious issues with this school of thinking, understandable though the initial logic may be.

      First off, there is currently no single piece of software in existence smart enough to intelligently distinguish malicious traffic with a high enough degree of reliability to trust it not to fuck up legitimate business operations.

      Second, there are good tools out there (e.g. Snort & co.), but they're very often misconfigured--IDS are often "alibi" exercises, to allow a company to check a tick-box on an audit report ("yeah, we have an IDS. NEXT?")

      Third, the moment you find someone using such a tool, assuming it existed, consider the possibilities to DoS a large corporation or network by just making it think it's under attack. You wouldn't even actually need to hit it particularly hard. You'd just make their super-duper IDS Black ICE Skynet AI shit its pants and think it's getting hammered, and decide to close down. Bang, objective achieved without even having to write a working exploit.

      --
      Cole's Law: Thinly sliced cabbage
  13. Know your enemy by Twillerror · · Score: 3, Insightful

    Half the time we don't know our network is infected until it is too late, or someone complains the internet is slow.

    Just having a honeypot that can alarm us to what boxes are infected is a big plus. We can take it from there.

    Somehow taking the computer off the network would be a bonus as well. I wish our firewall had this functionality.

  14. Nice try (with fixed link) by Tom · · Score: 5, Insightful

    It is a nice attempt at active worm defense.

    Unfortunately for him, I have just published a paper that shows that and how future worms will be much too fast for his - or anyone else's - manual defense methods.

    In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

    As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

    Sorry.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Nice try (with fixed link) by Tom · · Score: 2, Interesting

      How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.

      I've read that one, and it is referenced in my paper. :)

      However, the author makes a good start in terms of preventing that initial spread.

      Chapter 4.5.1 of my paper shows how to circumvent that questionable protection.

      But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.

      That is the correct approach. Until worms earn polymorph capabilities, of course. Unless you are ready to risk a fairly large false positives quota.
      Remember, most of the recent worms spread as web-traffic.

      having to prepare a presentation on, you guessed it, worm spread in corporate networks

      You might want to check out chapter 8.2 of my paper. There I show how to wipe out a corporate LAN in under 60 seconds.

      Yes, I am serious.

      --
      Assorted stuff I do sometimes: Lemuria.org
  15. Yes, imagine that.. by kcm · · Score: 5, Informative

    wait, here it is.

  16. fascinating article.. by herrvinny · · Score: 3, Interesting

    This honeypot can either be a "sacrificial lamb" (a normal host without the very latest updates applied on, sacrificed in expectation of an attack), or just a simulation of services.

    If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out? I think it would be better to have a small network of 6-8 computers (wouldn't have to be much, just get a rack off Ebay and a few of those mini-itx components, load em in, don't need a fan, case, etc) and have each computer at varying levels of patches. One computer is patched every day, one patched every two weeks, etc. There isn't enough time to customize a computer to be infected by the worm; by the time you hear about it, the worm has already infested millions of computers.

    They also should look more into that counterstrike idea. Seriously, if you attack my computer, even if you didn't know about the virus, then I have the right to self defense. I'll gladly install some of that counterstrike software when I set up a honeypot. You're PO'ed because I attacked your computer? You attacked me first. I'm only exploiting the same vulnerability the worm did. If you were a SMART web citizen, you would have gotten a firewall to protect yourself from the worm in the first place.

  17. Re:Legalities by ViolentGreen · · Score: 2

    I would think and hope that it is not. It is still an intrusive attack on another machine and an invasion of privacy.

    Even if this eventually is used (and I hope to God it's not) there would have to be all kinds of legislation defining "good" worms and "bad" worms.

    Can you imagine the government sitting around trying to do this?

    Also, who decides what is removed? What's to keep someone from saying, "downloading mp3s is illegal, we are going to write a "good" worm to remove mp3s without DRM?" Sure that is a bit extreme but this would cause more problems than it's worth.

    --
    Not everything is analogous to cars. Car analogies rarely work.
  18. Attractive Nuisance by supersmike · · Score: 2, Insightful

    The Internet in general is an attractive nuisance to script kiddies.

  19. Honeypot by Anonymous Coward · · Score: 5, Interesting

    I work for a large UK ISP and we have had honeypots in use since the blaster outbreak - they work well.

    If a user is infected and randomly attacks IPs within our network, they eventually hit one of the honeypots. The honeypots flag their account and when they next reconnect they are sent to a 'walled garden' - a dummy DNS RADIUS community where they can only get one webpage, that advises them that they have a virus and provides a download section for removal tools. When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

    There's no legal issues involved with us - we are a residential ISP and stuff like this is covered in T&Cs.

    1. Re:Honeypot by mbklein · · Score: 2, Insightful

      When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

      So as long as I get my prescription filled, you'll let me out of quarantine? Great! I don't actually have to take my antibiotics, as long as they're nearby.

    2. Re:Honeypot by VertigoAce · · Score: 2, Insightful

      I assume that they can get themselves quarantined again if they continue to disrupt the network. And I'd imagine that your account would be flagged so that an administrator would know it's been taken off more than once.
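The walled-garden workflow from the post above and its two replies (flag the account on a honeypot hit, release once the tools have been fetched, re-flag if the probing resumes), as an added Python illustration that is not part of the original thread. The RADIUS records, honeypot and Apache log lines, account names and tool paths are all constructed for the example; the time-based IP-to-account lookup is the piece the post's "RADIUS trace IPs" hint at.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed RADIUS accounting records: (account, framed IP, session start, session stop).
# The same address is reissued to a different subscriber in the evening, which is why a
# honeypot hit must be matched to an account by IP *and* time, never by IP alone.
RADIUS_SESSIONS = [
    ("alice@isp.example", "10.20.0.5", "2003-09-01T08:00:00", "2003-09-01T12:00:00"),
    ("bob@isp.example",   "10.20.0.9", "2003-09-01T08:30:00", "2003-09-01T20:00:00"),
    ("alice@isp.example", "10.20.0.9", "2003-09-01T20:05:00", "2003-09-02T01:00:00"),
]

# Constructed honeypot sensor lines: when a subscriber address probed the honeypot and on which port.
HONEYPOT_LOG = """\
2003-09-01T09:15:02 src=10.20.0.9 dport=135 probe=dcom-rpc
2003-09-01T09:15:03 src=10.20.0.9 dport=135 probe=dcom-rpc
2003-09-01T10:01:00 src=10.20.0.5 dport=80 probe=http-get
2003-09-01T21:40:10 src=10.20.0.9 dport=135 probe=dcom-rpc
"""

# Constructed Apache access-log lines from the walled-garden web server (hypothetical tool names).
DOWNLOAD_LOG = """\
10.20.0.9 - - [01/Sep/2003:11:02:11 +0000] "GET /tools/worm-removal.exe HTTP/1.1" 200 123456
10.20.0.9 - - [01/Sep/2003:11:05:40 +0000] "GET /tools/rpc-patch.exe HTTP/1.1" 200 1405440
10.20.0.5 - - [01/Sep/2003:11:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

REQUIRED_TOOLS = {"/tools/worm-removal.exe", "/tools/rpc-patch.exe"}
WORM_PORTS = {135, 445}  # probes to these ports count as worm activity; a plain web hit does not

HONEYPOT_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+) probe=\S+$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \d+')


def account_for(ip, when):
    """Resolve a subscriber address to the account that held it at that instant, via RADIUS."""
    for account, framed_ip, start, stop in RADIUS_SESSIONS:
        if framed_ip == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(stop):
            return account
    return None  # address not issued to anyone then (or a spoofed source): nothing to flag


def honeypot_hits(log):
    """Map each account to the times at which it probed a worm port on the honeypot."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = HONEYPOT_RE.match(line)
        if not m or int(m.group(3)) not in WORM_PORTS:
            continue
        when = datetime.fromisoformat(m.group(1))
        account = account_for(m.group(2), when)
        if account:
            hits[account].append(when)
    return hits


def tool_downloads(log):
    """Map each account to {tool path: latest successful fetch time} from the walled-garden server."""
    fetched = defaultdict(dict)
    for line in log.splitlines():
        m = APACHE_RE.match(line)
        if not m or m.group(4) != "200" or m.group(3) not in REQUIRED_TOOLS:
            continue
        when = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
        account = account_for(m.group(1), when)
        if account:
            path = m.group(3)
            fetched[account][path] = max(when, fetched[account].get(path, when))
    return fetched


def quarantine_report(honeypot_log=HONEYPOT_LOG, download_log=DOWNLOAD_LOG):
    """Per flagged account: released only if every required tool was fetched *after* its most
    recent honeypot hit; a hit that post-dates the downloads re-flags the account, and the hit
    count lets an administrator spot repeat offenders."""
    hits = honeypot_hits(honeypot_log)
    fetched = tool_downloads(download_log)
    report = {}
    for account, times in hits.items():
        last_hit = max(times)
        missing = sorted(tool for tool in REQUIRED_TOOLS
                         if fetched.get(account, {}).get(tool, last_hit) <= last_hit)
        report[account] = {
            "hits": len(times),
            "status": "released" if not missing else "quarantined",
            "missing": missing,
        }
    return report


if __name__ == "__main__":
    for account, state in quarantine_report().items():
        print(account, state)
```

In the constructed data the 21:40 probe from 10.20.0.9 lands on alice, not bob, because the address had been reissued by then; matching on IP alone would have re-flagged the wrong subscriber.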

  20. Good article by lamj · · Score: 4, Informative

    Overall a very good article. The article could have touched upon the ability of honeypots to help create IDS signatures. At the current technology level, IDS are mostly still signature based, and early detection with honeypots to help with creating IDS signatures is very important.

    For active countermeasures (or attacks), this has to be done VERY carefully. Remember Max Vision? It's good to fix your own machines, and make sure you only attack and fix yours. Access to unauthorized machines is almost always illegal. If one of your boxes got hacked, the incident response team should get involved and do their investigation; auto-patching without investigation can be a risky thing because you just don't know the extent of the problem. When you fix it, the hacker could have a backdoor installed on your box.

  21. Yeah... by inertia187 · · Score: 2, Interesting

    I wrote about that too. Mine is implemented using a simple Servlet.

    --
    A programmer is a machine for converting coffee into code.
  22. Legal implications of counter-attack? NOT! by Not_Wiggins · · Score: 2, Insightful

    To be perfectly honest, there's no legislation to go after the "Joe Average Infected Computer User" for spreading the original worm. What makes you think they'd be all set to jump on (supposed) "White Hats" with systems that only respond to attacks in an effort to stem them (technically "illegal" or not)?

    Before I had a webserver up-n-running doing useful stuff, I had Code Red Vigilante running on port 80; it felt good knowing that machines that had tried to infect me were being warned that they were infected... you know, trying to be a good netizen and enlighten my fellow surfer.

    Of course, I was able to do that because I could look through the Java code I was installing and determine exactly what that code was doing (ie, not fall victim to a socially engineered attack where I mistakenly INSTALL someone's worm code on my computer!)

    No... the real question won't be how this all gets sorted out legally; we'll figure out how to use technology to stop this crap before any law gets passed to "protect me."

    The real question will be how do we protect the average person in the interim without making them easily exploitable targets for malicious anti-worm code that is, in essence, a socially-engineered worm attack in its own right.

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  23. Nice try indeed - an internet immune system! :-) by Juggler · · Score: 2, Interesting
    Actually, that's only assuming that you have a relatively passive system.

    If you actively update the "defense boxes" with all the latest exploits and then configure it to use its full arsenal to take down any attacking hosts (e.g. by making all exploits simply turn off networking on the target machine), then you'll have a very high success rate indeed. Then only worms exploiting previously unknown holes on otherwise fully patched machines will be able to run unchecked. This raises the bar for worm writers by an order of magnitude... or two.

    Note that I'm suggesting that the "counter attack" would simply be to disable networking on the infected host. This is easier to get right than any sort of complex cleanup, thus lowering the odds that you'll break the infected machine. Also, a machine which keeps dropping off the network will eventually get attended to by a technician, who will hopefully disinfect and patch it properly.

    This would also have the beneficial side-effect that worm authors would be forced to close the holes they exploit in order for their worms to live. This would suddenly mean that worms and viruses would be competing against each other instead of coexisting peacefully.

    Frankly I hope someone writes such a thing and a government body or group of white hats simply deploys it. Or both. Then the internet will finally have an immune system.

  24. How I dealt with Welchia by skinfitz · · Score: 2, Informative

    We got caught out by Welchia by someone kindly connecting an infected laptop directly into the network behind the firewalling. Ironically this was possible due to a mistake in SMS package deployment (was done hastily - my fault).

    My solution was to deploy honeypot windows machines running snort which reported into a central SQL server database.

    Using Windows Scripting Host, I then wrote a script that ran periodically on a network management workstation which queried the database, creamed off the last machine that was an infector and, using the wonderful free PS Tools from Sysinternals, automatically determined what OS the machine was running (PSInfo), updated its antivirus signatures (PSExec), de-wormed the machine using the Symantec "FixWelch" utility (again using PSExec), decided if the machine was up to service pack spec (data from PSInfo) and if not service packed it (PSExec), then applied the patches to prevent re-infection (PSExec).

    All worked a treat.

    I'm kind of glad we got hit because as a result I can now insist machines get patched (previously people would complain about a "box on the screen" (SMS installer)) while also being able to remove machine admin rights across the board and ban any machines that are not ours from being connected on pain of a disciplinary offence.

    A lot of work but ultimately, I WIN. MOO HAR HAR!!
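
    As an added illustration of the workflow skinfitz describes (this is not his Windows Scripting Host script): a Python sketch that pulls the most recent infecting host out of a Snort-style alert database, reads the service-pack level from PsInfo output and assembles the PsExec remediation steps. The database rows and the PsInfo text are constructed; the tool names avupdate.exe and hotfix.exe and the installer switches are placeholders and assumptions, and the plan only runs when dry_run is turned off.

```python
import re
import sqlite3
import subprocess

# Constructed stand-in for the Snort alert database the honeypots report to.
# Snort's DB schema stores the attacker address in iphdr.ip_src as an
# unsigned 32-bit integer joined to event on (sid, cid); the rows are made up.
SCHEMA = ("CREATE TABLE event(sid INT, cid INT, timestamp TEXT);"
          "CREATE TABLE iphdr(sid INT, cid INT, ip_src INT, ip_dst INT);")
ROWS = [(1, 1, "2003-08-19 09:12:01", 0x0A000105, 0x0A0000FE),
        (1, 2, "2003-08-19 09:12:07", 0x0A000105, 0x0A0000FE),
        (1, 3, "2003-08-19 09:13:44", 0x0A00020C, 0x0A0000FE)]
TARGET_SP = 4             # service pack level the fleet is expected to run
PATCH_EXE = "hotfix.exe"  # placeholder for the vendor patch package

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?)", [r[:3] for r in ROWS])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)",
                     [(r[0], r[1], r[3], r[4]) for r in ROWS])
    return conn

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def latest_infector(conn):
    """Cream off the source address of the most recent honeypot alert."""
    row = conn.execute("SELECT i.ip_src FROM event e JOIN iphdr i "
                       "ON e.sid = i.sid AND e.cid = i.cid "
                       "ORDER BY e.timestamp DESC LIMIT 1").fetchone()
    return int_to_ip(row[0]) if row else None

def service_pack(psinfo_output):
    """Parse the 'Service pack:' line of PsInfo output; 0 if none installed."""
    m = re.search(r"^Service pack:\s*(\d+)", psinfo_output, re.M)
    return int(m.group(1)) if m else 0

def remediation_plan(host, sp):
    """PsExec steps in the comment's order: -s runs as SYSTEM, -c copies the tool over."""
    unc = "\\\\" + host
    steps = [["psexec", unc, "-s", "-c", "avupdate.exe"],  # AV signature update (placeholder)
             ["psexec", unc, "-s", "-c", "FixWelch.exe"]]  # Symantec removal tool, defaults assumed
    if sp < TARGET_SP:  # machine below spec: service pack it (installer switches assumed)
        steps.append(["psexec", unc, "-s", "-c", "sp%d.exe" % TARGET_SP, "-u", "-z"])
    steps.append(["psexec", unc, "-s", "-c", PATCH_EXE, "-q", "-z"])  # close the hole
    return steps

def run_plan(steps, dry_run=True):
    """Execute the steps in order on the management workstation; returns the step count."""
    for argv in steps:
        if not dry_run:
            subprocess.run(argv, check=False)
    return len(steps)
```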

  25. LaBrea extended by tliston · · Score: 2, Informative

    I have recently begun beta testing of an extended-functionality version of my original Open Source application, LaBrea, mentioned in the article. The new software, known as LaBrea Sentry, uses the same methods of trapping and holding connection attempts by worms and scanners. It also proactively defends real machines from attack from those same worms and scanners as well as communicating all log information to a central server which provides updated "Bad Guy" lists to the entire network of Sentry boxes. Scanning IPs that make it onto the "Bad Guy" list are blocked from access to all monitored networks while they continue to scan. (And before you even ask, yes, there are many safeguards on the system to prevent spoofing...)

    In initial tests, the system knocked down 94.7% of the scripted, scanning attacks against a live webserver, BEFORE those attacks ever made it to the server or IDS logs. That's what it's designed for: not to replace firewalls or IDS systems, but to simply cut down on all of the crap that they see...

    Note: There seems to be a great deal of confusion about the "countermeasures" mentioned in the article. In the case of both LaBrea and LaBrea Sentry, these are "passive" countermeasures, consisting of trapping or tarpitting connection attempts. I agree that the idea of "actively" attempting to patch a machine is fraught with legal issues.

    More information on LaBrea Sentry can be found here.