‘Decoy nets’ gain backers in battle against hackers

As hackers obtain ever more dangerous and easy-to-use tools, they are being countered by novel defense strategies. Witness the experimental idea of setting up a decoy network separate from your real one to fool intruders as they try to fool you.

This so-called “deception” network is envisioned as more than just a single server set up to be a “honeypot,” where hackers may break in, find a dead end and have their activities recorded with an eye toward prosecution. Rather, the decoy net is an entire fake network, complete with host computers on a LAN with simulated traffic, to convince hackers for as long as possible that it’s real.

Experts debate whether such nets will be worth the effort, but agree they can be a way to slow hackers long enough to sort the curious from the truly destructive.

A group calling itself The Honeynet Project has quietly begun testing decoy networks on the Internet and soon plans to publish a paper on how to build one.

According to Ed Skoudis, chief security strategist at Predictive Systems, the idea is the brainchild of Sun security consultant Lance Spitzner. “We set up honeypots to watch hacker activity,” said Skoudis, who participates in the invitation-only group.

The Honeynet Project is not intended to prosecute intruders who haplessly wander into their elaborate decoys, but to study hacker responses in depth in order to devise the best decoy defenses. There are only a few commercial honeypot-style products on the market, including Network Associates’ CyberCop Sting and Recourse Technologies’ ManTrap.

Other decoy networks do slow intruders with an eye toward collecting evidence to prosecute them, said Rusty Miller, an executive at Veridian Information Systems.

“To collect evidence, you need to divert the hacker to a deception network,” said Miller, who claims to have built deception networks for secretive government agencies. He said the idea is to feed back information about what hackers do to a kind of “deception central” for network administrators. “The time the hackers are dealing with a deception environment is time they’re not in your network,” he said.

It is possible to create a deception network that has the same IP network address as your real network, Miller said. He acknowledged deception nets carry obvious administrative burdens, such as the need to generate realistic traffic to fool a hacker and maintain a network no one really uses. He noted the risk that administrators will lose track of what’s real and what’s not.

These deception techniques have doubters. Steve Manzuik, security analyst at BindView, appreciates the work being done by The Honeynet Project and would like to contribute, but he remains skeptical.

“It’s not clear yet you can fool a lot of people with this deterrent,” he said.

Meanwhile, hackers continue to learn new tricks.

The past year has seen the emergence of a new breed of distributed port scanners and sniffers that make it easier for attackers to hide their intent, Skoudis said.

There’s now a kernel-level root-kit for Linux, called Knark, which when installed by hackers changes the operating system to hide files and present false information to administrators. And another new one, called Dsniff, can be used to capture traffic on Ethernet switches and inject traffic into a network to direct traffic to itself, known as the man-in-the-middle attack.

“It’s pretty nasty stuff,” Skoudis said. “For very sensitive networks, you may want to activate port-level security on your switches.”

Many tools that let hackers carry out surveillance are now Web-based, according to David Rhoades, director of systems engineering at AppGate. “Why Web-based? It’s easy. No complicated downloads or zip files. They can hack from anywhere, and it’s anonymous.”