As a recent ACM Queue article observes the evolution of computer language is toward later and later binding and evaluation. So while one might quibble about the virtues of Java or the CLI (also known as microsoft.net) it seems inevitable that more and more software will be written for or at least compiled to virtual machines. While this trend has many virtues, not the least of which is compatibility, current implementations have several drawbacks. However, by cleverly incorporating these features into the OS, or at least including support for them, we can overcome these limitations and in some cases even turn them into strengths.

Denial of service (DoS) attacks aim to take down Web servers and other Internet resources, often by swarming them with repeated requests, which knocks them out. LaBrea is honeypot software that cooks up a fake machine with virtual ports with virtual vulnerabilities for a cracker to play with.

A honeypot is software that attracts hostile activity by masquerading as a vulnerable system. While it’s running, the honeypot gathers information about attackers and their techniques and patterns. Honeypots distract crackers from more valuable machines on a network, and provide early warning about attacks and exploitation trends.

LaBrea was conceived in the aftermath of the Code Red worm attack in July 2001, when software developer Tom Liston posted an idea on the INTRUSIONS list at incidents.org for a means of combatting the constant scanning of his IP addresses and ports. A port scan is a method used by crackers to determine what ports are open or in use on a system in a network. By using various tools a cracker can send data to TCP or UDP ports one at a time. Based on the response received the port scan utility determines if that port is in use. The cracker uses this information to focus his efforts to exploit weaknesses on the ports that are open.

Liston’s idea got a positive response from Mihnea Stoenescu, who used a modified version of a comprehensive security program called Couic. Tom hacked Couic for his purpose and called it CodeRedneck. He further improved CodeRedneck to fake machines with fake vulnerabilities — in essence creating the honeypot which he now called LaBrea.

LaBrea keeps a watch to see if someone is trying to find a free IP address on your network. LaBrea looks for address resolution protocol (ARP) requests without any ARP replies to see whether that IP is in use. When LaBrea sees this behavior it assumes this is a cracker port-scanning your system, and creates an ARP reply with a bogus MAC address and sends it back to the requester. This helps determine the IP address of the port scanner.

LaBrea then listens to all incoming traffic to the bogus MAC address it just created. To convince the attacker that he is talking to a real machine, LaBrea allows TCP connections. The cracker sends an SYN (synchronize) packet, which is acknowledged with a SYN/ACK (acknowledgment). You can configure LaBrea to keep track of its activity in a log file or display it on your screen.

Please note that there are legal implications in some countries for using honeypots. For instance, some countries have laws against wiretapping, and in one sense, implementing a honeypot can be seen as a serious violation of wiretapping law [why?].

Setting it up

If the law doesn’t deter you, it’s easy to try LaBrea. Download it, and make sure your system also has libdnet, on which LaBrea is dependent.

As root, first install the libdnet RPM:

rpm -i libdnet-1.7-0.1.fc2.dag.i386.rpm

Next extract the LaBrea tarball and install it:

tar -zxvf labrea-2.5-stable-1.tar.gz
cd labrea
./configure --wth-libdnet=/usr
make
make install

LaBrea also needs to be run as root.

LaBrea has lots of switches. Understand which ones to use for better results. For instance:

labrea -i eth1 -o -v -z

This invokes LaBrea in the verbose (-v) mode sending all the log info to stdout (standard output) instead of syslog (-o). To specify which interface LaBrea listens to, specify the -i switch. The -z option turns off nag messages that your LAN cards might not support.

Testing the setup

To test your new software, find a machine on your network and try to ping an unused local IP address. After three ‘Request timed out’ messages you should start getting a response. You can increase or decrease the time period that LaBrea takes to respond using the -r switch.

On the machine you just set up, you’ll see the IP address of the machine from which the ping originated.

Now for the real stuff. Run Nessus on a free IP address. It’ll find the address as valid. On my network it reported security holes and security warnings on my unoccupied IP! Nmap showed more than 2,000 open ports and the services running on the virtual machine!

A honeypot like LaBrea is a useful security tool that complements intrusion detection systems and firewalls.

Mayank Sharma is a freelance technology writer and FLOSS migration consultant in New Delhi, India.

– Write for us – and get paid! –

NewsForge has determined that The SCO Group, which purports to have ownership of all Unix System V code, was actually fishing for usage of its proprietary code in Linux systems when it filed a lawsuit March 3 against multinational automaker DaimlerChrysler. The lawsuit alleged only that DaimlerChrysler had not recertified with SCO Group the use of its old Unix code, as required by the original 1990 contract between Chrysler Motors Corp. (now DaimlerChrysler) and AT&T Information Systems (which owned the Unix code at that time).

In fact, DaimlerChrysler proved that it had complied with the original contract by certifying its use of Unix System V code with SCO Group 11 weeks (on April 6, 2004) before Michigan Judge Rae Lee Chabot’s dismissal of most of the case on July 21. DaimlerChrysler IT manager Norman Powell did this by attesting that no SCO-owned code had been used in DaimlerChrysler’s shop for more than seven years, thus there were no CPUs to be counted. (With thanks to Pam Jones at Groklaw, see DaimlerChrysler’s Motion for Summary Dismissal, dated April 15, 2004.)

DaimlerChrysler: Full compliance with agreement

“DaimlerChrysler has provided SCO with a certification that complies with the express requirements of Section 2.05 (of the original contract with AT&T Information systems),” the company said on Page 24 of its 54-page Motion for Summary Dismissal. “Specifically, the DaimlerChrysler letter provides SCO with the required information about Designated CPUs (explaining that none are in use); certifies that an authorized person reviewed DaimlerChrysler’s use; and states that no software product licensed under the subject agreement is being used or has been used in more than seven years, and as a result, there is full compliance with the provisions of the subject agreement,” DaimlerChrysler said.

SCO Group then accepted DaimlerChrysler’s certification response, company spokesman Blake Stowell told Newsforge. In effect, an out-of-court agreement was reached, although it was not made public. At this point, SCO Group could have dropped the litigation, but its counsel elected not to do so.

“We’re satisfied that DaimlerChrysler did finally certify their compliance with the existing software agreement,” SCO Stowell said.

Then why didn’t SCO Group drop the suit, after its customer (DaimlerChrysler) offered its explanation of compliance on April 6?

“One of the reasons our lawyers decided to pursue the case is that I think they wanted to investigate further whether DaimlerChrysler had any possible misuse of our code within Linux in their systems,” Stowell said on Monday.

However, the SCO lawyers’ plan backfired when Judge Chabot stuck to the letter of the contract, which dealt strictly with certification of Unix System V code usage. As it turned out, DaimlerChrysler “was not obligated to tell us anything about their use of Linux,” Stowell said.

More litigation to come?

Will SCO Group continue its investigation into whether DaimlerChrysler is somehow misusing proprietary Unix code in its Linux systems?

“I don’t know,” Stowell said. “I can’t answer that. It’s up to our lawyers.”

For this particular case, SCO Group retained the Southfield, Mich., firm of Seyburn, Kahn, Ginn, Bess and Serlin. A call to case lead attorney Joel Serlin Monday afternoon was not returned to NewsForge.

Detroit-based DaimlerChrysler spokeswoman Mary Gauthier, who did not return calls requesting comment today, told ComputerWorld on July 21 — the day of the judgment — that “we are pleased with the judge’s ruling, and we look forward to finally resolving the one open issue.”

Stowell said he does not believe SCO Group will pursue the final point in the Michigan case that is still open — that SCO Group wants to know why DaimlerChrysler didn’t respond to the certification request in a reasonable amount of time.

In fact, DC responded to SCO on April 6 — about a month after the lawsuit was filed — explained its legal point of view, and offered certification information. This information is all included in the motion filed on April 15. That meant DaimlerChrysler took about three and a half months to respond to SCO’s first letter on Dec. 18, 2003 requesting an accounting of its Unix System V code.

Bob Findlay writes

“Back in December iCanProgram.com announced that it would be offering its
online “Introduction to Linux Programming” courses without fees in return
for a voluntary donation to Cancer Research by the participants. These donations were made in memory of one of our founding partners who lost her own battle with Cancer last summer.

This “learning for charity” formula has been a success far beyond our expectations. We have now offered our courses under this format to over 350 students worldwide.

For those of you who missed out the first time round there are still openings in the 2 remaining courses that will be offered in the 2002 spring session.

The 02 Apr edition of the

Introduction to Linux Programming course has room.

The 02 Apr edition of our newest advanced Linux Programming course titled

Linux Programming the SIMPL way
has room as well.

m as well.

Thanks once again to all those who have participated so far and given so generously to the cause of fighting Cancer.”

From Earthweb Networking and Communications:
“This article is a followup to an article entitled The Myth of Open Source Security Revisited. The original article tackled the common misconception
amongst users of Open Source Software(OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence
taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal
evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of
the discovery of security vulnerabilities.”

Anonymous Reader writes “In a long interview, Miguel de Icaza discusses everything from why he thinks .NET is a good idea to the reason .GNU and Mono are at odds to the importance of Linux in third-world countries (and the future of Linux in general) to what makes programmers tick.”

From Avogato: “Apparently Compaq/Digital have been working on something called Vesta, a configuration management system, for about 10 years. It’s been ported to Linux and LGPL’d. It’s quite a bit different from CVS/etc.”

Slashdot readers discuss a shootout at NetworkComputing.com comparing free, Open Source Darwin Streaming Server to Real and Windows Media. The Slashdot intro says Darwin Streaming Server “edged out costly and closed source Windows Media & RealVideo streaming systems. Well, it edged out Real. It blew Microsoft away.”

LinuxPlanet has the review: “Bynari software’s new InsightConnector is a Windows-side utility that does the magic necessary to enable any IMAP4 (Internet Mail Access Protocol, Version 4) mail server to look and work like an Exchange mail server, supporting Outlook email, calendaring, scheduling, and related message traffic. The deep dark secret of Outlook calendaring is that it’s all done using specially formatted email messages under the covers.”

ComputerWorld .com has a story talking about two recent security vulnerabilities related to Linux. Analysts and corporate IT types say the security issues don’t change their minds about the general security of Linux. One manager of network services said “he found the Linux community to be far more responsive than traditional, proprietary operating system vendors when security issues have cropped up, issuing fixes and patches quickly and publicly.”