What:
Degreaser is a tool to detect network tarpits, also known as "sticky honeypots," via active probing/fingerprinting. Currently, degreaser can reliably detect instances of LaBrea and iptables tarpit. Degreaser is currently under active development; please contact us for details or more information.
Why:
Among available network security defenses is the class of deceptive network strategies. More advanced deception includes not only providing a believable target, but actively influencing the adversary through deceit. Degreaser permits detection of network tarpits. We wish to understand how tarpits influence network measurement studies, and advance the realism of current network tarpits, thereby raising the bar on tarpits as an operational security mechanism.
Code:
- Degreaser: A network scanning tool to detect tarpits.
- Degreaser-iptables: A set of iptables-modules used to detect and avoid network tarpits.
Output:
- Uncovering Network Tarpits with Degreaser. Lance Alt, Robert Beverly, and Alberto Dainotti. Proceedings of the Annual Computer Security Applications Conference (ACSAC), New Orleans, LA, December 2014 (to appear).
- Degreaser. Lance Alt and Robert Beverly. CAIDA Topology Workshop, May 2014.
- A Technique for Network Topology Deception. Samuel Trassare, Robert Beverly, and David Alderson. Proceedings of the Military Communications Conference (MILCOM 2013), San Diego, CA, November 2013.
Who:
Abuse:
We periodically probe large portions of the IPv4 Internet in a randomized fashion. These probes involve establishing the TCP three-way handshake (e.g. sending TCP SYN and SYN-ACK packets), terminating the TCP connection with a FIN, sending up to 19 bytes of data, and performing TCP window probing. While the exact sequence of probe packets varies (see our ACSAC paper for the full algorithm), in the common case we send only a single packet to a given IP address, and at most six packets. If you have received a degreaser probe from us and do not wish to be probed, please contact us with your netblock and we will add you to our do-not-probe list.
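The probe steps listed above, modelled as an added example that is not degreaser's code: each step's response is recorded, and a target is called tarpit-like only when it completes the handshake, then ignores both the FIN and the data, and answers a window probe with a zero window (the persist behaviour a tarpit uses to hold a peer). The `Responder` model, the sample targets and the verdict rules are assumptions for illustration, not the algorithm from the ACSAC paper.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Responder:
    """Constructed stand-in for a remote host: how it answers each probe step."""
    name: str
    syn_ack_window: Optional[int]      # window in its SYN-ACK; None = no SYN-ACK at all
    acks_fin: bool                     # does it acknowledge our FIN?
    acks_data: bool                    # does it acknowledge data we send?
    probe_reply_window: Optional[int]  # window in its reply to a window probe; None = silence


def probe(target: Responder, data_len: int = 19) -> dict:
    """Drive the steps listed on the page (handshake, FIN, data, window probe) against a
    modelled responder; return what was observed and how many packets were sent."""
    obs = {"packets_sent": 1}                   # SYN
    if target.syn_ack_window is None:
        obs["verdict"] = "no-response"          # no SYN-ACK: nothing to fingerprint
        return obs
    obs["packets_sent"] += 1                    # ACK that completes the handshake
    obs["syn_ack_window"] = target.syn_ack_window
    obs["packets_sent"] += 1                    # FIN
    obs["fin_acked"] = target.acks_fin
    if target.acks_fin:
        obs["verdict"] = "real-host"            # a normal stack acknowledges the FIN
        return obs
    obs["packets_sent"] += 1                    # one data segment (up to 19 bytes on the page)
    obs["data_len"] = min(data_len, 19)
    obs["data_acked"] = target.acks_data
    if target.acks_data:
        obs["verdict"] = "real-host"
        return obs
    obs["packets_sent"] += 1                    # window probe
    obs["probe_reply_window"] = target.probe_reply_window
    # Assumed rule (not the paper's algorithm): a peer that accepted the connection but
    # ignores FIN and data and keeps a zero window is holding us in persist, i.e. tarpit-like.
    obs["verdict"] = "tarpit" if target.probe_reply_window == 0 else "inconclusive"
    return obs


# Constructed sample targets; the window values are illustrative, not measured.
SAMPLE_TARGETS = {
    "real": Responder("real", 65535, True, True, 65535),
    "tarpit": Responder("tarpit", 10, False, False, 0),
    "silent": Responder("silent", None, False, False, None),
}
```

Running `probe(SAMPLE_TARGETS["tarpit"])` shows the full five-packet sequence, while a silent target costs a single SYN, matching the page's note that the common case is one packet.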
Funding: