Deception Tool Kit
The Deception Tool Kit (DTK) is available from http://www.all.net/dtk/dtk.html.
Whether or not this is a security tool is a matter of some
argument. The premise of it is that rather than silently shutting
off attackers by providing no service at dangerous ports, you
instead provide them with misleading and incorrect information. For
example, an attack on the POP3 server might indicate that root has
one message, and if that message is retrieved, it explains that
mail services are presently erratic, and advises them to check back
later. An attack on sendmail requesting the passwd file responds
with a fake passwd file, and so on. Services can be set so that
they appear to produce a core dump, etc. All of this is handled by
a scripting language, so you can tailor your site individually.
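As an added illustration of the POP3 behaviour described above (this is example code written for this page, not DTK's own script or its scripting language), a small table-driven POP3 decoy: any login is accepted, the mailbox holds exactly one message saying mail is erratic, and every line the peer sends is kept for an audit log. The class and function names, the notice text and the log format are my own assumptions.

```python
# Constructed bait message; the decoy never touches a real mailbox or password file.
ERRATIC_NOTICE = (
    "From: postmaster\r\nSubject: mail service\r\n\r\n"
    "Mail services are presently erratic. Please check back later.\r\n"
)

class Pop3Decoy:
    """Minimal fake POP3 state machine: one mailbox, one canned message."""

    def __init__(self):
        self.state = "AUTH"        # AUTH -> TRANS -> DONE, as in real POP3
        self.user = None
        self.transcript = []       # every peer line, for the audit log

    def handle(self, line):
        """Return the decoy's reply to one client line."""
        self.transcript.append(line)
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "QUIT":
            self.state = "DONE"
            return "+OK bye\r\n"
        if self.state == "AUTH":
            if cmd == "USER":
                self.user = arg
                return "+OK\r\n"
            if cmd == "PASS" and self.user is not None:
                self.state = "TRANS"   # any password "works"; the bait is the mailbox
                return "+OK 1 message\r\n"
            return "-ERR\r\n"
        if self.state == "TRANS":
            if cmd == "STAT":
                return f"+OK 1 {len(ERRATIC_NOTICE)}\r\n"
            if cmd == "LIST":
                return f"+OK 1 messages\r\n1 {len(ERRATIC_NOTICE)}\r\n.\r\n"
            if cmd == "RETR" and arg == "1":
                return f"+OK {len(ERRATIC_NOTICE)} octets\r\n{ERRATIC_NOTICE}.\r\n"
            return "-ERR\r\n"
        return "-ERR\r\n"

def run_session(lines, peer="test-peer"):
    """Drive one decoy session offline; return (replies, audit log lines)."""
    decoy = Pop3Decoy()
    replies = [decoy.handle(l) for l in lines]
    audit = [f"{peer} {sent.strip()!r}" for sent in decoy.transcript]
    return replies, audit
```

Wiring `Pop3Decoy.handle` to a socket listener on the port you would otherwise close turns it into a live trap; the audit lines are what you would forward to your logging host.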
Is this a good thing? Some think so, but others disagree
strongly. The author has published both positive and negative
comments at the web site above, and there is enough material there
to get you thinking, anyway.
One of the more interesting aspects of this is that you can
optionally turn on the "dtk" port (365). Access to that port will
then return a text string that warns that DTK is active. The string
identifies your system (though it doesn't have to tell the truth;
in testing this I had my system claiming to be a Linux machine!)
and is supposed to warn intruders that you are running DTK. Of
course, you might not be, and that's part of the idea, to increase
the FUD (Fear, Uncertainty and Doubt) factor. Hackers might not
waste time if they aren't sure whether the responses to probes are
real or faked. But enabling that is, of course, optional: and that,
too, is part of the uncertainty.
DTK can work in conjunction with TCP Wrappers or simply by itself (on
ports you would otherwise shut off entirely). Or you could mix
things up, shutting off most things, but setting DTK traps on
others. If you do decide to use this, and aren't going to advertise
the use on port 365, I'd suggest that you modify the response files
so that it at least isn't immediately obvious that it is in use.
Even if you do advertise, you should do this so that it is harder
to tell which services are real and which are fake. You should also
carefully read the negative comments at the web site. To my mind,
one of the most dangerous actions is returning a fake passwd or
shadow file based on the users in your real file (that's the
default). In my opinion, any real information about your site
increases your vulnerability. There's also the possibility that DTK
itself might be hacked (though we do, of course, run that risk with
everything), and that you might accidentally be opening a door to
your system that would have been better left closed.
On the other hand, you usually cannot close everything, or at
least you can't have a very useful system that way. So, perhaps
sprinkling a little deception here and there might at least
momentarily confuse and slow down an attack. As DTK also logs all
activity, that delay might give you the opportunity to prevent the
As I said at the outset, there is opinion on both sides of this.
I'd have to say that at the moment, I personally lean toward
careful and judicious use of this on a limited basis, but I'm
hardly a security expert, so consider that opinion as less than
Sometimes we do this by accident
On a modern Linux machine, /etc/services would show
linuxconf 98/tcp # Linuxconf HTML access
A current OS X box shows
tacnews 98/udp # TAC News
tacnews 98/tcp # TAC News
So what is TAC news? According to WHAT-NIC.TXT, it is:
TAC Info offers login help for DISN Comm Server and TAC users, including the
list of Comm Server and TAC dial-up numbers.
DISN is the Defense Information Services Network, the U.S. Department of Defense infrastructure network.
So, someone scanning port 98 and finding it either thinks you are running Linuxconf over HTTP and hopes to exploit it or thinks you are part of the DOD and are running TAC News. Both of those are probably unlikely.
© 2012-07-22 Tony Lawrence