
ITEC 230 Lab 3

Installation and Configuration of LaBrea: The “Sticky” Honeypot

Jeff Meadows
Executive Overview
For system administrators of the 21st century, the largest and most
persistent security threat to their networks is and has continued to be the
public Internet. Allowing their users Internet access while maintaining a safe
environment for internal computer networks has become a constant
paradox: an increase in interconnectivity and resource access also means
more potential security holes for attackers to exploit. Firewalls and Intrusion
Detection Systems have helped to lessen this conflict by managing
Internet/network access more intelligently, but security-minded sysadmins
are constantly looking for better methods to outwit and outhack those who
would attack their networks.

Recently, more and more attention has been focused on the usage of
specialized computers/network systems known as honeypots. Honeypots are
set up to look enticing to attackers, yet are completely non-functional: they
act as a decoy to draw attention away from actual systems such as web/mail
servers or protected internal networks. In addition to their distraction factor,
honeypots are also capable of monitoring and logging attacker activity for
review by the system admins: this allows the admins to gather information
about attackers and adjust security measures to block them more efficiently.

In this report, I will explain the theory, operation, and deployment of
LaBrea, an unconventional yet extremely clever application of the honeypot
concept. LaBrea is a piece of software targeted at slowing and indefinitely
tying up incoming port scans by manipulating loopholes in the TCP protocol:
this causes the port scans in question to bog down and wastes valuable
attacker time and resources.

Deploying small, low-powered systems with LaBrea on a network can
greatly reduce the amount of traffic generated by port scanners, as well as
help identify where, when, and from whom these attacks occur. Due
to the overwhelming amount of port scanning most networks now receive,
unconventional approaches such as LaBrea can be a welcome addition to a
secure network’s list of security measures.
LaBrea Installation and Deployment
The LaBrea software can be installed on most Linux/Unix distributions,
as well as older versions of Windows (XP/ Win 98). If installed on a Windows
machine, WinPcap must also be installed: LaBrea uses it to packetsniff and
find the ARP requests that it needs to virtualize machines. Linux users need
not worry about this if they use Ubuntu/Debian repositories: the LaBrea
packages there are configured to also download libdumbnet1, which handles
packetsniffing/spoofing functionality.

Before installing LaBrea, system administrators should give thought to
where the machine running LaBrea should be located on the network, as
this can have effects on the functionality and abilities of the IP-capturing
features LaBrea uses. It is highly recommended to ensure that the machine
running LaBrea be located on the same physical subnet that is to be
protected: the software should (if feasible) be located on a dedicated server
attached to the same switch/switches that the subnet to be protected uses
(low-power machines are fine; LaBrea is not a resource-intensive program). If
this is not possible LaBrea can also be installed on the server/machine used
to host firewalls and Intrusion Detection Systems, but care must be taken to
ensure that LaBrea is set to capture the correct network. So long as the ARP
requests the switch puts out can reach LaBrea’s machine, the software
should work as designed.

*Note: Before attempting any install of the LaBrea Tarpit/Honeypot
software, it is strongly recommended to read the Readme and Install files
that come with LaBrea (these have been included in the technical appendix).
LaBrea requires certain versions of WinPcap (v2.3, not v3.0) if it is to be run
on Windows, and requires both libdnet and libpcap to compile in a Unix
environment.*

Installation of LaBrea can be done with the apt-get command-line tool
(for Ubuntu/Debian systems), compiled from source, or with a Windows
executable application file. The source code folders and the Windows
executable can be found at Sourceforge:
http://sourceforge.net/projects/labrea/files/labrea/2.5-stable-1/. There is also a .rpm
file available for Red Hat/Suse systems. This report will focus primarily on the
installation of LaBrea from Ubuntu repositories using Apt, as this was how the writer
chose to install it. There are instructions for compiling LaBrea from source in the
Install file, should it be necessary.

Installing LaBrea using the apt-get command is as easy as installing any
other program: the simple command “apt-get install labrea” is enough to
begin the installation process. Superuser privileges may be necessary to
execute the command, and if there is any trouble locating the LaBrea
package try using “apt-get update” to ensure that your system’s package
index file is up to date (this can be necessary if packages get moved around
without your system’s knowledge).

LaBrea will also install several other packages it requires to run, namely
libc6, libdumbnet1, and libpcap. LibPcap is the Linux counterpart to WinPcap:
it enables packetsniffing. Libdumbnet, on the other hand, allows LaBrea
access to packet-manipulation abilities such as address spoofing. More
details on the LaBrea Ubuntu package can be found here:
http://packages.ubuntu.com/maverick/labrea.

After the apt-get tool has finished installing LaBrea, the administrators
of the network should thoroughly read the Man and Readme files. Once
installed, LaBrea must be run from the command line to take effect (this
provides administrators a chance to specify precisely how LaBrea should
operate, via command-line options). LaBrea must be run with
superuser privileges: failing to do so will result in the loss of several hours of
productivity trying to figure out why libdnet isn’t working (as you can
probably tell, the author knows this from experience). Before attempting to
run LaBrea from the command line, it is recommended you fully research what
each option/switch does, and design a customized command to fit your
network. More information is available in the Configuration section of this
report.

After running the LaBrea command, use the “ps -A” command to show
all the active processes on your machine. The process list generated is
usually quite long, so piping it into vi or gedit (any text editor with a search
function) should help. You should see something like this:

  PID TTY          TIME CMD
    1 ?        00:00:00 init
    2 ?        00:00:00 kthreadd
[…Redacted due to longness…]
 1737 ?        00:00:00 gvfs-gphoto2-vo
 1741 ?        00:00:00 labrea
 1750 ?        00:00:00 scsi_eh_2

This confirms that the LaBrea command was successful, and that LaBrea
is now running on your machine as an independent process.
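The deployment steps above (install with apt, start as root, confirm with ps) collected into one check script, as an added example that is not from the report or the LaBrea project. It assumes a Debian/Ubuntu host, the package names the report lists (libpcap0.8 being the Debian package for libpcap), and LaBrea's own command-line switches supplied by the operator through a hypothetical LABREA_OPTS variable.

```shell
#!/bin/sh
# Added example, not part of the report: pre-flight checks for the apt-based
# LaBrea deployment, then the "ps -A" confirmation step done programmatically.
# Assumptions: Debian/Ubuntu host, package names as listed in the report, and
# LaBrea's switches supplied by the operator in LABREA_OPTS (hypothetical).
set -u

# LaBrea needs root for libdnet/libpcap raw access; fail early rather than
# spending hours on a confusing libdnet error.
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "labrea must be started as root" >&2
        return 1
    fi
}

# Confirm every package the report names is actually installed.
check_deps() {
    missing=0
    for pkg in labrea libc6 libdumbnet1 libpcap0.8; do
        if ! dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q 'ok installed'; then
            echo "missing package: $pkg (try: apt-get update && apt-get install labrea)" >&2
            missing=1
        fi
    done
    return "$missing"
}
# Read "ps -A" output on stdin and print the PID of the labrea process.
# Returns 0 when found, 1 otherwise (the CMD column is the last field).
labrea_pid() {
    awk '$NF == "labrea" { print $1; found = 1 } END { exit found ? 0 : 1 }'
}

# Run the checks, start LaBrea (it detaches into the background by default),
# then verify it is still running, as the report does by hand with ps.
start_labrea() {
    require_root && check_deps || return 1
    labrea ${LABREA_OPTS:-} || return 1   # unquoted on purpose: split switches
    sleep 1
    if pid=$(ps -A | labrea_pid); then
        echo "labrea is running as PID $pid"
    else
        echo "labrea is not running after start; see its log output" >&2
        return 1
    fi
}

# Only act when invoked as "sh labrea-check.sh start"; sourcing is harmless.
if [ "${1:-}" = "start" ]; then
    start_labrea
fi
```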
*This document is a redacted version of the full Labrea report. Please contact
jeffkmeadows@gmail.com for a full version.*
