Chaostables is a recently
code that provides a means to confuse an nmap
The author, Jan Engelhardt, has provided these capabilities as
both netfilter modules for Linux 2.6.18-20 and as iptables
He has an excellent
of what he is trying to accomplish and how he does it, as well.
Utilities like nmap (described in an LWN
article last year) are often
used by those with malicious intent to discover available hosts, open ports,
OS versions, and the like to help target their attacks. Chaostables seeks
to generate confusing results to these probes. To that end, Engelhardt
has derived a set of behaviors that correspond to these types of scans and
a set of rules to detect and deflect them.
Since 2.4, the standard way of doing Linux packet filtering is by using
the iptables utility which provides a userspace interface to the
netfilter kernel modules.
Netfilter provides a set of kernel hooks for
examining and manipulating network packets and is the framework for
Linux firewall implementations. Administrators define rules that identify
particular kinds of packets and specify what to do with them; those rules
are ordered and collected into chains which are then grouped into
tables. All of this packet policy can then be pushed into the kernel
via the iptables utility.
The chaostables rules start with dropping some ICMP packets that could
reveal the existence of the host and then start concentrating on the kinds
of packets sent by scanning utilities. Techniques like TCP stealth, SYN,
connect and grab scans are detected and dropped to attempt to hide the
host while still allowing 'real' network traffic. These
rules are then rolled up into the 'portscan' netfilter module in order
to reduce the complexity of the chains that need to be installed.
A second kind of chain provides ways to disguise the underlying system
by making Linux appear to be another OS entirely.
Network scanning utilities often try to throttle their scans when they detect
a system that limits the number of ICMP or RST packets sent per second.
Linux is not one of those kinds of systems, but the CHAOS chain makes it
look as if it is by limiting RST and ICMP packets to two per second.
It also uses the 'random' netfilter rule to generate negative responses
on closed ports only some of the time. The
net effect is that the scanner will get inconsistent results, sometimes ports
will appear closed and sometimes not with the added bonus of potentially
slowing down the scan.
The CHAOS chain can be combined with the
TARPIT chain to
cause ports to appear to be open when in fact they are not. This can slow
down a network scan as it attempts to elicit additional information from a
seemingly open port. The TARPIT chain can consume router and/or firewall
resources by appearing to be an open connection, so chaostables provides the
DELUDE chain. It will make ports appear to be open on an initial connect
(SYN), but revert to their true closed state for any additional traffic.
Chaostables is quite an interesting use of the netfilter technology and
probably uses it in ways that the authors never expected. It may
be that only the most paranoid of system administrators will want to implement
these chains, but they will be available if needed. In addition,
the techniques and code provided in the package are very useful as examples
for other applications.
to post comments)