From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 19981212
---------------------------------------------
Date: Sat, 12 Dec 1998 01:28:31 -0500
From: Thomas H Jones II

dtk@all.net wrote:
>From: sen_ml@eccosys.com
> > i was wondering whether the following idea was doable/possible using
> > dtk:
> >
> > -install dtk on a spare host (preferably unused for anything else)

possible

> > -bind all unused ip addresses to the spare host's nic

rather straightforward, unless you're attempting to bind more IPs than normally allowed by file descriptor limits. In which case, you'll have to tune the kernel to up the limit (and possibly reconsider why you have so many free IPs).

> > -have the host 'behave' differently depending on which ip address it
> > is addressed as -- to simulate the illusion of multiple different hosts.
> > for differing ip addresses, can the host be made to appear as if it
> > is running different os-s? or different versions of particular services?

This is fairly easily done on a host running xinetd. xinetd is a drop-in replacement for inetd, and allows you to bind services to different IPs. In fact, I used this on one system to provide one login environment for users coming in via one IP and another login environment for users coming in on a different IP. Relatively straightforward to set up.

[...]

-tom

---------------------------------------------
From: "Simson L. Garfinkel"
Date: Fri, 11 Dec 1998 17:17:34 -0500

>[If anybody on the list knows how to do this without handling packets as
> raw - please forward details and I will try to implement this - FC]

It's pretty easy. You use the sockets library to get the IP address of the destination socket. I have working code. Used it in a network simulation system to make 1 machine look like 1000.

---------------------------------------------
Date: Fri, 11 Dec 1998 17:29:44 +0000
From: "Bjarni R. Einarsson"

> > -have the host 'behave' differently depending on which ip address it
> > is addressed as -- to simulate the illusion of multiple different hosts.
> > for differing ip addresses, can the host be made to appear as if it
> > is running different os-s? or different versions of particular services?

Hiding which OS you are using is going to be hard - tools such as queso are becoming more common all the time (queso recognizes 'quirks' from different OS's TCP/IP stacks). OTOH, someone recently posted to the Linux-kernel mailing list a list of patches to the Linux kernel which defeat queso, various port scanners not blocked by DTK, and does all sorts of other neat paranoid things - but you'll never be able to choose many IP stacks for the same machine..

Check: http://www.progressive-comp.com/~hlein/hap-linux/

> This is an idea I have played with but not yet implemented. It's fairly
> easy to do in terms of the operation of DTK, but I think you have to do
> something to inetd so that it doesn't assume one IP address. You also

Check out the inetd alternative at: ftp://ftp.rtc-one.net/j/g2s/

[FC - I have looked at this and it looks reasonably comprehensive, but a bit hard to configure properly and somewhat complex. It is also quite Beta in that there may be lots of still unknown vulnerabilities in the server. Previous holes have been found and fixed. I have not examined the code yet.]

IIRC this program combines the capabilities of inetd and tcpd into one, as well as adding some new features. I think one of the features was the ability to offer a different set of services on different IP addresses. This program has quite a long list of features that could definitely come in handy for people using DTK or other things like it. It's still in development - so if DTK needs some specific support for it it should be possible to influence the author. Or, since it's GPL'ed it could be fixed..

It's also possible that xinetd has the functionality you are looking for.

> have lots of problems with the IP stack I think, but I'm not yet sure.

No, Linux at least and probably any other OS which supports multiple IP addresses should handle this very nicely.

( Btw, FC, the @shell.response file in v0.8 still has the working directory hard-coded in. :-)

[FC - refixed for the next distribution - the person building in the infocon levels was not aware of these changes.]

---------------------------------------------
Date: Fri, 11 Dec 1998 09:37:44 -0700 (MST)
From: Dax Kelson

On Fri, 11 Dec 1998 dtk@all.net wrote:
...
> [If anybody on the list knows how to do this without handling packets as
> raw - please forward details and I will try to implement this - FC]

tcpserver by Dan Bernstein is a replacement for inetd+tcpwrappers. It has support for binding to specific IP addresses.

ftp://koobera.math.uic.edu/www/ucspi-tcp.html

[FC - This server is limited to TCP only - but seems to operate on a lot of different systems]

---------------------------------------------
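As an added illustration of the approach Tom (xinetd per-IP services) and Simson (ask the sockets library for the destination address) describe in the digest above, and not code from DTK or from any of the posters: a Python listener bound to all local addresses that calls getsockname() on each accepted connection and answers with a banner chosen by the address the client connected to. The personality table, the banner strings and the loopback addresses are constructed for this example.

```python
import socket

# Constructed per-address "personality" table (example data, not DTK's):
# the address a client connected TO decides which service the host pretends
# to run. On Linux the whole 127/8 block is local, so both work on loopback.
PERSONALITIES = {
    "127.0.0.1": b"220 mail.example.net ESMTP Sendmail 8.9.1\r\n",
    "127.0.0.2": b"220 ProFTPD 1.2.0 Server ready.\r\n",
}
DEFAULT_BANNER = b"220 service ready\r\n"


def banner_for_address(local_ip):
    """Banner for a destination address; unknown aliases get a generic one."""
    return PERSONALITIES.get(local_ip, DEFAULT_BANNER)


def banner_for(conn):
    """getsockname() on the *accepted* socket is the local (destination) end,
    so one listener on 0.0.0.0 (or on many aliases) can act as a different
    'host' per address without ever touching raw packets."""
    return banner_for_address(conn.getsockname()[0])


def serve_one(listener):
    """Accept one connection, send its banner, return (destination ip, banner)."""
    conn, _peer = listener.accept()
    with conn:
        banner = banner_for(conn)
        conn.sendall(banner)
        return conn.getsockname()[0], banner


def demo(connect_ip="127.0.0.1"):
    """Self-contained loopback round trip; returns the banner the client saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", 0))      # every local address, kernel-chosen port
    listener.listen(1)
    port = listener.getsockname()[1]
    # The kernel completes the handshake into the backlog, so connecting
    # before accept() needs no second thread on loopback.
    client = socket.create_connection((connect_ip, port))
    try:
        dest_ip, sent = serve_one(listener)
        seen = b""
        while len(seen) < len(sent):          # gather the whole banner
            chunk = client.recv(len(sent) - len(seen))
            if not chunk:
                break
            seen += chunk
    finally:
        client.close()
        listener.close()
    assert dest_ip == connect_ip             # the server saw the alias we dialled
    return seen


if __name__ == "__main__":
    print(demo().decode().strip())
```

The same getsockname() lookup is what an inetd replacement does internally when it offers a different service set per bound address.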