Network Anti-Reconnaissance

Dan Petro

Tue, 19th February 2013

Speaker Bio 1:
By day, Dan "AltF4" Petro is a security researcher for DataSoft Corp, a small business in Tempe Arizona, where he focuses on developing open source tools for network security. He holds a M.S. in Information Assurance from Arizona State University where he studied network security and cryptographic protocols. By night, he is a rogue free software and privacy activist with a penchant for the dramatic. He is a lifelong hacker and member of the Phoenix 2600.

Reconnaissance on a network has been an attacker’s game for far too long, where’s the defense? Nmap routinely evades firewalls, traverses NATs, bypasses signature based NIDS, and gathers up the details of your highly vulnerable box serving Top Secret documents. Why make it so easy?

In this talk, we will explore how to prevent network reconnaissance by using honeyd to flood your network with low fidelity honeypots. We then discuss how this lets us constrain the problem of detecting reconnaissance such that a machine learning algorithm can be effectively applied. (No signatures!) We will also discuss some important additions to honeyd that we had to make along the way, and perform a live demonstration of our free software tool for doing all of the above: Nova.