The Deception Tool Kit (DTK) is available from https://www.all.net/dtk/dtk.html.
Whether or not this is a security tool is a matter of some argument. The premise of it is that rather than silently shutting off attackers by providing no service at dangerous ports, you instead provide them with misleading and incorrect information. For example, an attack on the POP3 server might indicate that root has one message, and if that message is retrieved, it explains that mail services are presently erratic, and advises them to check back later. An attack on sendmail requesting the passwd file responds with a fake passwd file, and so on. Services can be set so that they appear to produce a core dump, etc. All of this is handled by a scripting language, so you can tailor your site individually.
Is this a good thing? Some think so, but others disagree strongly. The author has published both positive and negative comments at the web site above, and there is enough material there to get you thinking, anyway.
One of the more interesting aspects of this is that you can optionally turn on the "dtk" port (365). Access to that port will then return a text string that warns that DTK is active. The string identifies your system (though it doesn't have to tell the truth- in testing this I had my system claiming to be a Linux machine!) and is supposed to warn intruders that you are running DTK. Of course, you might not be- and that's part of the idea, to increase the FUD (Fear, Uncertainty and Doubt) factor. Hackers might not waste time if they aren't sure whether the responses to probes are real or faked. But enabling that is, of course, optional: and that, too, is part of the uncertainty.
DTK can work in conjunction with tcp wrappers or simply by itself (on ports you would otherwise shutoff entirely). Or you could mix things up, shutting off most things, but setting DTK traps on others. If you do decide to use this, and aren't going to advertise the use on port 365, I'd suggest that you modify the response files so that it at least isn't immediately obvious that it is in use. Even if you do advertise, you should do this so that it is harder to tell which services are real and which are fake. You should also carefully read the negative comments at the web site. To my mind, one of the most dangerous actions is returning a fake passwd or shadow file based on the users in your real file (that's the default). In my opinion, any real information about your site increases your vulnerability. There's also the possibility that DTK itself might be hacked (though we do, of course, run that risk with everything), and that you might accidentally be opening a door to your system that would have been better left closed.
On the other hand, you usually cannot close everything, or at least you can't have a very useful system that way. So, perhaps sprinkling a little deception here and there might at least momentarily confuse and slow down an attack. As DTK also logs all activity, that delay might give you the opportunity to prevent the next attack.
As I said at the outset, there is opinion on both sides of this. I'd have to say that at the moment, I personally lean toward careful and judicious use of this on a limited basis, but I'm hardly a security expert, so consider that opinion as less than well-informed.
On a modern Linux machine, /etc/services would show
linuxconf 98/tcp # Linuxconf HTML access
A current OS X box shows
tacnews 98/udp # TAC News tacnews 98/tcp # TAC News
So what is TAC news? According to WHAT-NIC.TXT, it is:
TAC Info offers login help for DISN Comm Server and TAC users, including the list of Comm Server and TAC dial-up numbers.
DISN is Defense Informaiion Services Network, the U.S. Department of Defense infrastructure network.
So, someone scanning port 98 and finding it either thinks you are running Linuxconf over HTTP and hopes to exploit it or thinks you are part of the DOD and are running TAC News. Both of those are probably unlikely.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2012-07-22 Tony Lawrence