Degreaser is a tool to detect network tarpits,
also known as "sticky honeypots,"
via active probing/fingerprinting. Currently, degreaser can reliably
detect instances of LaBrea
and iptables tarpit.
Degreaser is currently under active development;
please contact us for
details or more information.
Among available network security defenses is the class of deceptive
network strategies. More advanced deception includes not only providing a
believable target, but actively influencing the adversary through deceit.
Degreaser permits detection of network tarpits. We wish to understand
how tarpits influence network measurement studies, and advance
the realism of current network tarpits, thereby
raising the bar on tarpits as an operational security mechanism.
- Degreaser: A network scanning tool to detect tarpits.
- Degreaser-iptables: A set of iptables-modules used to detect and avoid network tarpits.
Uncovering Network Tarpits with Degreaser
Lance Alt, Robert Beverly, and Alberto Dainotti
Proceedings of Annual Computer Security Applications
New Orleans, LA, December 2014 (to appear).
Lance Alt and Robert Beverly
CAIDA Topology Workshop, May 2014
A Technique for Network Topology Deception
Samuel Trassare, Robert Beverly, and David Alderson
Proceedings of the Military Communications Conference (MILCOM 2013),
San Diego, CA, November 2013.
We periodically probe large portions of the IPv4 Internet in a
randomized fashion. These probes involve establishing the TCP
three-way handshake (e.g. sending TCP SYN and SYN-ACK packets),
terminating the TCP connection with a FIN, sending upto 19 bytes
of data, and performing TCP window probing. While the exact
sequence of probe packets varies (see our ACSAC paper for the
full algorithm), in the common case we send only a single packet
to a given IP address, and at most six packets. If you have received
a degreaser probe from us and do not wish to be probed, please
contact us with your netblock and we will add you to our