deceptive defense - wear down the attackers and all their port scanners and so forth
	Copyright (c), 1998, Fred Cohen - All Rights Reserved

NOTICE: By taking this copy, you agree that all updates and modifications
will be reported back to us, that you will only use it to defend systems and
not to figure out how to attack them, that we retain all right to the
software provided to you and any revisions, enhancements, or derivative
works that may result from it, that you will retain all copyright notices on
all copies you distribute elsewhere, and that anyone you give it to will
also agree to these terms. 

Configuring, installing, and otherwise setting up DTK is described in the
download.html file that comes with DTK.

dtk - Deception ToolKit

Level 1:
	At the outer edges, place sterile male bees to catch the honey hunters

	A program on every port that:
		emulates the legitimate service without providing it
		is secure against attacks including denial
		gives the appearance of success for a little while
		provides indications and warnings information and logs attempts

		Example: tftp
			responds to get /etc/passwd with a fake password
			file - when decrypted via Crack, either yields
			complex passwords that don't work - OR
			passwords that tell the attacker they have been had
			sends details of all attack attempts to a log file
			alerts system/network admins to activities

		Example: sendmail
			responds to all known sendmail attacks by imitating the
			fault while actually providing no such service. The
			users use POP to get mail from a remote server.
			sends details of all access attempts to a log file
			alerts system/network admins to activities

Level 2:
	Within the system, every repaired flaw generates a detection routine which
	also cuts off the attacker (or places them in a chroot environment)

		Example: buffer overrun protected by a wrapper - if the
			wrapper input size limit is exceeded, it generates a
			log of the attempt and puts the user into a chroot
			play world from now until they talk to the admin
			alert admins to attempt

Level 3:  Within a business function, reports cross between related
	computers at high(er) frequency than unrelated systems and response
	reflects the current threat environment.

------------------------------------------------------------------
			RESPONSE FILES
file names:
	23.response	to respond to telnet
	nnn.response	to respond to port nnn

formats for response files:

tab separated fields as follows:

Comments:
	# anything in a line starting with a # is a comment

Orders:
	!	variable	value	comments
	sets $variable=value in program for timeout, maxloops, debug

State machine:
	# anything is ignored as a comment
	State	!	Nextstate Continue Operation Stimulus Response	Match STIMULUS -> response
	State	!O	Nextstate Continue Operation Response		Match One Time Password -> response
	State	!A	Nextstate Continue Operation Response		Match Algorithmic Identification -> response
	State	M!patternmatch!	Nextstate Continue Operation Response	Match patternmatch -> response
	State	/patternmatch/	Nextstate Continue Operation Response	Match patternmatch -> response
	State	word	Nextstate Continue Operation Response		Match first word -> response

	State	Input	NexStat	Continue	Operation	Response

	State:		name of state (I use 0, 1, etc. but strings are allowed). Always start at 0

	Input:		all lower case EXCEPT for START, ERROR, NIL, NOTICE, and ! which are special cases

	Next State:	 name of the state to go to after doing this output

	Continue:	0 for exit - 1 for remain operating

	Operation:	default	= print the response with no trailing <crlf>,
			1	= print the response and adds a <crlf>,
			cat	= output from the file specified in the response field
			-echo	= echo response and turn off echo
			+echo	= echo <CRLF>response and turn on echo
			@	= start new response profile from next field
			exec	= exec a process (login for example)
			infocon	= List the Infocon states and times
			special	= special coding for altered states
				for example, special in.telnetd	allow	allows telnet from the current IP
				for example, special in.telnetd	deny	denies telnet from the current IP
				for example, special all	deny	denies all from the current IP

	Response:	the output

	Exceptions:	State NOTICE program-name arguments
				runs program-name with arguments to notify administrators of events
				unlike everything else, this is done upon entry into state - before input

			State ! NexStat Exit lf/file match-for action
				if match-for appears anywhere in the input line, do the rest

			State /reg-exp/ NexStat Exit lf/file action
				if the reg-exp regular expression matches anything in this input, trigger

A mild example comes from a fake port 25 program:

# State	Input	NexStat	Exit	lf/file	output/filename
# comment lines start with the pound sign (#)
# we are faking sendmail version 8.1.2/8.1.3
!	timeout		30	# 30 second timeout per command
!	maxloops	15	# 15 commands at most
0	START	0	1	1	220 all.net ESMTP Sendmail 8.1.2/8.1.3;
0	ERROR	0	1	1	500 Command unrecognized - please say "Helo"
0	help	0	1	1	214-No help available
# if they say helo, we acknowledge and go to state 2
0	helo	1	1	1	250 all.net, pleased to meet you
0	quit	0	0	1	221 all.net closing connection
# if you don't get anything - just ignore it and wait
0	nil	0	1	0
# we got a Helo request
# it contained something with /etc/passwd in it - let's simulate a big hole
1	!	4	1	cat	/etc/passwd	@fake.passwd
# this regular expression matched something in the input line - let's simulate a big hole
1	/cat\spasswd/	4	1	2	@fake.passwd
1	mail	2	1	1	250 proceed
1	rcpt	1	1	1	500 Must say "HELO" first
1	help	1	1	1	214-No help available
1	quit	1	0	1	221 all.net closing connection
1	nil	1	1	0	
1	ERROR	1	0	1	500 Server Configuration Error - all.net closing connection
# even a rcpt - this guy's good!!!
2	rcpt	3	1	1	250 proceed end with a '.'
2	help	2	1	1	214-No help available.
2	quit	2	0	1	221 all.net closing connection
2	nil	2	1	0	
2	ERROR	2	0	1	500 Server Configuration Error - all.net closing connection
# getting mail - what do I do?!?!?
3	nil	1	1	1	500 Mailbox full - please start again
3	ERROR	3	0	0	500 Server Configuration Error - all.net closing connection
# I sent them a password file - better notify the authorities
4	NOTICE	/dtk/notify.pl	Email	fc@all.net Just sent a password file to an attacker - sendmail exploit
4	NIL	0	1	1	214-Unknown configuration error
4	ERROR	0	0	0	500 Server Configuration Error - all.net closing connection
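A minimal interpreter for this response-file format, added here as an illustration and not part of DTK itself: it applies the documented matching rules (START on connect, NIL on empty input, a `!` line's match-for anywhere in the input, first-word match, ERROR as the fallback, NOTICE on entry into a state) and returns the responses and notifications a session would produce. It assumes rules are tried in file order within a state, that the client's first word is lowercased before matching, that sessions start in state 0, and it leaves the `/regex/` form and the `!` order lines out; `cat`, `@` and `exec` operations are returned tagged rather than performed, and SAMPLE is a constructed excerpt of the profile above.

```python
def parse_response(text):  # tab-separated DTK response-file lines -> rule dicts, kept in file order
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()             # anything after '#' is a comment
        if not line.strip() or line.startswith('!'):     # skip blanks and '!' order lines (timeout, maxloops)
            continue
        f = line.split('\t')
        if f[1] == 'NOTICE':                             # runs on entry into the state, before any input
            rules.append(dict(state=f[0], kind='notice', prog=f[2], args=f[3:]))
            continue
        rule = dict(state=f[0], nxt=f[2], cont=f[3], op=f[4], resp='\t'.join(f[5:]))
        if f[1] == '!':                                  # match-for anywhere in the input; it precedes the action
            rule.update(kind='sub', pat=f[5], resp='\t'.join(f[6:]))
        else:                                            # first word of the input, or START/ERROR/NIL
            rule.update(kind='word', pat=f[1])
        rules.append(rule)
    return rules

def run_session(rules, client_lines):  # drive the state machine over client lines -> (outputs, notices, state)
    state, outputs, notices = '0', [], []               # assumption: every session starts in state 0
    def lookup(kind, test):                              # first matching rule of this kind for the current state
        return next((r for r in rules if r['state'] == state and r['kind'] == kind and test(r)), None)
    def fire(rule):                                      # emit the response per Operation, then change state
        nonlocal state
        if rule is None: return True                     # nothing matched and no ERROR rule: stay put
        op, resp = rule['op'], rule['resp']
        text = resp + '\r\n' if op == '1' else resp if op in ('', '0') else '[%s] %s' % (op, resp)
        if text:
            outputs.append(text)
        if rule['nxt'] != state:
            state = rule['nxt']
            notices.extend((r['prog'], r['args']) for r in rules if r['state'] == state and r['kind'] == 'notice')
        return rule['cont'] == '1'                       # Continue: 1 keeps the session open, 0 exits
    fire(lookup('word', lambda r: r['pat'] == 'START'))
    for line in client_lines:
        word = line.split()[0].lower() if line.split() else None
        rule = (lookup('word', lambda r: r['pat'].upper() == 'NIL') if word is None else  # profiles mix nil/NIL
                lookup('sub', lambda r: r['pat'] in line) or
                lookup('word', lambda r: r['pat'] == word) or lookup('word', lambda r: r['pat'] == 'ERROR'))
        if not fire(rule): break
    return outputs, notices, state

SAMPLE = "\n".join([                                     # constructed excerpt of the fake-sendmail profile above
    "0\tSTART\t0\t1\t1\t220 all.net ESMTP Sendmail 8.1.2/8.1.3;",
    "0\tERROR\t0\t1\t1\t500 Command unrecognized - please say \"Helo\"",
    "0\thelo\t1\t1\t1\t250 all.net, pleased to meet you",
    "1\t!\t4\t1\tcat\t/etc/passwd\t@fake.passwd",
    "4\tNOTICE\t/dtk/notify.pl\tEmail\tfc@all.net Just sent a password file to an attacker",
    "4\tNIL\t0\t1\t1\t214-Unknown configuration error"])
```

Running `run_session(parse_response(SAMPLE), ["HELO x", "get /etc/passwd", "", "frobnicate"])` walks states 0, 1, 4 and back to 0, with the NOTICE recorded on entry into state 4.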

------------------------------------------------------------------
		HOSTSERV FILE

The HostServ file specifies actions associated with ports for IP addresses
in a similar way to how TCP-wrappers operates.

HostServ file format:

	Service		Host-Spec	Action

	Service:= Port number of the affected service[s]
		specified as a series of comma-separated regular expressions
			regex,regex,regex,...

	Host-Spec:=IP address(es) of the affected host[s]
		specified as a series of comma-separated regular expressions
		regex,regex,regex,...

	Action:=What to do if this case occurs, to wit:
		DTK		run default DTK service for port (nnn.response)
		/etc/in.telnetd	run /etc/in.telnetd (anything starting with '/')
		nnn.response	run DTK responder for port nnn

	# Comment lines start with '#'

	The following line is appended to whatever file you provide:
		.*	.*	DTK
		which implements DTK on all ports for all IP addresses

An example may be helpful:

# This is a sample HostServ file for DTK

#Service		Host-Spec			Action

# incoming email from 1.2.3.* EXCEPT 1.2.3.4 runs sendmail - others get deception
# 4.3.2.2 gets telnet deception on incoming email port (a bit strange)
25			1.2.3.4				DTK
25			1.2.3.*				/var/adm/sendmail
25			4.3.2.2				23.response
25			.*				DTK

# allow 1.2.3.4 and 4.3.2.1 to use telnet, others get deception
23			1.2.3.4				/var/bin/in.telnetd -s
23			4.3.2.1				/var/bin/in.telnetd -s
23			.*				DTK

# all previously unspecified services from 1.2.3.4 or 101.202.303.404 run /dtk/deception
.*			101.202.303.404			/dtk/deception
.*			1.2.3.4				/dtk/deception

The HostServ file is loaded at the startup of each deception port's daemon.
This means that if you change the HostServ file you need to restart the
daemon for any affected ports before those changes will take effect on those
ports. In implementation, the HostServ file is read once at startup, lines
not relating to the port this daemon is running on are thrown out, and each
time an incoming connection causes a process to be forked, the HostServ table
is checked sequentially to decide what to do.
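A Python model of the HostServ lookup just described, added here as an example and not DTK's own code: it loads the file once for one daemon's port, appends the default `.* .* DTK` line, and returns the first line (in file order) whose Host-Spec matches a connecting address. It assumes each regular expression must match the whole port number or address (the text does not say whether matches are anchored), and SAMPLE is a copy of the example file above.

```python
import re

DEFAULT_RULE = ".*\t.*\tDTK"   # appended to whatever HostServ file is provided

def load_hostserv(text, port):
    """Parse HostServ lines and keep only those whose Service regexes can match this
    daemon's port, as the daemon does once at startup. Returns [(host regexes, action)]."""
    rules = []
    for raw in text.splitlines() + [DEFAULT_RULE]:
        line = raw.strip()
        if not line or line.startswith('#'):               # comment lines start with '#'
            continue
        service, host, action = line.split(None, 2)        # action may carry arguments, e.g. "... -s"
        # assumption: whole-field match, so a Service of "2" does not match port 25
        if any(re.fullmatch(rx, str(port)) for rx in service.split(',')):
            rules.append(([re.compile(rx) for rx in host.split(',')], action))
    return rules

def resolve_action(rules, client_ip):
    """Sequential check: the first rule whose Host-Spec matches the client wins."""
    for host_res, action in rules:
        if any(rx.fullmatch(client_ip) for rx in host_res):
            return action
    return None   # not reached once the default rule has been appended

def describe_action(action, port):
    """Map an Action field to what the daemon does: DTK -> nnn.response for this port,
    a leading '/' -> run that program, anything else -> the named DTK responder."""
    if action == 'DTK':
        return ('responder', '%d.response' % port)
    if action.startswith('/'):
        return ('exec', action)
    return ('responder', action)

SAMPLE = """# constructed copy of the sample HostServ file above (fields are tab separated)
25\t1.2.3.4\tDTK
25\t1.2.3.*\t/var/adm/sendmail
25\t4.3.2.2\t23.response
25\t.*\tDTK
23\t1.2.3.4\t/var/bin/in.telnetd -s
23\t4.3.2.1\t/var/bin/in.telnetd -s
23\t.*\tDTK
.*\t101.202.303.404\t/dtk/deception
.*\t1.2.3.4\t/dtk/deception
"""
```

Because the first matching line wins, the port-25 rules give 1.2.3.4 deception while the rest of 1.2.3.* reach the real sendmail, exactly as the comments in the sample file intend.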
