Intrusion Deception: The 'Tar Trap' Approach to Web Application Security
Juniper's Mykonos Software goes on the offense with a novel approach against brute force authentication and directory traversal attacks.
The deception of one's enemies is a time-tested strategy that dates back to Sun Tzu's The Art of War. Applied to the context of web application security, "intrusion deception" software tricks hackers into thinking they are about to hit the jackpot -- when in fact they've simply been lured into a tar trap whose real purpose is to detect and disable their attack.
Mykonos Software's Web Intrusion Prevention System works by inserting bogus server files, forms, and URLs into web applications. Deployed in front of any website or web application, the software inserts the tar traps at serve time and never actually touches the application server. Normal users never see the traps, which can only be found by malicious hackers. The company claims that its technology can detect hackers with absolute certainty and zero false positives during the reconnaissance phase of the attack.
In a new release of Mykonos, the software is now going a step further with a series of new protections that make it even more difficult and time-consuming for attackers to go after two common attack vectors: directory traversal and brute-force authentication. The new release is the first since Mykonos was acquired by Juniper in February 2012 for $80 million in cash.
Directory Traversal? Check Out These Bogus Files
In a directory traversal attack, hackers run automated tools against a site -- trying to spider it and get a map of all the hidden files and directories that are present. The risk with this type of attack is that files that are normally not exposed can be discovered and mined for sensitive information such as passwords and configuration settings.
Kyle Adams, Chief Architect of Mykonos, told eSecurity Planet that the risk of directory traversal is not something that a Google search would typically uncover. Adams explained that in a directory traversal attack, attackers have a list of common file names that are searched for with a custom tool. These are files that are not linked anywhere else in the site and could include items that are not intended for public disclosure.
"What we're doing is identifying people that are probing for random files that don't exist," Adams said. "Once we identify the attacker, then the Mykonos system responds back that the files do exist."
Since the attack tool is recursive, the bogus responses send the attacker into a feedback loop that could last forever. So if the attacker is looking for an admin file, they will find a bogus file created by Mykonos that goes nowhere.
"Google will only spider resources that are referenced from the site," Adams said. "Google will not say there is a readme file if it's not referenced anywhere, whereas that hacker tool will pick that file up."
Legitimate searchers are not likely to be requesting a large number of files that don't exist, which limits the risk of blocking real users. The Mykonos system identifies the malicious directory traversal attempt based on the number of attempts.
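The probe-counting and bogus-file behaviour described above, as an added illustration written for this article (not Mykonos code). It assumes a five-miss threshold, a fixed list of real files standing in for the application, and a small constructed stand-in for a recursive discovery tool that follows every link it is given:

```python
import hashlib
import re
from collections import defaultdict

PROBE_THRESHOLD = 5  # assumption: this many misses marks a client as a probing tool


class TarTrapProxy:
    """Deception layer in front of a site: hypothetical stand-in, not Mykonos code."""

    def __init__(self, real_files, threshold=PROBE_THRESHOLD):
        self.real_files = set(real_files)
        self.threshold = threshold
        self.misses = defaultdict(int)  # client -> requests for files that don't exist
        self.flagged = set()            # clients identified as probing tools

    def handle(self, client, path):
        # Real content is served unchanged to everyone; the app server is never touched.
        if path in self.real_files:
            return 200, f"<real content of {path}>"
        self.misses[client] += 1
        if self.misses[client] >= self.threshold:
            self.flagged.add(client)
        # A legitimate user who mistypes one or two URLs still gets an honest 404.
        if client not in self.flagged:
            return 404, "Not Found"
        # An identified scanner is told the file exists and is fed a page that
        # references more nonexistent files, so a recursive tool keeps going.
        return 200, self._bogus_file(path)

    def _bogus_file(self, path):
        # Deterministic child names derived from the path, so the fake tree looks stable.
        seed = hashlib.sha256(path.encode()).hexdigest()
        children = [f"{path.rstrip('/')}/{seed[i:i + 6]}.bak" for i in (0, 8)]
        links = "".join(f'<a href="{c}">{c}</a>' for c in children)
        return f"<html><body>{links}</body></html>"


def simulate_recursive_tool(proxy, client, seeds, max_pages=20):
    """Constructed stand-in for a recursive file-discovery tool: requests each seed,
    follows every link in any 200 response, and stops at max_pages.
    Returns (pages processed, whether work still remains)."""
    queue = list(seeds)
    seen = 0
    while queue and seen < max_pages:
        status, body = proxy.handle(client, queue.pop(0))
        seen += 1
        if status == 200:
            queue.extend(re.findall(r'href="([^"]+)"', body))
    return seen, bool(queue)
```

Once a client is flagged, every bogus page adds two more links than it consumed, so the tool's queue only grows; a user who typed one bad URL never crosses the threshold and keeps getting plain 404s.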
Brute Force? Your Inputs Have Been Changed
The other improvement to the Mykonos system is new brute-force authentication protection. In a brute-force attack, the attacker tries to gain unauthorized access to a system or application by trying out myriad passwords until one works. The traditional way that security systems have dealt with brute-force attacks is by blocking IP addresses based on the number of bad password entries. The Mykonos approach is a bit more devious and is designed to confuse the attacker and waste their time and resources.
The Mykonos system looks for failed logins to specific accounts. For example, if someone tries to log in as Joe Smith five times and provides the wrong password, the system will serve up a CAPTCHA. The CAPTCHA is the first step, and then if the attacker figures out how to get around the CAPTCHA, Mykonos has a layer of defensive deception.
"At a certain point, when we see that a particular user has failed to login a certain number of times, we say that from that point forward, for anyone that tries to login to that particular user, we'll mess up the password," Adams said.
So if the attacker attempts to log in to the Joe Smith account with the password Joe123, the Mykonos system will actually change the input to be something else. As a result, when the attacker submits a password, it will come back as invalid, even if they submitted the correct password.
"So someone that is doing a brute force attack, they will have to test every possible combination of passwords and even if they guess it correctly the response will come back as invalid," Adams said. "That's pretty effective against brute force attacks."
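The two-layer account protection above (CAPTCHA after five failures, then corrupted input), as an added illustration written for this article rather than Mykonos's own code. The deception threshold of ten failures, the plaintext sample account and the HMAC-based corruption are all assumptions made for the example:

```python
import hmac
import secrets
from collections import defaultdict
from hashlib import sha256

CAPTCHA_AFTER = 5   # page: five wrong passwords for one account triggers a CAPTCHA
DECEIVE_AFTER = 10  # assumption: failures after which submitted passwords are corrupted


class DeceptiveLoginGuard:
    """Account-level brute-force deception: hypothetical stand-in, not Mykonos code."""

    def __init__(self, accounts):
        # accounts maps username -> password; constructed sample only. A real
        # system stores salted hashes and would compare against those instead.
        self.accounts = accounts
        self.failures = defaultdict(int)     # counted per account, not per IP
        self.salt = secrets.token_bytes(16)  # makes the corruption unpredictable

    def _corrupt(self, password):
        # Replace the submitted input with an unrelated value before checking,
        # so even the correct password cannot match the stored one.
        return hmac.new(self.salt, password.encode(), sha256).hexdigest()

    def login(self, username, password, captcha_solved=False):
        n = self.failures[username]
        # First layer: after CAPTCHA_AFTER failures, require a CAPTCHA.
        if n >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        # Second layer: once the account is under attack, mess up the password.
        if n >= DECEIVE_AFTER:
            password = self._corrupt(password)
        if self.accounts.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "invalid"


def guess_all(guard, username, candidates, captcha_solved=True):
    """Run a constructed password list against one account and report whether any
    attempt was accepted; this is the attacker's view once deception is active."""
    return any(guard.login(username, c, captcha_solved) == "ok" for c in candidates)
```

Note that once the deception stage is reached the account owner's correct password is rejected too, so a deployment needs an out-of-band way to clear the counter for the legitimate user.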
While the Mykonos system is not technically defined as a Web Application Firewall (WAF), the new release now supports WAF signatures as well. Adams noted that Mykonos now supports the open source mod_security WAF ruleset. With the mod_security rules, Mykonos will also be able to block known web application threats.
Moving forward, the Mykonos software is still in the process of being integrated into Juniper's larger overall portfolio of solutions. Adams noted that they are still figuring out the different API and integration points.
By Paul Rubens
May 30, 2012