{"title":"Honey Infiltrator: Injecting Honeytoken Using Netfilter","authors":"Daniel Reti, Tillmann Angeli, H. Schotten","doi":"10.1109/EuroSPW59978.2023.00057","DOIUrl":null,"url":null,"abstract":"Deception based cyber security is already well-established in form of honeypots, honeytoken and moving target defense. With these techniques, attacks can be detected, slowed down or prevented. Many techniques to deploy such deception measures have been researched. In this paper, a novel technique is proposed, where honeytoken are deployed in application traffic through a layer 2 network bridge. This way its functions similarly to a reverse-proxy, but is ’invisible’ in the sense that it does not need its own network address. This makes the installation and integration easier, and does not require any alteration of existing systems in the network. This functionality is made possible by the use of various modifications to the iptables firewall on the network bridge and libnetfilter queue and Scapy for capturing packets and passing them to the user space for processing. In this work a proof of concept implementation for injecting decoy web pages into TCP traffic is presented. Thereby it is shown that both simple and complex modifications or inventions of TCP packets on the network bridge are possible. 
Existing packets can be modified, for example by adding a HTML comment to the response of a requested HTML webpage, and decoy HTML pages can be created.","PeriodicalId":220415,"journal":{"name":"2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EuroSPW59978.2023.00057","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
Deception-based cyber security is already well established in the form of honeypots, honeytokens and moving target defense. With these techniques, attacks can be detected, slowed down or prevented. Many techniques to deploy such deception measures have been researched. In this paper, a novel technique is proposed in which honeytokens are deployed in application traffic through a layer 2 network bridge. This way it functions similarly to a reverse proxy, but is 'invisible' in the sense that it does not need its own network address. This makes installation and integration easier and does not require any alteration of existing systems in the network. This functionality is made possible by various modifications to the iptables firewall on the network bridge, together with libnetfilter_queue and Scapy for capturing packets and passing them to user space for processing. In this work, a proof-of-concept implementation for injecting decoy web pages into TCP traffic is presented. It thereby shows that both simple and complex modifications or inventions of TCP packets on the network bridge are possible. Existing packets can be modified, for example by adding an HTML comment to the response of a requested HTML webpage, and decoy HTML pages can be created.