https://medium.com/sensorfu/scanners-beware-welcome-to-the-network-from-hell-86989f29f17b

Scanners Beware: Welcome to the Network from Hell

Ville Ailunka, published in SensorFu, 6 min read, 1 day ago

Introduction

Networks form the backbone of modern systems, and malicious actors probe them constantly for the next weak link. But what if we could turn the tables and force attackers to question their assumptions and strategies? That is what our project sets out to achieve. Developed as part of the University of Oulu's Software Project course for SensorFu, our approach draws inspiration from Tom Liston's LaBrea tarpit, which traps malicious scans in a "sticky" environment. Building on this idea, we built a defense that not only slows scans but actively disrupts and deceives the scanner. By flooding an intruder with false data we turn defense into offense, leaving them unsure of what is real. Instead of evading threats, we force attackers to confront an unpredictable and invisible adversary: confusion becomes the defender's weapon, and the scanner becomes the prey.

How does scanning work?

Network scanning is a common reconnaissance tactic used by attackers to gather information about a system. At its core, scanning means identifying live hosts, discovering open ports, and detecting services or operating systems. On a local network segment the process typically begins with the scanner broadcasting an Address Resolution Protocol (ARP) request for every address in the range. ARP does not cross routers, so this only works from inside the same broadcast domain, which is exactly the position an attacker is in after gaining a foothold on an internal network. If a device is configured with the requested IP address, it answers with its Media Access Control (MAC) address, revealing its presence; an address with no device behind it produces no reply at all.
Once live hosts are identified, the scanner shifts its focus to finding open ports. For TCP this means sending a SYN packet to each port and watching the response: a SYN-ACK means the port is open, a RST means it is closed, and silence usually means a firewall dropped the probe. A full connect scan completes the handshake with a final ACK, so the application behind the port sees a real connection and typically logs it. To avoid that, attackers often use a half-open (SYN) scan: when the SYN-ACK arrives the scanner tears the connection down with a RST instead of completing the handshake, so the service never sees a connection, although the packets are still visible to anything watching the wire. Tools like Nmap, Masscan, and Nessus rely on exactly these methods, ARP requests for discovery and TCP half-open scans for ports, to probe networks for vulnerabilities. Picking these scans out of normal traffic is difficult. Sophisticated attackers use low-and-slow techniques, probing only a few ports at a time to stay under rate-based thresholds, which is why traditional defenses often struggle to identify and block scanning activity.

Network scanning isn't limited to external reconnaissance. In many attacks, after exploiting a known vulnerability to gain initial access to the internal network, attackers scan the environment to map it and identify connected systems. By uncovering high-value targets such as sensitive databases or critical servers, they can plan their next steps. These scans show how attackers keep adapting to evade detection and maximize the impact of their campaigns.

Payback time

But what if you could turn this challenge into an opportunity? If you suspect your network is being scanned, it's time to fight back. That's where our solution comes in: a tool designed specifically for internal networks, one that doesn't just defend but creates chaos for the attacker. Here's how it works. When a scanner broadcasts ARP requests to map the network, our solution watches for requests that nobody answers. Most scanners send three requests per IP address. Our solution lets the first two requests pass unanswered to check whether a real device exists at that IP.
If no device responds, it answers the third request with an ARP reply carrying its own MAC address, creating the illusion of a real device at that address. In effect, we populate the network with imaginary machines, tricking the scanner into believing it has struck gold. But it doesn't stop there. When the scanner then probes the imaginary hosts for open TCP ports by sending SYN packets, our solution adds a second layer of disruption: it answers with SYN-ACKs, but only after a fixed delay. The delay for a single port may seem minor, but a scanner keeps only a limited number of probes in flight and waits for each answer, so the impact compounds when it scans a thousand ports on each of hundreds of virtual devices. The result is overwhelming false positives, wasted time, and mounting frustration as the scans yield no actionable data.

In the first test, we scanned the range 172.19.0.0/24 with the command nmap 172.19.0.0/24 in a Docker environment without our software running. The scan completed in about two seconds and identified three active hosts. This result served as the baseline for evaluating our solution's impact. With our solution deployed, the same scan produced dramatically different results:

* Detected hosts: Nmap reported 256 active hosts, one for every address in the /24, the additional ones all being imaginary devices created by our software.
* Scan duration: the scan took over 7,500 seconds (more than 2 hours) to complete.

Even after the scan finishes, the attacker still has to analyze and verify the results. This delay gives network administrators a window to spot the intrusion and patch vulnerabilities before the attacker can act. We also tested with nmap -sS 172.19.0.0/24, which explicitly selects a half-open SYN scan (like the default run, it covers Nmap's 1,000 most common ports). Without our software the scan completed in roughly two seconds, again identifying three active hosts. With our solution, Nmap detected 256 active hosts and needed over 7,700 seconds to finish.

Testing was also conducted in real network environments. For example, the nmap -A command was tested against a single IP address.
The -A option enables OS detection, version detection, script scanning and traceroute, a thorough scan meant to gather as much information as possible about the target. The scan took over six hours to complete for just one host, and that host was an imaginary one created by us specifically to slow and deceive the scanner. For comparison, the same command run against an IP with a real device that had two TCP ports open took roughly 10 seconds.

This solution isn't a replacement for firewalls, intrusion detection systems (IDS), or other traditional defenses. It works alongside them as an additional layer. By turning the attacker's own tactics into a source of disruption, we tip the scales in favor of defenders: in a network running our solution, scanners become mired in false data, delays, and confusion, buying administrators time to safeguard critical systems.

Summary

Our solution offers a practical approach to network defense: the ability to deceive and disrupt malicious actors while buying time to respond. Imagine a network with 254 usable IP addresses, of which only 10 have active devices. With our solution you can populate the remaining 244 addresses with "imaginary" machines, so the network appears to teem with active devices. Attackers waste time scanning and verifying false targets and struggle to tell real devices from decoys, while your team uses that disruption to strengthen defenses and stay ahead of the intrusion.

Unlike defenses that require extensive infrastructure, our solution is lightweight and easy to deploy: a single machine per broadcast domain is all it takes, since the tool only needs to see the ARP requests on that segment and answer for the unused addresses. This makes it suitable for large organizations, small businesses, and individuals seeking to secure their systems without high cost or complexity.
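As an added example, not code from the sensorfu/ants project, the decision logic described in "How does scanning work?" and "Payback time" above, simulated in pure Python with constructed scanner events instead of raw sockets: the tarpit answers the third unanswered ARP request for an address, retires the address as soon as any real device answers for it, and holds every SYN-ACK for a fixed delay. The thresholds, the event format, the MAC and IP addresses, and the scanner model (a fixed window of unanswered probes) are all assumptions made for the illustration.

```python
import heapq
from dataclasses import dataclass, field

# Assumed parameters, not taken from the sensorfu/ants project.
ARP_REQUESTS_BEFORE_REPLY = 3   # answer the third unanswered ARP request for an address
SYN_ACK_DELAY_S = 2.0           # hold every SYN-ACK this long before sending it


@dataclass
class Tarpit:
    """Decision engine for the ARP + delayed-SYN-ACK deception (simulation only)."""
    fake_mac: str
    real_hosts: set = field(default_factory=set)    # IPs a real device has answered for
    arp_counts: dict = field(default_factory=dict)  # IP -> unanswered ARP requests seen
    claimed: set = field(default_factory=set)       # IPs we currently impersonate
    _queue: list = field(default_factory=list)      # heap of (due_time, serial, packet)
    _serial: int = 0

    def on_arp_reply(self, ip, mac):
        """A real device answered for ip: never impersonate it and drop any claim."""
        self.real_hosts.add(ip)
        self.arp_counts.pop(ip, None)
        self.claimed.discard(ip)

    def on_arp_request(self, target_ip, requester_mac):
        """Return the spoofed ARP reply to send for a broadcast request, or None."""
        if target_ip in self.real_hosts:
            return None
        if target_ip in self.claimed:               # already ours: answer immediately
            return self._arp_reply(target_ip, requester_mac)
        count = self.arp_counts.get(target_ip, 0) + 1
        self.arp_counts[target_ip] = count
        if count < ARP_REQUESTS_BEFORE_REPLY:
            return None                              # give a real host the chance to answer
        self.claimed.add(target_ip)
        return self._arp_reply(target_ip, requester_mac)

    def _arp_reply(self, ip, to_mac):
        return {"type": "arp-reply", "ip": ip, "mac": self.fake_mac, "to": to_mac}

    def on_tcp_syn(self, now, src_ip, src_port, dst_ip, dst_port, seq):
        """Queue a SYN-ACK for a claimed address; return its send time, or None."""
        if dst_ip not in self.claimed:
            return None
        # ack must be the probe's seq + 1, or the scanner cannot match the reply
        # to its probe and treats the port as unanswered.
        pkt = {"type": "syn-ack", "src": (dst_ip, dst_port), "dst": (src_ip, src_port),
               "ack": (seq + 1) & 0xFFFFFFFF}
        due = now + SYN_ACK_DELAY_S
        self._serial += 1                            # tie-breaker: the heap never compares dicts
        heapq.heappush(self._queue, (due, self._serial, pkt))
        return due

    def next_due(self):
        return self._queue[0][0] if self._queue else None

    def pop_due(self, now):
        """Return every delayed packet whose send time has arrived."""
        out = []
        while self._queue and self._queue[0][0] <= now:
            out.append(heapq.heappop(self._queue)[2])
        return out


SCANNER_MAC = "02:00:00:00:00:01"   # constructed addresses for the simulation
REAL_MAC = "02:00:00:00:00:99"


def simulate_discovery(tarpit, targets, real_ips, arp_retries=3):
    """Replay a scanner ARP-sweeping `targets`; return the IPs that appeared alive."""
    alive = []
    for ip in targets:
        for _ in range(arp_retries):
            spoofed = tarpit.on_arp_request(ip, SCANNER_MAC)
            if ip in real_ips:                        # the real device answers this request
                tarpit.on_arp_reply(ip, REAL_MAC)
                alive.append(ip)
                break
            if spoofed:                               # the tarpit answered instead
                alive.append(ip)
                break
    return alive


def simulate_syn_scan(tarpit, target_ip, ports, window=2):
    """Scanner keeping at most `window` probes unanswered (a crude model of a scanner's
    congestion window). Returns (seconds elapsed, ports that looked open)."""
    if target_ip not in tarpit.claimed:
        raise ValueError("only decoy addresses are modelled; a real host answers at once")
    now, in_flight, pending, open_ports = 0.0, 0, list(ports), []
    while pending or in_flight:
        while pending and in_flight < window:
            port = pending.pop(0)
            tarpit.on_tcp_syn(now, "10.0.0.1", 40000 + port, target_ip, port, seq=1000 + port)
            in_flight += 1
        now = tarpit.next_due()                       # nothing to do but wait for a reply
        for pkt in tarpit.pop_due(now):
            open_ports.append(pkt["src"][1])
            in_flight -= 1
    return now, sorted(open_ports)


if __name__ == "__main__":
    pit = Tarpit(fake_mac="02:00:00:00:00:42")
    targets = [f"10.0.0.{i}" for i in range(2, 10)]
    print("alive:", simulate_discovery(pit, targets, real_ips={"10.0.0.5"}))
    print("claimed by tarpit:", sorted(pit.claimed))
    print("1000 ports on one decoy:", simulate_syn_scan(pit, "10.0.0.2", range(1, 1001), window=10))
```

Two practical points the simulation makes explicit. The ack number of the delayed SYN-ACK has to be the probe's sequence number plus one, otherwise the scanner discards the reply and the port simply looks filtered rather than open. And on_arp_reply must retire an address the moment any real device answers for it, because DHCP clients checking a lease and hosts waking from sleep also announce themselves through ARP, and a decoy that keeps answering would cause real address conflicts. Scanner retry counts and timeouts differ between tools, so the three-request threshold is something to measure against the scanners you actually expect.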
In summary, our solution complements existing cybersecurity measures by adding a dynamic layer of protection that delays, disrupts, and confuses attackers. Lightweight yet powerful, it lets you take control of your network security with minimal effort. Deploy our solution today and experience the future of proactive defense!

* GitHub - sensorfu/ants: https://github.com/sensorfu/ants
* LaBrea - Intro: LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP... https://labrea.sourceforge.io

* Toni Perälä: https://www.linkedin.com/in/toni-per%C3%A4l%C3%A4-03908b223/
* Tuukka Reinikka: https://www.linkedin.com/in/tuukkareinikka/
* Ville Ailunka: https://www.linkedin.com/in/ville-ailunka-45601a2a5/