Camouflaging Servers to Avoid Exploits

The goal of this research is to increase attacker workload by camouflaging servers. Server vulnerabilities are dependent on the specific operating system or server type, version, service pack, and/or patch level. Protocol definitions offer considerable flexibility to developers, and as a result it is possible to fingerprint a particular server by communicating with it using either legitimate or malformed traffic. This fingerprint information provides a roadmap that allows an attacker to select an appropriate exploit and compromise the server. This paper describes a general camouflage capability that presents a false server fingerprint. The capability is implemented as a table-driven finite state machine that operates across the protocol stack, simultaneously falsifying both operating system and service properties. The false fingerprint may be created to provide known vulnerabilities, that if exploited can trigger an alert or honeypot the attacker. The camouflage has been demonstrated by disguising a Microsoft Exchange 2008 server running on Windows Server 2008 RC2 to appear as a Sendmail 8.6.9 server running on Linux 2.6. Both the nmap and Nessus network scanners were deceived into incorrectly identifying the Exchange server. It is important to recognize that camouflage need not be a perfect deception: it is sufficient to sow enough confusion that an attacker is unable to take timely actions.