Changing the web hacking landscape

1 post in this topic

I've recently been looking into intrusion deception systems, specifically the Mykonos Juniper solution (see

for an overview). Essentially it is a proxy that sits in front of your webserver and injects/strips code served by the webserver to place 'tar traps' that entice an attacker during the early phases of an attack. It attempts to profile the attacker on a per-machine basis according to the severity of their activities. It attempts to track them by placing various "persistent tokens" (cookies, browser-specific storage, multimedia framework storage (Flash, Silverlight), client-side JavaScript storage, clever use of ETag values): so independent of and more intelligent than simple IP tracking. The injected code points are numerous and configurable, making it very difficult to tell whether the object you are playing with is a true resource of the website or a tar trap until you've already "tripped a wire", at which point the system may be remediating you: slowing your connection, presenting a captcha if it thinks you are a bot, blocking your connection entirely, serving up broken pages, forcing log out, etc.

NB: this doesn't actually spot attacks, just spots the potential for attacks by looking for reconnaissance activity. It's not a web application firewall or IPS/IDS.

This approach goes a long way towards visibility of activities that are normally very difficult to spot, address or report on. It is also not very intensive to set up and configure and doesn't require an ever-updating list of signatures (let's be honest, signature systems are often a step or two behind).

From what I can tell, an attacker that:

- Uses a different VM for each recon activity or session
- Goes straight for blind attacks
- Is very efficient at cleaning their caches
- Uses a browser that stores absolutely nothing (or an application that isn't a browser)

may be able to thwart parts of the system tracking. Additionally, the system is not completely mature in terms of its clustering ability/data correlation, and I can see companies being very jumpy about anything that is going to sit in line between their SLB and webfarm, so it needs to be 100% proven. That said, people already do this with web application firewalls - I can see Mykonos-like functionality being incorporated into these appliances very soon.

Does anyone have any experience with this or similar systems? Does anyone have any of this software that can be tested?



EDIT - Some interesting info:

Open source persistent cookies: http://samy.pl/evercookie/

Mykonos blog about evercookie: http://blog.mykonossoftware.com/?p=142

Edited by wwwd40
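To make the mechanism described above concrete, here is an added toy model of an intrusion-deception proxy. It is not code from the post or from the Mykonos/Juniper product: the trap paths, the `ident` cookie name, the severity weights, the remediation thresholds and the sample request log are all constructed assumptions. It shows the three pieces the post describes: injecting trap references into an HTML response, tracking a client by a persistent token rather than by IP, and escalating remediation with the cumulative severity of trap hits.

```python
"""Toy intrusion-deception proxy (constructed example, not product code).

Three responsibilities mirror the description above:
  1. inject_traps()     - place fake resources ("tar traps") in HTML
  2. DeceptionProxy     - identify clients by a persistent token, not IP
  3. remediation_for()  - escalate response as trap-hit severity accumulates
"""
import re
import secrets
from dataclasses import dataclass, field

TOKEN_COOKIE = "ident"            # assumed name of the persistent-token cookie

# Assumed trap resources and the severity of requesting each one.
# None of these exist on the real site, so only link-following scanners
# or humans poking at "interesting" strings ever request them.
TRAP_PATHS = {
    "/.hidden-admin/": 3,         # fake admin panel, hidden anchor in the page
    "/backup.zip": 2,             # fake backup file named in an HTML comment
    "/api/v0/debug": 1,           # fake debug endpoint leaked in a JS variable
}

# Remediation ladder, keyed by cumulative score (assumed thresholds).
REMEDIATION = [(0, "none"), (2, "slow"), (4, "captcha"), (6, "block")]

TRAP_MARKUP = (
    '<!-- TODO remove before prod: /backup.zip -->'
    '<a href="/.hidden-admin/" style="display:none" aria-hidden="true"></a>'
    '<script>var debugEndpoint="/api/v0/debug";</script>'
)


def inject_traps(html: str) -> str:
    """Insert trap references just before </body> (appended if absent)."""
    match = re.search(r"</body>", html, re.IGNORECASE)
    if match:
        return html[:match.start()] + TRAP_MARKUP + html[match.start():]
    return html + TRAP_MARKUP


def remediation_for(score: int) -> str:
    """Highest ladder step whose threshold the score has reached."""
    action = "none"
    for threshold, name in REMEDIATION:
        if score >= threshold:
            action = name
    return action


@dataclass
class ClientProfile:
    token: str
    score: int = 0
    hits: list = field(default_factory=list)
    ips: set = field(default_factory=set)   # recorded, but not used as identity


class DeceptionProxy:
    def __init__(self) -> None:
        self.profiles: dict = {}

    def handle(self, request: dict) -> dict:
        """Score one request {ip, path, cookies} and return the decision.

        Identity comes from the token cookie; a client without one is
        minted a fresh token that the proxy would set on the response.
        """
        token = request.get("cookies", {}).get(TOKEN_COOKIE) or secrets.token_hex(8)
        profile = self.profiles.setdefault(token, ClientProfile(token))
        profile.ips.add(request["ip"])
        severity = TRAP_PATHS.get(request["path"])
        if severity is not None:
            profile.score += severity
            profile.hits.append(request["path"])
        return {"token": token, "score": profile.score,
                "remediation": remediation_for(profile.score)}


# Constructed request log: one tracked client trips three traps, the last
# one from a different IP address, and is still scored as the same client.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "path": "/", "cookies": {}},
    {"ip": "203.0.113.10", "path": "/", "cookies": {"ident": "c0ffee"}},
    {"ip": "203.0.113.10", "path": "/api/v0/debug", "cookies": {"ident": "c0ffee"}},
    {"ip": "203.0.113.10", "path": "/backup.zip", "cookies": {"ident": "c0ffee"}},
    {"ip": "198.51.100.7", "path": "/.hidden-admin/", "cookies": {"ident": "c0ffee"}},
]


def run_sample() -> list:
    """Replay the constructed log through a fresh proxy and return decisions."""
    proxy = DeceptionProxy()
    return [proxy.handle(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{req['ip']:>14} {req['path']:<18} score={decision['score']} "
              f"-> {decision['remediation']}")
```

The replay shows the point the post makes about token-based tracking: the fifth request arrives from a new IP but carries the same cookie, so it inherits the earlier score and pushes the client to "block". It also shows why the evasions listed in the post matter from the defender's side: a client that drops the token on every request starts each time as a fresh profile with score 0, which is the gap the product's other storage mechanisms (ETags, Flash/Silverlight storage, client-side JavaScript storage) are there to close.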
