
Mythic Natural History – Encapsulation

  • At October 16, 2009
  • By Josh More
  • In Mythology, Natural History

Yesterday (as I write this), I was privileged to attend the Iowa State University Cyber Defense Competition. The basic idea is that you have students build a handful of servers that must withstand attack from the “red team” while simultaneously providing services.

Though I generally specialize in Linux defense, I did manage some successful attacks against both operating systems. There was one team that watched the network and blocked some of the IP addresses that were attacking them. There was another that was hiding behind a firewall appliance. However, what was most interesting was the level of awareness that different teams had about what I was doing. Generally, once I connected via an encrypted session, the admins let me do whatever I wanted to do. I could try exploit after exploit with no interference at all. Odds are, if they were watching me at all, they were looking at network traffic. As such, I was hidden from their view due to encapsulation.

TechTarget defines encapsulation as: “In general, encapsulation is the inclusion of one thing within another thing so that the included thing is not apparent. Decapsulation is the removal or the making apparent a thing previously encapsulated.” … but this is boring. I could go on at length about how TCP/IP has layers like an onion (or an ogre), or I could just point you over to The TCP/IP Guide. However, since TCP/IP is also boring, I’ll let you go read about it yourself.

Instead, I want to talk about the Mayans. After the competition, I was relaxing at home by reading a book of Mesoamerican Myth, and I got to a part that told how Xbalanque and Hunahpu (let’s call them Xbally and Huna for short) were contacted by their grandmother. Apparently, the spread of the Internet had not reached the Yucatán Peninsula by 250 AD, so when their grandmother wished to send them a message, she didn’t send them an instant message. Instead, she told a louse.

Now, it is clearly ridiculous to think of a louse able to carry a message all the way to the Eastern end of the Earth (likely Tulum), which is why it was most fortunate that the louse was swallowed by a toad. The toad, of course, was eaten by a snake, which was gobbled up by a hawk. The hawk then flew to Xbally and Huna. Of course, the hawk could not give them the message directly. He had to first disgorge the snake, which spit up the toad, which vomited up the louse (you can’t keep a good louse down), which delivered the message. At which point, our pals Xbally and Huna went off to the underworld to work for some strangely-named underworld gods, avenge their father and otherwise exit the interesting part of our story.

See, the message couldn’t get there on its own. No matter how loud someone shouts, there’s a limited distance over which the message may be understood. Thus, it helps to encapsulate the message inside a louse (SSH). If anyone looks at the louse, they just think “eew, louse!” and not “hey, maybe that louse contains a secret message”. Even if the louse were cut open, it wouldn’t reveal anything other than louse guts. The message is well concealed.

However, even though a louse is a good way to hide in plain sight, it’s not so good at crossing distances. Particularly if the terrain is somewhat marshy. That’s why, if you don’t want the message to drown, you’d better put it in a toad (UDP). This way, the delivery is more robust.

(As an aside, I chose UDP over TCP for this analogy, because otherwise at the end of the story, Xbally and Huna would have to find another louse, give it a message that says that they got the message, shove it in the toad, feed the toad to the snake, let the hawk eat the snake and send the hawk back to their grandmother… and that would just be silly.)

A toad, however, doesn’t do so well in all environments. It may be able to hop over a desert, but it would take a while and it could get lost. That’s why toads are more comfortable inside of snakes (IP). The snake has a more complex brain and can remember more of the environment than a toad can. Thus, instead of just hopping from puddle to puddle in the hope that it’s going the right way, the snake can take a more direct route… within its own little area. Snakes are, alas, not so good at crossing barriers like mountains and chasms. For that, you want a hawk (Link Layer). The hawk is used to flying and tends to have a good solid understanding of its environment. When it flies, even if snake-laden, the hawk can get where it needs to go quite quickly by flying through the air (Layer 1).

Thus, by combining all four animals (or Link, IP, UDP and SSH), you can get a message securely to where it needs to go. True, these days we use somewhat obscure mechanisms to do so, but hey, these days lice are relatively rare.

It’s a good tradeoff.
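The four-animal stack in working code, as an added example that is not part of the original post: louse, toad, snake and hawk stand in for an encrypted payload, UDP, IPv4 and an Ethernet frame, `what_the_network_sees` is the view a traffic-watching admin gets, and `disgorge` peels the layers in the order the story gives them up. The addresses, ports, MACs, key and the toy XOR keystream standing in for SSH are all assumptions, not anything from the post.

```python
import hashlib, socket, struct

def ip_checksum(header):
    # RFC 791 one's-complement sum of 16-bit words; yields 0 for a header that verifies
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def louse(message, key):
    # SSH stand-in: toy keystream (SHA-256 of key||counter); NOT a real cipher
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(message) // 32 + 1))
    return bytes(m ^ k for m, k in zip(message, stream))

def toad(payload, sport, dport):
    # UDP header: src port, dst port, length, checksum (0 = none, legal over IPv4)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def snake(payload, src, dst):
    # 20-byte IPv4 header, protocol 17 (UDP); checksum is written in afterwards
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def hawk(payload, src_mac, dst_mac):
    # Ethernet II header: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + payload

def what_the_network_sees(frame):
    # A traffic-watching admin decodes link, IP and UDP, then stops at the louse
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": ip[9], "sport": sport, "dport": dport, "payload_len": ulen - 8}

def disgorge(frame, key):
    assert frame[12:14] == b"\x08\x00", "hawk carried no snake (not IPv4)"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    assert ip_checksum(ip[:ihl]) == 0, "snake is damaged (bad IPv4 checksum)"
    assert ip[9] == 17, "snake carried no toad (not UDP)"
    ulen = struct.unpack("!H", ip[ihl + 4:ihl + 6])[0]
    return louse(ip[ihl + 8:ihl + ulen], key)  # XOR keystream is its own inverse

# Constructed sample (made-up addresses and key): grandmother -> Xbally and Huna
GRANDMA, KEY = b"Come home; your father needs avenging.", b"xibalba-example-key"
FRAME = hawk(snake(toad(louse(GRANDMA, KEY), 40000, 2222), "192.0.2.10",
                   "198.51.100.7"), "020000000001", "020000000002")
```

Watching the wire gives you the outer three animals only: addresses, protocol, ports and a payload length, never the message itself.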

Security lessons from Nature – Playing Dead

  • At March 10, 2009
  • By Josh More
  • In Natural History

The natural world is resplendent with stories of animals that play dead. Some are well known, such as the opossum and the hognose and grass snakes. Others, such as the lemon shark, parasitic wasps and brittle stars are less well known. What is interesting, though, is that this behavior is common across many families of animals.

The root of this behavior is that an animal that is dead is likely less appetizing to an attacking predator than one that is alive. Some even go so far as to foul themselves and release blood from their mouths to be very convincing. In many cases, it works. The attacker looks at the critter, maybe paws it a bit, and then wanders off to find something better.

Wouldn’t it be nice if we could use this same technique in our everyday businesses?

Well, in a way we can. Many systems are built to detect attacks and deny traffic. This is much like a turtle hiding in its shell. The attacker knows that the attack was detected, and all it has to do is wait or attack from a different direction when it’s blocked. However, if you can make the system unpalatable, the attacker might just stop altogether. What if, instead of just doing a deny, you redirected that traffic to a honeypot or a system in an error state? If the attacker started getting back error pages or saw services stopping, they might conclude that they broke something. Thus, instead of constantly trying, they might go on to something else.

Now, it’s important to note that, like most defenses, this one is not perfect. Some attackers would just break into the system faster than you could “play dead”. Others might persist in the attack until they get in, whether or not you are dead. This defense, much like in nature, would only function against non-persistent attackers. It might, however, be a good way to identify which attackers are persistent. That might help you determine a reasonable and targeted defense system.
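The playing-dead idea sketched above in working code, as an added example that is not part of the original post: instead of denying a source once it trips a probe threshold, the replay steers it to a decoy that answers 503 from then on, and afterwards sorts sources into those that gave up and those that persisted, which is the list the post suggests building a targeted defense around. The thresholds, the probe-path list, the log format and the addresses are assumptions.

```python
from collections import defaultdict

PLAY_DEAD_AFTER = 3       # probes before a source is sent to the "dead" decoy
PERSISTENT_THRESHOLD = 4  # requests made against the decoy that mark persistence
PROBE_MARKERS = ("/admin", "/phpmyadmin", "/wp-login.php")  # hypothetical probe paths

def is_probe(path):
    return any(path.startswith(marker) for marker in PROBE_MARKERS)

def run_playing_dead(log_lines):
    # Replay an access log. A source that trips PLAY_DEAD_AFTER is not denied but
    # steered to a decoy answering 503; sources that keep pushing are persistent.
    probes = defaultdict(int)      # probes seen per source before it was "dead"
    after_dead = defaultdict(int)  # requests per source answered by the decoy
    responses = []                 # (src, path, status, backend) for each request
    for line in log_lines:
        _ts, src, _method, path = line.split()
        if probes[src] >= PLAY_DEAD_AFTER:
            after_dead[src] += 1
            responses.append((src, path, 503, "decoy"))
            continue
        if is_probe(path):
            probes[src] += 1
        responses.append((src, path, 200, "real"))
    verdicts = {}
    for src, count in probes.items():
        if count < PLAY_DEAD_AFTER:
            verdicts[src] = "benign"
        elif after_dead[src] >= PERSISTENT_THRESHOLD:
            verdicts[src] = "persistent"
        else:
            verdicts[src] = "deterred"
    return verdicts, responses

# Constructed sample log (made-up addresses): a normal visitor, a scanner that quits, one that hammers on
SAMPLE_LOG = """\
2009-03-10T08:00:01 203.0.113.5 GET /index.html
2009-03-10T08:01:00 198.51.100.9 GET /admin
2009-03-10T08:01:01 198.51.100.9 GET /phpmyadmin
2009-03-10T08:01:02 198.51.100.9 GET /wp-login.php
2009-03-10T08:01:03 198.51.100.9 GET /admin/config
2009-03-10T08:05:00 192.0.2.77 GET /admin
2009-03-10T08:05:01 192.0.2.77 GET /wp-login.php
2009-03-10T08:05:02 192.0.2.77 GET /wp-login.php
2009-03-10T08:05:03 192.0.2.77 GET /wp-login.php
2009-03-10T08:05:04 192.0.2.77 GET /wp-login.php
2009-03-10T08:05:05 192.0.2.77 GET /wp-login.php
2009-03-10T08:05:06 192.0.2.77 GET /admin
""".splitlines()
```

Only the "persistent" bucket needs a real block or an investigation; the "deterred" bucket is the set the decoy handled on its own.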

Copyright © 2013 by Josh More