Electronic networks, such as computer networks, are widely used for communications, data sharing, data storage, application sharing, data processing, etc. The increased availability and power of common computer devices has led to a widespread increase in interconnected networks, wherein computer devices communicate and share data across widely distributed networks. As a result, computer networks have become ubiquitous. One popular and widespread computer network is the Internet, which comprises multiple, interconnected computer networks.
A problem that has grown along with the growth of computer networks has been the surge in unauthorized or malicious access to computer systems. Such unauthorized or malicious access has been made possible by computer networks, wherein anonymous persons (or automated programs) can reach computer systems remotely and cause damage to data, gain access to other systems, etc. One growing problem is an intruder attempting to connect to many network addresses in turn in order to find one at which a connection to a computer system can be established. A completed connection can be used to access the corresponding computer system, and even to reach other computer systems in communication with the compromised system.
An access attempt is commonly in the form of a connection request sent by the intruder, for example a TCP SYN segment addressed to a port on the target address. A response from the network address (for TCP, either a SYN/ACK accepting the connection or a RST refusing it) signals that the address is in use, while a lack of any response from the address is interpreted as a signal that the address is unused and available. Repeating this over a range of addresses is commonly termed "scanning," wherein an external computer device is programmed to systematically probe network addresses seeking systems that can be exploited directly and/or be used to gain access to other computer devices and/or other computer networks.
A prior art approach to detecting and preventing this form of unauthorized access has been the development and deployment of systems commonly referred to as tarpits, honeypots, or sticky honeypots. In the prior art approach, the unused network addresses of a network are monitored by a security system or security routine. The security system or routine is programmed to recognize the unused network addresses, and treats any attempt to connect to one of them as an unauthorized access attempt, since no legitimate host should be contacted there. Absent such a system, a connection request to an unused address goes unanswered, and the agent performing the scan knows immediately that the address is not in use and continues to probe other addresses.
In addition to detecting an unauthorized access attempt, the prior art security system or routine can answer on behalf of the unused address, hold the connection, and make the scanning computer waste time waiting for an expected response. This is where the terms tarpit, honeypot, and sticky honeypot come into play. When a scanning computer receives an answer and subsequently attempts to exchange messages with the supposed host at that network address, the prior art security system or routine issues the equivalent of a "busy," "wait," or "retry" response. In TCP terms this is typically done by completing the handshake and then advertising a receive window of zero, so the scanner's own protocol stack may not send any data and instead waits for the window to open, sending periodic window probes. The security system or routine answers each probe with another zero-window acknowledgement, so the scanning computer keeps waiting until its application gives up or a timeout period elapses. This can cause the scanning computer to wait for a period from a few minutes to indefinitely, depending on factors such as the timeout and probe-retry behaviour of the particular network stack implemented by the scanner's vendor. As long as the security system or routine continues to reply with "busy," "wait," or "retry" responses, it can keep the scanning computer waiting and relatively inactive for long periods of time.
The processing time required for the security system or routine to perform this trapping action is minimal (a small reply per probe and a little state per held connection), while the real elapsed time imposed on the scanning computer is much larger than it would otherwise be, which slows the rate of the scanning. In addition, a scanning computer that probes addresses sequentially is halted from scanning for other computer systems on the network while it is held; a scanner that probes addresses in parallel instead loses one socket or worker for each trapped connection. Therefore, if a computer device of a business entity or institution is scanned and the scan is trapped and held as described, the sticky honeypot may prevent other unused network addresses or other computer devices of the business entity or institution from being scanned. In addition, the trapping may be invaluable for preventing further intrusion and even limiting damage from an intrusion merely by delaying the scanning process.
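The exchange described above, modelled in code as an added illustration (this is not code from the prior art systems or from any tarpit product): a scanner walks ten constructed addresses, two of which host real systems, first with nothing answering for the unused addresses and then with a tarpit that claims them and only ever advertises a zero window. The round-trip time, the scanner's SYN timeout, the persist-timer backoff and the 300 second application timeout are assumptions chosen to make the effect visible, not measurements. The model also covers a half-open (SYN) scan, which a zero-window tarpit does not delay, since such a scanner never completes the handshake; it merely reports every tarpitted address as open.

```python
"""Discrete-time model of a TCP sticky honeypot (tarpit) facing a scanner.
Added illustration with assumed timers; not code from any tarpit product."""
from dataclasses import dataclass, field

SYN, SYN_ACK, ACK, PROBE, RST = "SYN", "SYN/ACK", "ACK", "ZWP", "RST"
RTT = 0.1            # assumed round-trip time, seconds
SYN_TIMEOUT = 3.0    # assumed: scanner abandons an unanswered SYN after this
MAX_PERSIST = 60.0   # assumed cap on the zero-window probe interval


class LiveHost:
    """A real host: completes the handshake and opens a normal window."""

    def __init__(self, address):
        self.address = address

    def receive(self, dst, flags):
        if dst != self.address or flags not in (SYN, ACK, PROBE):
            return None
        return (SYN_ACK if flags == SYN else ACK, 65535)


@dataclass
class Tarpit:
    """Answers for every address in its pool but only ever advertises a zero
    receive window: the peer cannot send its payload and keeps probing, and
    every probe is answered with 'still zero' (the busy/wait/retry reply)."""
    addresses: set
    probes: dict = field(default_factory=dict)   # dst -> answered segments

    def receive(self, dst, flags):
        if dst not in self.addresses:
            return None                  # not ours: stay silent
        if flags == SYN:
            self.probes[dst] = 0
            return (SYN_ACK, 0)
        if flags in (ACK, PROBE) and dst in self.probes:
            self.probes[dst] += 1
            return (ACK, 0)
        return None


def scan_address(dst, responders, app_timeout=300.0, half_open=False):
    """Scan one address. Returns (verdict, elapsed_seconds, probes_sent)."""
    def send(flags):
        for r in responders:
            reply = r.receive(dst, flags)
            if reply is not None:
                return reply
        return None

    if send(SYN) is None:
        return ("unused", SYN_TIMEOUT, 0)          # silence: move on
    elapsed = RTT
    if half_open:                                  # SYN scan never completes
        send(RST)
        return ("open", elapsed, 0)
    _, window = send(ACK)                          # third handshake segment
    if window > 0:
        return ("open", elapsed, 0)                # payload can go at once
    # Zero window: the stack arms its persist timer and sends window probes
    # with exponential backoff. While the peer keeps acknowledging, TCP never
    # aborts on its own, so only an application-level timeout frees the scanner.
    interval, probes = 1.0, 0
    while elapsed < app_timeout:
        elapsed += interval
        probes += 1
        _, window = send(PROBE)
        if window > 0:
            return ("open", round(elapsed, 3), probes)
        interval = min(interval * 2, MAX_PERSIST)
    send(RST)                                      # application gives up
    return ("stuck", round(elapsed, 3), probes)


def scan_network(addresses, responders, **kw):
    """Scan every address in turn; returns per-verdict counts and total time."""
    summary = {"open": 0, "unused": 0, "stuck": 0, "elapsed": 0.0}
    for dst in addresses:
        verdict, elapsed, _ = scan_address(dst, responders, **kw)
        summary[verdict] += 1
        summary["elapsed"] = round(summary["elapsed"] + elapsed, 3)
    return summary


ADDRESSES = [f"10.0.0.{i}" for i in range(1, 11)]   # constructed address range
LIVE = [LiveHost("10.0.0.1"), LiveHost("10.0.0.2")]
UNUSED = set(ADDRESSES[2:])

if __name__ == "__main__":
    print("no tarpit:  ", scan_network(ADDRESSES, LIVE))
    print("with tarpit:", scan_network(ADDRESSES, LIVE + [Tarpit(UNUSED)]))
    print("SYN scan:   ", scan_network(ADDRESSES, LIVE + [Tarpit(UNUSED)],
                                       half_open=True))
```

Under these assumptions the eight unused addresses cost the scanner 24 seconds in total without the tarpit and about 2,425 seconds with it, while the tarpit itself does nothing more than answer eleven small segments per held connection. The "stuck" verdict only arises because the model gives the scanner an application timeout; a stack left to its own persist timer, as the text notes, may wait indefinitely.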
A dynamic network address allocation service of some type is typically employed in a computer network. For example, the dynamic network address allocation service can comprise a Dynamic Host Configuration Protocol (DHCP) server. The dynamic address allocation service facilitates management of the network and, by ensuring proper configuration of the network, enables communications between internal network computer devices and between internal and external computer devices. When a computer device is added to the network, the computer device contacts the DHCP server (in DHCP, by broadcasting a DHCPDISCOVER, receiving a DHCPOFFER, and confirming with a DHCPREQUEST that the server acknowledges with a DHCPACK) and the DHCP server assigns an unused network address to the requesting computer device. The address allocation service attempts to make sure that each computer device has a unique address for use on the network. The computer device may request a particular address from the DHCP server, which the server grants if that address is still available. The requesting device "leases" the address, wherein the requesting device may use the address for a specified lease period and then must either renew the lease or stop using the address. If a lease expires without being renewed, the DHCP server de-allocates the network address and returns it to the common pool. Therefore, in a modern computer network, network address assignment is relatively dynamic, wherein network addresses can be repeatedly allocated and de-allocated over time, and may be used by different devices on the network at different times.
The prior art intrusion detection and prevention approach has drawbacks. The prior art approach is typically inflexible and does not react well to allocations and de-allocations of network addresses, particularly when this process is managed by an address allocation service like DHCP. A prior art honeypot or tarpit is not designed to dynamically acquire or release individual network addresses on a network where address allocation is managed by such a service. A prior art approach will typically take over all of the network addresses that are unused at the time the honeypot or tarpit is started, and is not designed to dynamically yield an address back to an allocation server, such as a DHCP server. Consequently, one drawback of the prior art approach is that all available network addresses become used by the tarpit or sticky honeypot during operation, so that the allocation server has nothing left to assign and new devices added to the network cannot be configured correctly. Another drawback is that the prior art approach may not yield an unused network address when a dynamic address allocation service seeks to assign it to a new system on the network, so that the tarpit and the new system both answer for the same address. This can cause severe disruption on the network under normal operating conditions, and makes these devices inappropriate for deployment on production networks. Typically, the prior art security devices are therefore deployed in networks dedicated to hosting the honeypot, which limits their effectiveness for trapping modern types of network intrusions.
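The two drawbacks above, and the lease lifecycle of the preceding paragraph, modelled in code as an added illustration (not code from any DHCP server, honeypot or tarpit product): a minimal lease table stands in for the DHCP server, with the four-message exchange collapsed into a single request() call, and a tarpit of the prior-art kind claims every address that is free when it starts and has no release path. With lease=True the tarpit obtains a lease for each address it claims, and the pool is exhausted for the next host; with lease=False it answers for the addresses without telling the server, and the server hands one of them to the next host, producing a duplicate address. The pool, lease time and host sequence are constructed; the addresses are from the reserved TEST-NET-1 range.

```python
"""Model of a DHCP-managed pool shared with a prior-art tarpit that claims
every unused address at start-up and never yields one.  Added illustration;
the scenario is constructed and the classes are not from any real product."""
import ipaddress

POOL = [str(ipaddress.IPv4Address("192.0.2.10") + i) for i in range(5)]
LEASE_TIME = 3600  # seconds, assumed


class DhcpServer:
    """Minimal lease table.  request() returns the address the server would
    acknowledge for the client, or None when no address is available."""

    def __init__(self, pool, lease_time=LEASE_TIME):
        self.pool = list(pool)
        self.lease_time = lease_time
        self.leases = {}  # address -> [client_id, expires_at]

    def expire(self, now):
        """Return every lease that has run out to the common pool."""
        for addr in [a for a, (_, exp) in self.leases.items() if exp <= now]:
            del self.leases[addr]

    def free_addresses(self, now):
        self.expire(now)
        return [a for a in self.pool if a not in self.leases]

    def request(self, client_id, now, preferred=None):
        self.expire(now)
        for addr, lease in self.leases.items():      # renewal of own lease
            if lease[0] == client_id:
                lease[1] = now + self.lease_time
                return addr
        free = self.free_addresses(now)
        if preferred in free:                          # honour a requested address
            addr = preferred
        elif free:
            addr = free[0]
        else:
            return None                                # pool exhausted
        self.leases[addr] = [client_id, now + self.lease_time]
        return addr


class PriorArtTarpit:
    """Takes every address that is unused when it starts and holds it for
    good.  lease=True: it leases each one from the server (and would renew
    forever).  lease=False: it simply answers for them without telling the
    server.  Either way there is no path by which it yields an address."""

    def __init__(self, lease):
        self.lease = lease
        self.held = set()

    def start(self, server, now):
        for addr in server.free_addresses(now):
            if self.lease:
                server.request(f"tarpit:{addr}", now, preferred=addr)
            self.held.add(addr)

    def answers_for(self, addr):
        return addr in self.held


def simulate(tarpit_leases):
    """Two hosts join, the tarpit starts, then a third host joins.
    Returns (address given to the third host, addresses the tarpit holds,
    addresses leased to a real host that the tarpit also answers for)."""
    server = DhcpServer(POOL)
    server.request("host-a", now=0)
    server.request("host-b", now=0)
    tarpit = PriorArtTarpit(lease=tarpit_leases)
    tarpit.start(server, now=10)
    offered = server.request("host-c", now=20)
    conflicts = {a for a, (cid, _) in server.leases.items()
                 if tarpit.answers_for(a) and not cid.startswith("tarpit:")}
    return offered, set(tarpit.held), conflicts


if __name__ == "__main__":
    for leases in (True, False):
        offered, held, conflicts = simulate(leases)
        print(f"tarpit leases={leases}: host-c gets {offered}, "
              f"tarpit holds {sorted(held)}, duplicates {sorted(conflicts)}")
```

In the leasing case host-c receives no address at all even though three of the five addresses carry no real system; in the non-leasing case host-c is handed 192.0.2.12 while the tarpit continues to answer for it, which on a real segment would show up as conflicting ARP replies and intercepted traffic. In both cases the only remedy in the model is to stop the tarpit, which is the deployment limitation the text describes.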