LaBrea is an intrusion detection / "sticky" honeypot technology that uses virtual servers to detect malware.
LaBrea works by watching ARP requests and replies. When the program sees consecutive ARP requests for the same IP spaced several seconds apart, with no intervening ARP reply, it assumes that the IP in question is unoccupied. It then "creates" an ARP reply with a bogus MAC address and fires it back to the requester.
An example (from a tcpdump of LaBrea running on my network):
14:18:28.832187 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:29.646402 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:31.707295 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
14:18:31.707574 ARP reply xx.xx.xx.13 is-at 0:0:f:ff:ff:ff
There is no xx.xx.xx.13 machine on my network. In this case, the timeout was set to 3 seconds (it's a command-line parameter), and when that final "who-has" came in, the "is-at" reply that you see was generated by LaBrea.
There isn't a MAC address of 0:0:f:ff:ff:ff either. It doesn't exist.
But now, the router (xx.xx.xx.1) believes that there is some machine at xx.xx.xx.13, and that it resides at the MAC address 0:0:f:ff:ff:ff, and so it dutifully sends packets on. In essence, we've created a "virtual machine" on that IP address.
Now, LaBrea also watches for TCP traffic destined for the Ethernet address 0:0:f:ff:ff:ff. When it sees an inbound TCP SYN packet, it replies with a SYN/ACK that "tarpits" that connection attempt. Everything else is ignored. (Well... sort of. LaBrea also tries to give its "virtual machines" some character: you can ping them, and they respond to a SYN/ACK with a RST.)
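The two decisions described above, the ARP-claiming rule and the per-packet response rule for the bogus MAC, as an added toy model in Python. This is example code written for this page, not LaBrea's source. The exact timing rule (claim an IP when a repeated who-has arrives at least `timeout` seconds after the first unanswered one), the yielding of a claimed IP back to a real host that later answers, and the 10.0.0.x addresses and packet records are assumptions constructed for the illustration; the tcpdump line format and the 0:0:f:ff:ff:ff MAC come from the page.

```python
"""Toy model of LaBrea's decision logic: watch ARP, claim IPs nobody answers
for, then answer only SYN, SYN/ACK and ping sent to the bogus MAC.
Added example, not LaBrea's source; timing rule and sample data are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

BOGUS_MAC = "0:0:f:ff:ff:ff"  # the MAC LaBrea answers with (from the page)

# tcpdump ARP lines as shown on the page: "HH:MM:SS.ffffff ARP who-has X tell Y"
# or "HH:MM:SS.ffffff ARP reply X is-at MAC"
ARP_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) ARP "
    r"(?:who-has (?P<target>\S+) tell (?P<asker>\S+)"
    r"|reply (?P<owner>\S+) is-at (?P<mac>\S+))$"
)


def parse_ts(h: str, m: str, s: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Tarpit:
    timeout: float = 3.0                          # seconds, the page's example setting
    pending: dict = field(default_factory=dict)   # ip -> time of first unanswered who-has
    claimed: set = field(default_factory=set)     # ips we now answer ARP for

    def observe_arp(self, line: str) -> Optional[str]:
        """Feed one tcpdump ARP line; return the forged reply line to emit, or None."""
        m = ARP_RE.match(line.strip())
        if not m:
            return None
        ts_text = line.split()[0]
        now = parse_ts(m.group(1), m.group(2), m.group(3))
        if m.group("owner"):
            # A real host answered: the IP is occupied. Forget any pending request
            # and (assumption) give the IP back if we had claimed it.
            self.pending.pop(m.group("owner"), None)
            self.claimed.discard(m.group("owner"))
            return None
        ip = m.group("target")
        if ip in self.claimed:
            return f"{ts_text} ARP reply {ip} is-at {BOGUS_MAC}"   # keep answering for it
        first = self.pending.setdefault(ip, now)
        if now - first >= self.timeout:
            # Repeated who-has, nobody replied within the timeout: claim the IP.
            self.claimed.add(ip)
            del self.pending[ip]
            return f"{ts_text} ARP reply {ip} is-at {BOGUS_MAC}"
        return None


@dataclass
class Packet:
    dst_mac: str
    dst_ip: str
    proto: str                          # "tcp" or "icmp"
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"}
    icmp_type: str = ""                 # e.g. "echo-request"


def respond(tarpit: Tarpit, pkt: Packet) -> Optional[str]:
    """What a virtual machine sends back, per the page's rules. None means ignored."""
    if pkt.dst_mac != BOGUS_MAC or pkt.dst_ip not in tarpit.claimed:
        return None                     # not addressed to one of our virtual machines
    if pkt.proto == "tcp":
        if pkt.flags == {"SYN"}:
            return "SYN/ACK"            # tarpit the connection attempt
        if pkt.flags == {"SYN", "ACK"}:
            return "RST"                # the "character" the page mentions
        return None                     # everything else is ignored
    if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
        return "echo-reply"             # the virtual machines are pingable
    return None


# Constructed sample log, modelled on the page's excerpt; addresses are made up.
SAMPLE_ARP_LOG = [
    "14:18:28.832187 ARP who-has 10.0.0.13 tell 10.0.0.1",
    "14:18:29.646402 ARP who-has 10.0.0.13 tell 10.0.0.1",
    "14:18:30.101000 ARP who-has 10.0.0.5 tell 10.0.0.1",
    "14:18:30.101900 ARP reply 10.0.0.5 is-at 0:1a:2b:3c:4d:5e",  # a real host answers
    "14:18:31.900000 ARP who-has 10.0.0.13 tell 10.0.0.1",        # >= 3 s, still unanswered
    "14:18:34.000000 ARP who-has 10.0.0.5 tell 10.0.0.1",         # was answered, not claimed
]


def run_sample(timeout: float = 3.0):
    """Replay the sample log; return the tarpit state and the replies it would send."""
    tp = Tarpit(timeout=timeout)
    replies = [r for line in SAMPLE_ARP_LOG if (r := tp.observe_arp(line))]
    return tp, replies


if __name__ == "__main__":
    tp, replies = run_sample()
    print("\n".join(replies))          # one forged reply, for 10.0.0.13
    print(respond(tp, Packet(BOGUS_MAC, "10.0.0.13", "tcp", frozenset({"SYN"}))))
```

Only 10.0.0.13 ends up claimed: 10.0.0.5 was asked for twice as well, but the real reply in between clears its pending state, which is the "without any intervening ARP reply" condition from the text.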
There's more to it than that (obviously...) but you'll need to read further.
What's New in This Release:
· src/ctl.c (ctl_init_arrays): Remove the call to sleep, since sleep is not supposed to be mixed with alarm calls on Linux.
· src/utils.c (util_alarm), src/labrea.c: Set the alarm and signal handlers after going into daemon mode so that the child will get the signal.
· src/labrea_init.c, src/lbio.c: Take out the fudge code, since libdnet 1.7 ethopen now uses the libdnet device names (i.e. eth1, etc.).