WEBVTT

00:00.000 --> 00:19.600
So, hey, I'm Ryan. I help organize K-Bot Birmingham. I am a Brummie. I come from Birmingham

00:19.600 --> 00:23.800
UK, not Alabama. They get them mixed up. I've got an unhealthy obsession with programming

00:23.800 --> 00:27.120
mascots and there's my social. Thank you very much for flying me out

00:27.120 --> 00:31.520
here today. Just a disclaimer before we start. I am not an expert on anything that

00:31.520 --> 00:36.080
I'm talking about. Take everything with a pinch of salt. And I'm here to give a talk

00:36.080 --> 00:45.200
today about this thing. Who recognizes it? Yes, that's right. This is the stupid auto

00:45.200 --> 00:50.160
dialer thing from The Simpsons. That marches down all of the phone numbers. And when

00:50.160 --> 00:54.720
you get a phone call and they go, how are you? And it's like someone trying to get a survey

00:54.720 --> 01:02.480
from you. It's normally one of those annoying machines that have done it. And this kind of

01:02.480 --> 01:08.720
leads us into the problem. In our everyday life we are being bombarded by spammy mails,

01:08.720 --> 01:16.800
spam calls and spam advertisements all over the place. A constant stream of it. And in a very

01:16.800 --> 01:23.040
similar way our lovely little server here is also being bombarded with a constant swarm of

01:23.120 --> 01:29.200
annoying bot traffic. Bots will literally just march through IPs. One, two, three, four, five, six,

01:29.200 --> 01:35.280
seven, eight, nine. And you can do the entire four billion IPs available in IPv4 in quite a short

01:35.280 --> 01:40.720
amount of time surprisingly. And if you've ever had access logs on your server and you've seen,

01:40.720 --> 01:49.920
hello, can I just please get the .env file? Please, please, can I have something? Please, please,

01:50.000 --> 01:59.840
let me in! Yeah, very annoying. And it's not just one bot. It's thousands of bots. And

01:59.840 --> 02:06.560
they're all coded for different frameworks, looking for different things they can poke. And it

02:06.560 --> 02:14.000
only requires one bot for your server to be very sad. And they don't take a break. If you're,

02:14.000 --> 02:18.000
you know, it's 3am and you get a call and they go, why is the website being replaced with

02:18.960 --> 02:27.840
some dodgy third party thing? Tough, got to fix it. Bots don't sleep, so you can't either.

02:28.880 --> 02:39.520
And it's not just on the HTTP protocol, they will come on any ports, you know, FTP, DNS, SSH,

02:39.520 --> 02:44.400
any protocol you can imagine, there are bots loitering around the IPv4 space trying to

02:44.400 --> 02:53.280
poke and prod. So what can be done? Well, I'm glad you asked. We can do this.

03:04.960 --> 03:11.600
Can you just go right now. All right, did that actually kill my, did I kill my

03:11.600 --> 03:13.880
clicker? That's amazing. Oh well, I'm starting to go right in.

03:13.880 --> 03:21.640
I'm sorry. It was worth it. Get back into shape. So yes, we can do all of these

03:21.640 --> 03:24.360
very interesting things. Take a picture if you're interested. You've got six

03:24.360 --> 03:30.880
seconds, five, four, three, two, one. Time's up. Questions at the end of my

03:30.880 --> 03:35.160
talk. Thank you very much. Oh, no. Wow, that's a bit boring, isn't it? Is there

03:35.160 --> 03:40.880
something to keep it more fun? We could do. Well, there's a very similar

03:40.880 --> 03:49.640
problem in the call space where, you know, you get spam callers. And there's a

03:49.640 --> 03:53.800
very interesting YouTube channel called Kitboga, where he will make himself a

03:53.800 --> 03:58.800
big old target and try and keep the caller, the spam caller that is on the line,

03:58.800 --> 04:03.920
for as absolutely long as possible. And that gave me an idea, which leads us into

04:03.920 --> 04:08.760
beginning the bamboozling. I can see if I can not do this, because of maintenance

04:08.760 --> 04:15.200
now, okay. Honeypots, we love honeypots. They're good. And to me, honeypots are made of

04:15.200 --> 04:20.600
three kind of good components. You have the honey, the honeycomb and the pot itself.

04:20.600 --> 04:26.480
With the honey, well, the honey is kind of anything desirable to a threat. I didn't

04:26.480 --> 04:30.160
worry about this threat. Look, you can get a picture of me with the type of a

04:30.160 --> 04:39.760
threat actor looking for desirable things like API keys and things. So what to

04:39.760 --> 04:45.360
do? Well, there is this lovely repository called Gitleaks, which contains pretty

04:45.360 --> 04:50.000
much every last single secret definition you could ever imagine or dream of

04:50.000 --> 04:54.920
having, in regex form, for searching through repositories for static

04:54.920 --> 04:58.720
analysis so that you don't commit them accidentally. And these regexes are

04:58.720 --> 05:03.880
quite interesting, because there's another nice little tool called goregen, where you

05:03.880 --> 05:08.800
can generate random strings from regular expressions. If we just put these two together, do

05:08.800 --> 05:14.560
we have an infinite supply of free secrets to give out? Oh, that's wrong, I think, isn't

05:14.560 --> 05:23.160
it. Which leads us onto our honeycomb. We have structured data, bots like to

05:23.160 --> 05:30.080
read structured data. And we have this amazing thing called JSON schema, which allows

05:30.080 --> 05:35.920
us to define structured data in a way that we can validate it. And there is a nice JSON

05:35.920 --> 05:42.520
schema store with all of the major configuration files that you can get on the internet.

05:42.520 --> 05:47.400
And there is this magical thing called JSON schema faker, which allows you to generate

05:47.440 --> 05:57.120
random data. How exciting. But there's something hanging out the bottom of it. Oh,

05:57.120 --> 06:02.360
this won't go, it's a JavaScript library. Everything's written in JavaScript. There's

06:02.360 --> 06:13.760
nothing we can do. Time to Go. What is this? Wow, it is GoChap, which generates random

06:13.760 --> 06:21.520
data for a given schema. Oh, my god. Because why spend five minutes trying to convert

06:21.520 --> 06:26.200
the JavaScript library, when you can spend three months doing a side project? That was

06:26.200 --> 06:33.040
fun. I do not like JSON schemas. And with the power of these four combined, infinite

06:33.040 --> 06:41.400
secrets and structured data, the joys, which brings us onto the bots, which we want something

06:41.480 --> 06:48.600
with a very small footprint that's very nice and you can run. Yeah, I use Go. Don't

06:48.600 --> 06:54.680
shout at me. And if we lob everything that we've collected here together, we get go-pot,

06:54.680 --> 07:00.320
which is what I'm talking about today. Let us start with maximizing the misery. Who knows

07:00.320 --> 07:10.760
what this is? Got five, four, three, two, one. It's a Slowloris indeed. Congratulations.

07:10.760 --> 07:13.880
I think you get the idea of where this is going. So for those who don't know, a

07:13.880 --> 07:18.360
Slowloris is a type of low-and-slow DDoS attack, where you open up a connection to the

07:18.360 --> 07:23.480
server and then go, I'll open up a connection, what you're going to do about it. Oh, no, no,

07:23.480 --> 07:27.720
another connection. I don't know, another few more connections, and just not really, just send

07:27.720 --> 07:32.760
a few bytes of data. And you hope you'll hit a thread pool limit and the server will die. But

07:32.760 --> 07:39.480
I thought what happens if you just turn this on its head? Well, the bots die? That will

07:40.200 --> 07:46.360
be nice. And this leads into a class of honeypots called tarpits. It's a deep and

07:46.360 --> 07:52.440
murky and you can't run around it. This is not an entirely original idea, but the class is very

07:52.440 --> 08:00.440
funny. But can anyone think of any problems with this off the bat? Six, five.

08:03.000 --> 08:07.880
Did that time out? The one that I came up with is timeouts. Bots will have timeouts on their

08:07.880 --> 08:11.960
network requests. They won't sit there forever. A lot of the times when you're making an API query,

08:11.960 --> 08:19.960
you're going, oh, it took 15 seconds. It's too long, the server must be dead. So, what I thought to do

08:19.960 --> 08:24.680
is, if a bot sees a bunch of failing requests, it must have taken down the server or something

08:24.680 --> 08:29.240
must have gone wrong. So it will run away. We don't want that. We want the bot to be kept on the

08:29.240 --> 08:34.040
line forever. So if we just wait until the first time out and then infinitely serve,

08:35.000 --> 08:41.640
just about where the timeout is, well then the bot can march as long as it wants and it will struggle

08:41.640 --> 08:48.840
and eventually we'll lose the bot. But it will at least have wasted

08:48.840 --> 08:56.280
as much time as we possibly could. And why not let them eat cake? They want all of the protocols,

08:56.280 --> 09:01.720
right? They want their HCLs and their .envs and their YAMLs and their XMLs and their CSVs.

09:02.040 --> 09:07.480
So, why not, if they request a file or an XML file, we just give it to them. You know,

09:07.480 --> 09:11.800
we can serialize data in all the formats that you're wanting, enjoy parsing them and enjoy

09:13.000 --> 09:17.480
munching them down. But it's not just HTTP that this happens on, it's other protocols.

09:19.000 --> 09:26.040
So, I've been expanding go-pot over the last few months to support FTP as well. So we now have a

09:26.040 --> 09:32.120
file system, and you can download the directories and files if you so happen to fall onto the

09:32.120 --> 09:38.440
lovely server. And of course, making any requests to this FTP server will be very slow.

09:38.440 --> 09:44.520
You can do one operation a second. That is it. It will wait otherwise. And any of the files

09:44.520 --> 09:51.800
will download at one byte a second for a very long time. Oh, and when you look at this, it's an

09:51.800 --> 09:58.680
infinitely deep file system. Oh, what a shame. Oh, it would be a terrible shame if you were to

09:58.680 --> 10:04.360
try and traverse a file system that will take you from now until the age of the dinosaurs to get

10:04.360 --> 10:15.480
done. And now with more attack surface. This is an nmap scan. It's going through all ports

10:15.480 --> 10:23.320
looking at what open ports you've got served, what is available on your little servers.

10:24.600 --> 10:30.840
But you know, that's not much, is it? What happens if we were to port forward every last

10:30.840 --> 10:37.880
single port available to us on the server to a port on go-pot? And you know, it's like a duck.

10:37.880 --> 10:42.680
Looks like a duck. It's probably a rabbit. What happens if we connection mux? And we just add

10:42.760 --> 10:46.760
a long list of available protocols that the honeypot supports and then forward it on

10:46.760 --> 10:53.000
to one of the honeypots, if any, so we can support multiple protocols on every last single port

10:53.000 --> 11:05.800
on the server. Good luck, honeypot. Though we don't want to get caught in the crossfire,

11:07.080 --> 11:12.280
not all bots are bad, there are plenty of bots that are just, you know, mapping the internet,

11:12.280 --> 11:17.880
retrieving graph databases, social medias, searching your pages for search engines.

11:17.880 --> 11:24.200
Do you really want to, you know, smite them with this kind of approach?

11:24.200 --> 11:31.080
So we've got robots.txt, where you have a user agent, a disallow, and a crawl

11:31.080 --> 11:36.440
delay, effectively saying who, where, and for how long the bots can do things, at least on the

11:36.440 --> 11:42.760
HTTP standard. And normally the bots will fly in and they'll be like,

11:43.560 --> 11:51.160
should I go and should I actually deal with this thing now? But then you'll always get the

11:51.160 --> 11:58.440
ones that decide to go into the pain, and those are the people who we're trying to deal with.

11:59.080 --> 12:08.600
Is it legal? Well, I mean, in the UK, apparently. Your country, maybe, you know,

12:09.160 --> 12:15.720
I'm not a lawyer, this is not legal advice, but don't sue me if you use the pot, it's not my pot.

12:16.120 --> 12:19.560
Is this moral? I think it's funny.

12:23.240 --> 12:27.640
The results of this. So I had this, I've got three minutes, I've been rattling through these

12:28.120 --> 12:32.120
slides, and so I had this convoluted setup where I did a bunch of AWS magic

12:32.120 --> 12:37.960
stuff to pipe metrics around it. I haven't mentioned this yet, but the pots also speak

12:37.960 --> 12:41.320
to each other with a gossip protocol and can be running as a big cluster, but I didn't think I'd

12:41.320 --> 12:44.840
have time to speak about it. So you can read up on that yourself if you're interested.

12:46.200 --> 12:51.080
The results are, in the time that I ran this across a cluster of

12:51.080 --> 12:57.240
about 10 nodes in mid-2024, I gave out 2 million secrets to bots, so I hope they use those for

12:57.240 --> 13:04.600
useful things, and a total of 23 times of bots sitting there listening to slow hold music

13:04.600 --> 13:10.280
and slowly losing the will to live. What the future holds, well, we've got this nice

13:10.280 --> 13:17.880
pot full to the brim of various tricks and interesting things that we can slow down.

13:17.880 --> 13:30.040
But ideally, it's not just going to be the web server and FTP, I'd like to add databases and

13:30.040 --> 13:36.440
SMTP, I don't even know what that is, I just copied the basics. Or SSH or Redis, or as many

13:36.440 --> 13:44.840
protocols as I can think of where stalling bots would be funny. As I said, I ran over a lot of

13:44.840 --> 13:48.920
stuff here. There are things that you can do with maximizing the placement of your pots in

13:48.920 --> 13:55.320
a network so you can get hot IP addresses, loads of bots. Also using AWS tends to be quite good

13:55.320 --> 14:02.760
for attracting traffic because people know the IPv4 ranges of these AWS data centers, so they

14:02.760 --> 14:07.800
will scan them more often than just generic random IP addresses. There are other things that

14:07.800 --> 14:14.200
I need to do: broader protocol support, better telemetry and instrumentation so that people can

14:14.200 --> 14:18.840
look at it. This is part of the T-Pot CE platform, by the way, so you can run it as part of a group of

14:18.840 --> 14:24.440
pots. Ah, one minute left. Well, luckily I want to conclude. Is this actually going to just

14:24.440 --> 14:34.360
stop all of the bots? But, you know, there are lots of things that you can do to avoid this.

14:34.360 --> 14:39.000
If you just send a few requests, this isn't really going to do much. You can still collect data.

14:39.080 --> 14:44.440
I don't know. Some bots are targeted attacks on particular servers and there are other

14:44.440 --> 14:50.360
ways to defeat it. However, it will stop poorly written bots, at least my hope is, it

14:50.360 --> 14:54.040
raises the bar to entry for people writing these bots because it's harder to deal with all the

14:54.040 --> 14:57.960
edge cases and most of all it's funny. Ah,

14:57.960 --> 15:05.320
credits go to all of these fine people for the ideas and the images. A special thanks to

15:05.400 --> 15:10.200
Irochi Art for all of the custom commissioned gophers because I like programming mascots from the very

15:10.200 --> 15:16.200
keep. Thank you very much for listening with eight seconds to spare and, um, I can now just do

15:16.200 --> 15:22.680
a dance from the last three seconds. That's time. Thank you.

15:46.200 --> 16:02.920
That was hilarious. Thank you so much. It's, uh, much appreciated. Ah, I'm curious

16:02.920 --> 16:06.520
to switch into Golang and then go check out your project. Maybe I can do some contributions.

16:06.520 --> 16:11.560
Absolutely. Love any support that you can give it. Awesome. Have a nice rest of it.

16:11.560 --> 16:19.080
You too. Thank you so much. By far the most entertaining talk so far. Oh, thank you so much.

