[Dshield] yea LaBrea must have moved
tim at qrsparadigm.com
Wed Mar 13 14:54:19 GMT 2002
No problem Susan. I actually do "picnic under flypaper" ;-) so to speak, in
that I run it on the same bastion hosts as my MTAs and VPN servers. It
consumes very little resources, and because of the proxy arp mechanism by
which LaBrea works it doesn't draw any extra attention to these machines.
I'm a small fish, having only two /29 blocks to watch over, but still like
most folks I don't use the majority of my address space. LaBrea only answers
arp requests that go unanswered by real machines actually occupying an IP.
Since these requests are being sent to an IP that I do not advertise any
sort of service on they could only be scans. LaBrea happily answers these
requests with just enough traffic to keep that thread of the scanning
machine "on the hook", and therefore not moving on to scan elsewhere. In
this way my unused address space goes to good use.
The idea is that if enough folks ran this or something like it then mass
scans would run out of steam very quickly when the scanning machines run out
of resources waiting on replies from machines that aren't actually there
:-). Aside from the CodeRed scans that inspired Tom Liston to write this
little nifty, I also pickup all sorts to RPC portmap requests, DNS version
queries, etc. to machines that don't exist. I gotta admit I derive a certain
pleasure from that, knowing that someone out there if being frustrated, or
wondering what the heck is going on when a portmapper scan that should take
only an instant to complete hangs for twenty or thirty minutes if not
I am running version 2.2 compiled from source (need to upgrade), and I start
/usr/local/sbin/LaBrea -a -h -v -p 2000 -z -i eth1
On occasion I'll add the -l switch (log to syslog) just to have a look at
Mar 10 04:02:21 asp0 ./LaBrea: Activity: 184.108.40.206 2470 -> x.x.x.22 80
Mar 10 04:02:33 asp0 ./LaBrea: Activity: 220.127.116.11 1060 -> x.x.x.21 80
Mar 10 04:02:48 asp0 ./LaBrea: Activity: 18.104.22.168 4684 -> x.x.x.22 80
Mar 10 04:02:51 asp0 ./LaBrea: Activity: 22.214.171.124 4723 ->
126.96.36.199 80 *
Mar 10 04:02:54 asp0 ./LaBrea: Activity: 188.8.131.52 3999 -> x.x.x.22 80
Mar 10 04:03:35 asp0 ./LaBrea: Activity: 184.108.40.206 1606 -> x.x.x.21 80 *
Mar 10 04:03:56 asp0 ./LaBrea: Activity: 220.127.116.11 3820 -> x.x.x.21 80
Mar 10 04:03:57 asp0 ./LaBrea: Activity: 18.104.22.168 4242 -> x.x.x.21 80 *
Mar 10 04:04:00 asp0 ./LaBrea: Activity: 22.214.171.124 4656 -> x.x.x.22 80
Mar 10 04:04:59 asp0 ./LaBrea: Capturing: x.x.x.22
Mar 10 04:05:03 asp0 ./LaBrea: Activity: 126.96.36.199 4242 -> x.x.x.21 80 *
Mar 10 04:06:09 asp0 ./LaBrea: Activity: 188.8.131.52 4242 -> x.x.x.21 80
Mar 10 04:06:22 asp0 ./LaBrea: Activity: 184.108.40.206 2470 -> x.x.x.22 80*
Mar 10 04:06:33 asp0 ./LaBrea: Activity: 220.127.116.11 1060 -> x.x.x.21 80
Mar 10 04:06:49 asp0 ./LaBrea: Activity: 18.104.22.168 4684 -> x.x.x.22 80 *
Mar 10 04:06:55 asp0 ./LaBrea: Activity: 22.214.171.124 3999 -> x.x.x.22 80
Mar 10 08:20:16 asp0 ./LaBrea: Teergrubing: 126.96.36.199 2340 -> x.x.x.22
Mar 10 08:20:16 asp0 ./LaBrea: Activity: 188.8.131.52 2340 -> x.x.x.22 80
Mar 10 08:20:16 asp0 ./LaBrea: Activity: 184.108.40.206 2340 -> x.x.x.22 80 *
All those poor scanners just languishing there... ;-)
Hope that helps!
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Sent: Tuesday, March 12, 2002 11:19 PM
To: list at dshield.org
Subject: [Dshield] yea Labrea must have moved
I downloaded it several weeks ago. Got the address I originally sent off
the techie sheet.
But www.hackbusters.net looks about right.
everyone should put this on. The web would be a hacker's nightmare. Just
have to figure how to do juussst right.
well at least an old 486 shouldn't cost more than 35.00
Tell me please Tim how to load it just right. Not sure if running it on
a working system is wise. Seems like it should be a standalone venture.
I wouldn't picnic under fly paper would you? I want to stick ALL the
hacks/junk hits and stop all the scanning period, not just catch what
slips through the wall. It's the scanning that's the problem.
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
More information about the list