[Dshield] yea LaBrea must have moved

Tim Pierce tim at qrsparadigm.com
Wed Mar 13 14:54:19 GMT 2002


No problem Susan. I actually do "picnic under flypaper" ;-) so to speak, in
that I run it on the same bastion hosts as my MTAs and VPN servers. It
consumes very little resources, and because of the proxy arp mechanism by
which LaBrea works it doesn't draw any extra attention to these machines.

I'm a small fish, having only two /29 blocks to watch over, but still like
most folks I don't use the majority of my address space. LaBrea only answers
arp requests that go unanswered by real machines actually occupying an IP.
Since these requests are being sent to an IP that I do not advertise any
sort of service on they could only be scans. LaBrea happily answers these
requests with just enough traffic to keep that thread of the scanning
machine "on the hook", and therefore not moving on to scan elsewhere. In
this way my unused address space goes to good use.

The idea is that if enough folks ran this or something like it then mass
scans would run out of steam very quickly when the scanning machines run out
of resources waiting on replies from machines that aren't actually there
:-). Aside from the CodeRed scans that inspired Tom Liston to write this
little nifty, I also pickup all sorts to RPC portmap requests, DNS version
queries, etc. to machines that don't exist. I gotta admit I derive a certain
pleasure from that, knowing that someone out there if being frustrated, or
wondering what the heck is going on when a portmapper scan that should take
only an instant to complete hangs for twenty or thirty minutes if not
indefinitely.

I am running version 2.2 compiled from source (need to upgrade), and I start
it thusly:
/usr/local/sbin/LaBrea -a -h -v -p 2000 -z -i eth1

On occasion I'll add the -l switch (log to syslog) just to have a look at
it's activity:

Mar 10 04:02:21 asp0 ./LaBrea: Activity: 67.36.215.58 2470 -> x.x.x.22 80
Mar 10 04:02:33 asp0 ./LaBrea: Activity: 139.223.139.10 1060 -> x.x.x.21 80
*
Mar 10 04:02:48 asp0 ./LaBrea: Activity: 156.17.7.40 4684 -> x.x.x.22 80
Mar 10 04:02:51 asp0 ./LaBrea: Activity: 194.247.51.173 4723 ->
208.255.156.21 80 *
Mar 10 04:02:54 asp0 ./LaBrea: Activity: 61.159.34.129 3999 -> x.x.x.22 80
Mar 10 04:03:35 asp0 ./LaBrea: Activity: 64.192.228.49 1606 -> x.x.x.21 80 *
Mar 10 04:03:56 asp0 ./LaBrea: Activity: 148.204.4.1 3820 -> x.x.x.21 80
Mar 10 04:03:57 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80 *
Mar 10 04:04:00 asp0 ./LaBrea: Activity: 145.7.88.157 4656 -> x.x.x.22 80
Mar 10 04:04:59 asp0 ./LaBrea: Capturing: x.x.x.22
Mar 10 04:05:03 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80 *
Mar 10 04:06:09 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80
Mar 10 04:06:22 asp0 ./LaBrea: Activity: 67.36.215.58 2470 -> x.x.x.22 80*
Mar 10 04:06:33 asp0 ./LaBrea: Activity: 139.223.139.10 1060 -> x.x.x.21 80
Mar 10 04:06:49 asp0 ./LaBrea: Activity: 156.17.7.40 4684 -> x.x.x.22 80 *
Mar 10 04:06:55 asp0 ./LaBrea: Activity: 61.159.34.129 3999 -> x.x.x.22 80
Mar 10 08:20:16 asp0 ./LaBrea: Teergrubing: 68.55.218.180 2340 -> x.x.x.22
80
Mar 10 08:20:16 asp0 ./LaBrea: Activity: 68.55.218.180 2340 -> x.x.x.22 80
Mar 10 08:20:16 asp0 ./LaBrea: Activity: 68.55.218.180 2340 -> x.x.x.22 80 *

All those poor scanners just languishing there... ;-)

Hope that helps!
Tim Pierce

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Susan
Sent: Tuesday, March 12, 2002 11:19 PM
To: list at dshield.org
Subject: [Dshield] yea Labrea must have moved


I downloaded it several weeks ago. Got the address I originally sent off
the techie sheet.

But www.hackbusters.net looks about right.

everyone should put this on. The web would be a hacker's nightmare. Just
have to figure how to do juussst right.

well at least an old 486 shouldn't cost more than 35.00

Tell me please Tim how to load it just right. Not sure if running it on
a working system is wise. Seems like it should be a standalone venture.
I wouldn't picnic under fly paper would you? I want to stick ALL the
hacks/junk hits and stop all the scanning period, not just catch what
slips through the wall. It's the scanning that's the problem.

Thanks,
Susan

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list