[Dshield] yea LaBrea must have moved

Steven Hull sphull at oanet.com
Thu Mar 14 01:02:55 GMT 2002


Please tell me.....Can I run this on my Win2000 workstation??   I downloaded
the Windows version but not sure about running on my home machine.  I also
am using ZoneAlarm on the same box.  Will it affect anything or will it even
work at all with a Home box w/ZA installed??

Steve

----- Original Message -----
From: "Tim Pierce" <tim at qrsparadigm.com>
To: <list at dshield.org>
Sent: Wednesday, March 13, 2002 7:54 AM
Subject: RE: [Dshield] yea LaBrea must have moved


> No problem Susan. I actually do "picnic under flypaper" ;-) so to speak, in
> that I run it on the same bastion hosts as my MTAs and VPN servers. It
> consumes very little resources, and because of the proxy arp mechanism by
> which LaBrea works it doesn't draw any extra attention to these machines.
>
> I'm a small fish, having only two /29 blocks to watch over, but still like
> most folks I don't use the majority of my address space. LaBrea only answers
> arp requests that go unanswered by real machines actually occupying an IP.
> Since these requests are being sent to an IP that I do not advertise any
> sort of service on they could only be scans. LaBrea happily answers these
> requests with just enough traffic to keep that thread of the scanning
> machine "on the hook", and therefore not moving on to scan elsewhere. In
> this way my unused address space goes to good use.
>
> The idea is that if enough folks ran this or something like it then mass
> scans would run out of steam very quickly when the scanning machines run out
> of resources waiting on replies from machines that aren't actually there
> :-). Aside from the CodeRed scans that inspired Tom Liston to write this
> little nifty, I also pick up all sorts of RPC portmap requests, DNS version
> queries, etc. to machines that don't exist. I gotta admit I derive a certain
> pleasure from that, knowing that someone out there is being frustrated, or
> wondering what the heck is going on when a portmapper scan that should take
> only an instant to complete hangs for twenty or thirty minutes if not
> indefinitely.
>
> I am running version 2.2 compiled from source (need to upgrade), and I start
> it thusly:
> /usr/local/sbin/LaBrea -a -h -v -p 2000 -z -i eth1
>
> On occasion I'll add the -l switch (log to syslog) just to have a look at
> its activity:
>
> Mar 10 04:02:21 asp0 ./LaBrea: Activity: 67.36.215.58 2470 -> x.x.x.22 80
> Mar 10 04:02:33 asp0 ./LaBrea: Activity: 139.223.139.10 1060 -> x.x.x.21 80 *
> Mar 10 04:02:48 asp0 ./LaBrea: Activity: 156.17.7.40 4684 -> x.x.x.22 80
> Mar 10 04:02:51 asp0 ./LaBrea: Activity: 194.247.51.173 4723 -> 208.255.156.21 80 *
> Mar 10 04:02:54 asp0 ./LaBrea: Activity: 61.159.34.129 3999 -> x.x.x.22 80
> Mar 10 04:03:35 asp0 ./LaBrea: Activity: 64.192.228.49 1606 -> x.x.x.21 80 *
> Mar 10 04:03:56 asp0 ./LaBrea: Activity: 148.204.4.1 3820 -> x.x.x.21 80
> Mar 10 04:03:57 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80 *
> Mar 10 04:04:00 asp0 ./LaBrea: Activity: 145.7.88.157 4656 -> x.x.x.22 80
> Mar 10 04:04:59 asp0 ./LaBrea: Capturing: x.x.x.22
> Mar 10 04:05:03 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80 *
> Mar 10 04:06:09 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80
> Mar 10 04:06:22 asp0 ./LaBrea: Activity: 67.36.215.58 2470 -> x.x.x.22 80*
> Mar 10 04:06:33 asp0 ./LaBrea: Activity: 139.223.139.10 1060 -> x.x.x.21 80
> Mar 10 04:06:49 asp0 ./LaBrea: Activity: 156.17.7.40 4684 -> x.x.x.22 80 *
> Mar 10 04:06:55 asp0 ./LaBrea: Activity: 61.159.34.129 3999 -> x.x.x.22 80
> Mar 10 08:20:16 asp0 ./LaBrea: Teergrubing: 68.55.218.180 2340 -> x.x.x.22 80
> Mar 10 08:20:16 asp0 ./LaBrea: Activity: 68.55.218.180 2340 -> x.x.x.22 80
> Mar 10 08:20:16 asp0 ./LaBrea: Activity: 68.55.218.180 2340 -> x.x.x.22 80 *
>
> All those poor scanners just languishing there... ;-)
>
> Hope that helps!
> Tim Pierce
>
> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
> Susan
> Sent: Tuesday, March 12, 2002 11:19 PM
> To: list at dshield.org
> Subject: [Dshield] yea Labrea must have moved
>
>
> I downloaded it several weeks ago. Got the address I originally sent off
> the techie sheet.
>
> But www.hackbusters.net looks about right.
>
> everyone should put this on. The web would be a hacker's nightmare. Just
> have to figure how to do juussst right.
>
> well at least an old 486 shouldn't cost more than 35.00
>
> Tell me please Tim how to load it just right. Not sure if running it on
> a working system is wise. Seems like it should be a standalone venture.
> I wouldn't picnic under fly paper would you? I want to stick ALL the
> hacks/junk hits and stop all the scanning period, not just catch what
> slips through the wall. It's the scanning that's the problem.
>
> Thanks,
> Susan
>
>
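An added example, not part of the thread and not LaBrea's own code: a small parser for syslog lines in the layout quoted above that groups events by connection tuple to show how long each scanning connection stayed on the hook. The year (syslog omits it) and the sample lines are assumptions constructed for illustration; the trailing `*` is kept as an uninterpreted flag because the post does not explain it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout as in the syslog excerpt quoted above; the trailing "*" is kept
# as an opaque flag because the post does not say what it means.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*LaBrea: (?P<event>\w+): "
    r"(?P<src>\S+)(?: (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+)\s*(?P<flag>\*)?)?\s*$"
)

def parse(line, year=2002):
    """Return a dict for one LaBrea syslog line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog omits the year, so the caller supplies it (assumption: 2002).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["flag"] = rec["flag"] == "*"
    return rec

def held_connections(lines, year=2002):
    """Group events by (src, sport, dst, dport); report event count and span per flow."""
    flows = defaultdict(list)
    for rec in filter(None, (parse(l, year) for l in lines)):
        if rec["sport"] is None:      # e.g. "Capturing: <ip>" carries no flow tuple
            continue
        key = (rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]))
        flows[key].append(rec["ts"])
    return {
        flow: {"events": len(ts), "held_seconds": int((max(ts) - min(ts)).total_seconds())}
        for flow, ts in flows.items()
    }

# Constructed sample in the same layout (documentation address ranges).
SAMPLE = """\
Mar 10 04:02:21 asp0 ./LaBrea: Activity: 192.0.2.58 2470 -> 198.51.100.22 80
Mar 10 04:02:33 asp0 ./LaBrea: Activity: 203.0.113.10 1060 -> 198.51.100.21 80 *
Mar 10 04:04:59 asp0 ./LaBrea: Capturing: 198.51.100.22
Mar 10 04:06:22 asp0 ./LaBrea: Activity: 192.0.2.58 2470 -> 198.51.100.22 80*
Mar 10 08:20:16 asp0 ./LaBrea: Teergrubing: 192.0.2.180 2340 -> 198.51.100.22 80
Mar 10 08:20:16 asp0 ./LaBrea: Activity: 192.0.2.180 2340 -> 198.51.100.22 80 *
""".splitlines()

if __name__ == "__main__":
    ranked = sorted(held_connections(SAMPLE).items(), key=lambda kv: -kv[1]["held_seconds"])
    for flow, stats in ranked:
        print(flow, stats)
```

A source address and port that keep reappearing minutes apart, as in the first flow here, is the same connection still being held open rather than a new probe.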



