[Dshield] yea LaBrea must have moved

Erick Brockway ebrockway at earthlink.net
Thu Mar 14 02:24:50 GMT 2002


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	If you mean this one;
http://www.hackbusters.net/LaBrea/lbathome.html yes it works at home
very well. I had to run it from the system32 directory where the two
required files were placed for it to find the adapter tho.
	Also, the way the instructions were posted led me to believe my
internet adapter would be listed, but instead the required .dll
(packet.dll) was what had to be selected for it to work.


- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of Steven Hull
Sent: Wednesday, March 13, 2002 5:03 PM
To: list at dshield.org
Subject: Re: [Dshield] yea LaBrea must have moved


Please tell me.....Can I run this on my Win2000 workstation??   I
downloaded the Windows version but not sure about running on my home
machine.  I also am using ZoneAlarm on the same box.  Will it affect
anything or will it even work at all with a Home box w/ZA installed??

Steve

- ----- Original Message -----
From: "Tim Pierce" <tim at qrsparadigm.com>
To: <list at dshield.org>
Sent: Wednesday, March 13, 2002 7:54 AM
Subject: RE: [Dshield] yea LaBrea must have moved


> No problem Susan. I actually do "picnic under flypaper" ;-) so to
> speak, in that I run it on the same bastion hosts as my MTAs and VPN
> servers. It consumes very little resources, and because of the proxy
> arp mechanism by which LaBrea works it doesn't draw any extra
> attention to these machines.
>
> I'm a small fish, having only two /29 blocks to watch over, but
> still like most folks I don't use the majority of my address space.
> LaBrea only answers arp requests that go unanswered by real machines
> actually occupying an IP. Since these requests are being sent to an
> IP that I do not advertise any sort of service on they could only be
> scans. LaBrea happily answers these requests with just enough
> traffic to keep that thread of the scanning machine "on the hook",
> and therefore not moving on to scan elsewhere. In this way my unused
> address space goes to good use.
>
> The idea is that if enough folks ran this or something like it then
> mass scans would run out of steam very quickly when the scanning
> machines run out of resources waiting on replies from machines that
> aren't actually there :-). Aside from the CodeRed scans that
> inspired Tom Liston to write this little nifty, I also pick up all
> sorts of RPC portmap requests, DNS version queries, etc. to machines
> that don't exist. I gotta admit I derive a certain pleasure from
> that, knowing that someone out there is being frustrated, or
> wondering what the heck is going on when a portmapper scan that
> should take only an instant to complete hangs for twenty or thirty
> minutes if not indefinitely.
>
> I am running version 2.2 compiled from source (need to upgrade),
> and I start it thusly:
> /usr/local/sbin/LaBrea -a -h -v -p 2000 -z -i eth1
>
> On occasion I'll add the -l switch (log to syslog) just to have a
> look at its activity:
>
> Mar 10 04:02:21 asp0 ./LaBrea: Activity: 67.36.215.58 2470 -> x.x.x.22 80
> Mar 10 04:02:33 asp0 ./LaBrea: Activity: 139.223.139.10 1060 -> x.x.x.21 80 *
> Mar 10 04:02:48 asp0 ./LaBrea: Activity: 156.17.7.40 4684 -> x.x.x.22 80
> Mar 10 04:02:51 asp0 ./LaBrea: Activity: 194.247.51.173 4723 -> 208.255.156.21 80 *
> Mar 10 04:02:54 asp0 ./LaBrea: Activity: 61.159.34.129 3999 -> x.x.x.22 80
> Mar 10 04:03:35 asp0 ./LaBrea: Activity: 64.192.228.49 1606 -> x.x.x.21 80 *
> Mar 10 04:03:56 asp0 ./LaBrea: Activity: 148.204.4.1 3820 -> x.x.x.21 80
> Mar 10 04:03:57 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80 *
> Mar 10 04:04:00 asp0 ./LaBrea: Activity: 145.7.88.157 4656 -> x.x.x.22 80
> Mar 10 04:04:59 asp0 ./LaBrea: Capturing: x.x.x.22
> Mar 10 04:05:03 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80 *
> Mar 10 04:06:09 asp0 ./LaBrea: Activity: 194.247.49.86 4242 -> x.x.x.21 80
> Mar 10 04:06:22 asp0 ./LaBrea: Activity: 67.36.215.58 2470 -> x.x.x.22 80*
> Mar 10 04:06:33 asp0 ./LaBrea: Activity: 139.223.139.10 1060 -> x.x.x.21 80
> Mar 10 04:06:49 asp0 ./LaBrea: Activity: 156.17.7.40 4684 -> x.x.x.22 80 *
> Mar 10 04:06:55 asp0 ./LaBrea: Activity: 61.159.34.129 3999 -> x.x.x.22 80
> Mar 10 08:20:16 asp0 ./LaBrea: Teergrubing: 68.55.218.180 2340 -> x.x.x.22 80
> Mar 10 08:20:16 asp0 ./LaBrea: Activity: 68.55.218.180 2340 -> x.x.x.22 80
> Mar 10 08:20:16 asp0 ./LaBrea: Activity: 68.55.218.180 2340 -> x.x.x.22 80 *
>
> All those poor scanners just languishing there... ;-)
>
> Hope that helps!
> Tim Pierce
>
> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org]On
> Behalf Of Susan
> Sent: Tuesday, March 12, 2002 11:19 PM
> To: list at dshield.org
> Subject: [Dshield] yea Labrea must have moved
>
>
> I downloaded it several weeks ago. Got the address I originally
> sent off the techie sheet.
>
> But www.hackbusters.net looks about right.
>
> everyone should put this on. The web would be a hacker's nightmare.
> Just have to figure how to do juussst right.
>
> well at least an old 486 shouldn't cost more than 35.00
>
> Tell me please Tim how to load it just right. Not sure if running
> it on a working system is wise. Seems like it should be a
> standalone venture. I wouldn't picnic under fly paper would you? I
> want to stick ALL the hacks/junk hits and stop all the scanning
> period, not just catch what slips through the wall. It's the
> scanning that's the problem.
>
> Thanks,
> Susan
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
>
>
>


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPJAJ8ZkmeTuuwg2cEQKcdACcCkCZiTgVSVLwnDa4VfRvdwwlBOgAnjEa
WMP9H9FMocArJSAa+StQPAUp
=D+7f
-----END PGP SIGNATURE-----
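
An added example, not part of any message in this thread: a Python parser for syslog lines in the format quoted above that reports, per scanner connection, how many log events it produced and how long it stayed "on the hook". The sample lines are constructed (documentation addresses), the function names and the `year` argument are assumptions, and the trailing `*` is accepted but not interpreted because the thread does not say what it means.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format quoted in the thread
# (documentation addresses; destinations redacted as x.x.x.N like the original).
SAMPLE = """\
Mar 10 04:02:21 asp0 ./LaBrea: Activity: 192.0.2.58 2470 -> x.x.x.22 80
Mar 10 04:03:57 asp0 ./LaBrea: Activity: 198.51.100.86 4242 -> x.x.x.21 80 *
Mar 10 04:04:59 asp0 ./LaBrea: Capturing: x.x.x.22
Mar 10 04:05:03 asp0 ./LaBrea: Activity: 198.51.100.86 4242 -> x.x.x.21 80 *
Mar 10 04:06:09 asp0 ./LaBrea: Activity: 198.51.100.86 4242 -> x.x.x.21 80
Mar 10 04:06:22 asp0 ./LaBrea: Activity: 192.0.2.58 2470 -> x.x.x.22 80*
Mar 10 08:20:16 asp0 ./LaBrea: Teergrubing: 203.0.113.180 2340 -> x.x.x.22 80
Mar 10 08:20:16 asp0 ./LaBrea: Activity: 203.0.113.180 2340 -> x.x.x.22 80
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*LaBrea: "
    r"(?P<event>\w+): (?P<rest>.*)$")
FLOW = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+)\s*(?P<star>\*)?$")

def parse(text, year=2002):
    """Yield (time, event, flow dict or None, rest); year is assumed, syslog has none."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a LaBrea line, or wrapped/garbled beyond recovery
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        f = FLOW.match(m["rest"].strip())
        yield ts, m["event"], (f.groupdict() if f else None), m["rest"]

def held_connections(text):
    """Map (src, sport, dst, dport) -> (event count, seconds from first to last event)."""
    seen = defaultdict(list)
    for ts, _event, flow, _rest in parse(text):
        if flow:  # Activity / Teergrubing lines carry a flow; Capturing does not
            key = (flow["src"], int(flow["sport"]), flow["dst"], int(flow["dport"]))
            seen[key].append(ts)
    return {k: (len(v), int((max(v) - min(v)).total_seconds())) for k, v in seen.items()}

def captured_addresses(text):
    """Addresses named in 'Capturing:' lines (kept as logged, redaction included)."""
    return [rest.strip() for _, event, _, rest in parse(text) if event == "Capturing"]
```
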



