[Dshield] Re: picnicking under flypaper

Neil Richardson neilr at ieee.org
Thu Mar 14 18:57:32 GMT 2002

At 09:25 PM 3/13/2002, you wrote:
>I investigated setting up a tar pit on my private little PC, but not only 
>does LaBrea not work over PPP, but Zone Alarm already places unused ports 
>in a "stealth" mode -- meaning that a port scan returns *nothing*, as if 
>the machine doesn't exist.  This, it turns out, takes substantially longer 
>to resolve than a "denied" message and as such slows things down by a 
>factor of 10 or more.  Maybe there's a Linux utility that does a similar 
>thing.  Personally, I'd rather slow people down by being invisible than 
>tempt a DDOS with something like LaBrea.

    My understanding was that LaBrea worked by refusing to acknowledge 
anything after the first two steps in the 3-step TCP handshake process, 
giving the appearance that there was network trouble and counting on the 
probing machine to have a longer timeout for "successful" connections than 
non-successful ones.  Kinda like having an answering machine where it plays 
a 90 second recording of a phone ringing: the connection was successful, 
but the caller doesn't know it; thus, there's no "Denied" message, but no 
connection, either.  In both cases, the caller sits around waiting and 
waiting, and in some cases will try to make the connection again before 
finally giving up.

    In other words: I don't understand your concern that you will invite a 
DDOS attack upon yourself, nor your statement that being in stealth mode 
took longer for each connection than creating an incomplete handshake; 
could you clarify this, please?

-Neil R.

Supreme Lord High Commander and Keeper of the Holy Potato
Random thought for the day:

    A debugged program is one for which you have not yet
    found the conditions that make it fail.
          -- Jerry Ogdin
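
The three responses discussed in this thread ("denied", "stealth", and a LaBrea-style handshake that stops after its first two steps), as an added illustration that is not part of the original message: a small model of how long one connection attempt holds a probing client. The names `ClientTimers` and `probe`, every timer value, and the premise that the prober uses an ordinary OS TCP stack with doubling retransmission timeouts are assumptions of this sketch, not measurements.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientTimers:
    """Prober-side TCP timers. Every value here is an assumption, not a measurement."""
    syn_rto: float = 3.0     # wait before the first SYN retransmission (seconds)
    syn_retries: int = 5     # SYN retransmissions before connect() fails
    data_rto: float = 1.0    # wait before the first data retransmission
    data_retries: int = 8    # data retransmissions before the socket errors out
    max_rto: float = 120.0   # ceiling on the doubled timeout

def backoff_total(first, retries, cap):
    """Seconds spent on one send plus `retries` retransmissions, doubling the wait each time."""
    wait, total = first, 0.0
    for _ in range(retries + 1):
        total += wait
        wait = min(wait * 2, cap)
    return total

def probe(policy, timers=ClientTimers(), rtt=0.25):
    """Return (segment trace, seconds the client is held) for one connection attempt."""
    trace = ["C->S SYN"]
    if policy == "denied":    # closed port: the host answers with a reset
        return trace + ["S->C RST"], rtt
    if policy == "stealth":   # firewall drops the SYN, nothing comes back
        trace += ["C->S SYN (retransmit)"] * timers.syn_retries
        held = backoff_total(timers.syn_rto, timers.syn_retries, timers.max_rto)
        return trace + ["client: connect timed out"], held
    if policy == "tarpit":    # steps 1 and 2 of the handshake, then silence
        trace += ["S->C SYN-ACK", "C->S ACK", "C->S DATA"]
        trace += ["C->S DATA (retransmit)"] * timers.data_retries
        held = rtt + backoff_total(timers.data_rto, timers.data_retries, timers.max_rto)
        return trace + ["client: connection timed out"], held
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    for name in ("denied", "stealth", "tarpit"):
        trace, held = probe(name)
        print(f"{name:8s} held {held:7.2f}s, {len(trace)} events")
    # A client that gives up quickly on established connections leaves the tarpit sooner
    print(probe("tarpit", ClientTimers(data_retries=2))[1])
```

Under these assumed timers the tarpit holds the client longer than a silent drop, but the ordering reverses for a client that abandons established connections quickly, which is the dependency on the prober's timeouts that the message mentions.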
