[Dshield] Re: picnicking under flypaper
neilr at ieee.org
Thu Mar 14 18:57:32 GMT 2002
At 09:25 PM 3/13/2002, you wrote:
>I investigated setting up a tar pit on my private little PC, but not only
>does LaBrea not work over PPP, but Zone Alarm already places unused ports
>in a "stealth" mode -- meaning that a port scan returns *nothing*, as if
>the machine doesn't exist. This, it turns out, takes substantially longer
>to resolve than a "denied" message and as such slows things down by a
>factor of 10 or more. Maybe there's a Linux utility that does a similar
>thing. Personally, I'd rather slow people down by being invisible than
>tempt a DDOS with something like LaBrea.

My understanding was that LaBrea worked by refusing to acknowledge
anything after the first two steps in the 3-step TCP handshake process,
giving the appearance that there was network trouble and counting on the
probing machine to have a longer timeout for "successful" connections than
non-successful ones. Kinda like having an answering machine where it plays
a 90 second recording of a phone ringing: the connection was successful,
but the caller doesn't know it; thus, there's no "Denied" message, but no
connection, either. In both cases, the caller sits around waiting and
waiting, and in some cases will try to make the connection again before
finally giving up.

In other words: I don't understand your concern that you will invite a
DDOS attack upon yourself, nor your statement that being in stealth mode
took longer for each connection than creating an incomplete handshake;
could you clarify this, please?

Supreme Lord High Commander and Keeper of the Holy Potato

Random thought for the day:
A debugged program is one for which you have not yet
found the conditions that make it fail.
-- Jerry Ogdin
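
The three responder behaviours discussed in this thread (a "denied" reply, a silently dropped probe, and a handshake that is answered and then ignored) laid out as a timeline model. This is an added example, not part of the original message and not LaBrea's code; the round-trip time, retry counts, timeouts and both client profiles are assumed values.

```python
# Added illustration: toy timeline of ONE TCP probe against three responder
# behaviours. Every timing value is an assumed client setting, not a measurement.
MODES = ("reject", "stealth", "tarpit")

# Constructed client profiles (hypothetical values chosen for the example).
PROFILES = {
    "impatient scanner": dict(initial_rto=1.0, syn_retries=0, app_timeout=5.0),
    "patient TCP stack": dict(initial_rto=3.0, syn_retries=5, app_timeout=30.0),
}

def probe(mode, rtt=0.1, initial_rto=3.0, syn_retries=2, app_timeout=30.0):
    """Return (events, seconds_held) for a single connection attempt.

    reject  - responder answers the SYN with RST (the "denied" case)
    stealth - responder silently drops the SYN
    tarpit  - responder sends SYN-ACK, then ignores everything that follows
    """
    events = [(0.0, "client -> SYN")]
    if mode == "reject":
        events.append((rtt, "responder -> RST"))
        return events, rtt
    if mode == "stealth":
        t, rto = 0.0, initial_rto
        for _ in range(syn_retries):      # each unanswered SYN is resent
            t += rto
            events.append((t, "client -> SYN (retransmit)"))
            rto *= 2                      # exponential backoff between retries
        t += rto                          # wait out the final timer
        events.append((t, "client gives up: connect timed out"))
        return events, t
    if mode == "tarpit":
        events.append((rtt, "responder -> SYN-ACK"))
        events.append((rtt, "client -> ACK, then first data segment"))
        t = rtt + app_timeout             # nothing after the SYN-ACK is answered
        events.append((t, "client gives up: no reply to data"))
        return events, t
    raise ValueError(f"unknown mode: {mode}")

def compare(profiles=PROFILES):
    """Seconds one probe is held, per client profile and responder mode."""
    return {name: {m: probe(m, **cfg)[1] for m in MODES}
            for name, cfg in profiles.items()}

if __name__ == "__main__":
    for name, held in compare().items():
        print(name, {m: round(s, 1) for m, s in held.items()})
```

In this model, whether the dropped probe or the unanswered handshake holds the client longer depends entirely on the client's own retry and timeout settings.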