[Dshield] which ports does labrea like?

Erick Brockway ebrockway at earthlink.net
Sun Mar 17 18:01:48 GMT 2002

	I was under the impression it listened on port 80, since that's the nature
of nimda and code red attacks. Every connection I've seen was on 80.

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
John Sage
Sent: Sunday, March 17, 2002 3:14 AM
To: list at dshield.org
Cc: pobox2 at pinn.net
Subject: Re: [Dshield] which ports does labrea like?

I don't believe that's a question that has any meaning to LaBrea.

LaBrea doesn't listen on, or to ports.

It listens for ARP requests on unused IP addresses, and attaches
itself to incoming probes to any tcp port.

See: http://www.hackbusters.net/LaBrea/

"SECTION 1 - What is it?

LaBrea is a program that creates a tarpit or, as some have called it,
a "sticky honeypot".  LaBrea takes over unused IP addresses on a
network and creates "virtual machines" that answer to connection
attempts.  LaBrea answers those connection attempts in a way that
causes the machine at the other end to get "stuck", sometimes for a
very long time."


- John
Most people don't type their own logfiles;  but, what do I care?

On Sat, Mar 16, 2002 at 11:49:14PM -0500, Susan wrote:
> Question... Which ports does labrea like to use for optimum performance
> when tarpitting?

Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list