[Dshield] labrea listens for ARP

David Dyer-Bennet dd-b at dd-b.net
Mon Mar 18 20:09:40 GMT 2002


Susan <pobox2 at pinn.net> writes:

> I think John is right, it doesn't listen on ports, it listens for ARP
> resquests.  That's the request for a connection coming in via the
> router.

Not quite.  ARP is the protocol used to determine the ethernet address
corresponding to an IP address.  So a new connection to a fictitious
host will be preceded by an ARP request, and LaBrea listens to those
ARP requests (and, importantly, responses).

LaBrea *also* then responds to the actual connection to the port on
the fictitious host.  Any port.  (By default; it's configurable)
Since the entire host is fictitious, it's proper to tarpit all ports
on it. 
-- 
David Dyer-Bennet, dd-b at dd-b.net  /  Ghugle: the Fannish Ghod of Queries
        Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
                 Photos: http://dd-b.lighthunters.net/




More information about the list mailing list