[Dshield] Tracking and Reporting Probes

Clint Byrum cbyrum at erp.com
Tue Mar 26 19:45:53 GMT 2002


On Mon, 2002-03-25 at 21:31, James wrote:
> 
> 
> Questions,
> *)  Should the extra IPs be left in limbo?  Will never know what kind of 
> attacks/probes that are happening on the 17 IPs.

I have to agree with Johannes here and say no, they should be logged.
This is a good indicator of widespread attacks versus random attacks.
Plus, more for DShield!

> 
> *)  Should a PC with Labrea be placed in the DMZ to act as the network connection 
> for the 17 IPs?   Can now track, slow down and monitor.
> 

Actually, I went a step further than this while I was playing with
Labrea. One of our firewalls is a linux box running ipchains (soon to be
netfilter, thank you Rusty!). I set this up as my second-to-last rule (the
last being to simply deny all):

ipchains -A filters -p tcp -m 999 -j ACCEPT

Now, at first this seems like madness! But I also added this:

ipmasqadm mfw -A -m 999 -r unused.sandbox.ip.address

Then I had a box with an extra NIC just hooked into this one-PC sandbox
off the firewall (the firewall has 2 extra NICs), and ran LaBrea on it.
So, this meant that *every* TCP connection that didn't get caught by the
"normal traffic" filters would get sent to LaBrea... including attempted
connections to invalid ports on *valid* IP addresses.

I had a lot of fun watching all the Nimdas get bogged down in my 50+ IP
port 80 tarpit (and with most ports, all 64 of my IPs). At one point it
had approximately 600 separate port 80 machines locked up in my mediocre
tarpit. There were always at least 200 or so transient connections. I
would spend about 30 minutes each week writing emails to
abuse/security/noc addresses.

I turned this off, however, as the logging left much to be desired, and
well, there's just something scary about running something like this on
your production IP addresses. When I move back to iptables, I may turn
this back on selectively. 

Try this setup, and then try nmapping it. On some older versions of
nmap, it just segfaults. Most of the time it takes *hours* to complete,
even with minuscule timeouts. 

-- 

------------------------------
Clint Byrum
ERP.COM 
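The rule ordering Clint describes (normal-traffic ACCEPT rules first, then a catch-all that accepts any remaining TCP but marks it 999, then deny-all, with ipmasqadm rewriting marked packets to the LaBrea sandbox) is easy to get wrong if the catch-all ends up above the service rules. The following is an added illustration, not code from the post or from LaBrea: a small pure-Python model of that evaluation order, so the effect of the two commands can be seen without an ipchains kernel. The addresses, the "normal traffic" service list and the sandbox IP are constructed placeholders.

```python
"""Model of the ipchains + ipmasqadm ordering described in the post.

Added example, not the poster's actual firewall script. It emulates the
top-to-bottom evaluation of a 'filters' chain followed by the masquerade
forwarding stage. All addresses and the service list are constructed.
"""
from dataclasses import dataclass

SANDBOX_IP = "192.0.2.254"   # hypothetical unused address where LaBrea listens
TARPIT_MARK = 999            # the "-m 999" value from the post


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


# Constructed stand-in for the "normal traffic" filters: services that are
# genuinely offered on particular addresses and must never hit the tarpit.
NORMAL_TRAFFIC = {
    ("192.0.2.10", 80),    # web server
    ("192.0.2.10", 443),
    ("192.0.2.20", 25),    # mail server
}


def filters_chain(pkt):
    """Walk the chain top to bottom and return (verdict, mark).

    Order mirrors the post:
      1. ACCEPT the known-good services (the "normal traffic" filters)
      2. 'ipchains -A filters -p tcp -m 999 -j ACCEPT'
         (in ipchains, -m *sets* a mark on the matched packet)
      3. deny everything else
    """
    if pkt.proto == "tcp" and (pkt.dst_ip, pkt.dst_port) in NORMAL_TRAFFIC:
        return "ACCEPT", None
    if pkt.proto == "tcp":
        return "ACCEPT", TARPIT_MARK
    return "DENY", None


def masq_forward(verdict, mark, pkt):
    """Emulate 'ipmasqadm mfw -A -m 999 -r <sandbox>'.

    Packets carrying the mark are rewritten to the sandbox address; unmarked
    accepted packets keep their original destination; denied packets vanish.
    """
    if verdict == "DENY":
        return None
    if mark == TARPIT_MARK:
        return SANDBOX_IP
    return pkt.dst_ip


def route(pkt):
    """Final destination after both stages, or None if the packet is dropped."""
    verdict, mark = filters_chain(pkt)
    return masq_forward(verdict, mark, pkt)


if __name__ == "__main__":
    # Constructed sample traffic: a real web hit, a probe at an unused port on
    # a live host, a probe at an unused address, and a stray UDP datagram.
    samples = [
        Packet("tcp", "192.0.2.10", 80),
        Packet("tcp", "192.0.2.10", 22),
        Packet("tcp", "192.0.2.99", 80),
        Packet("udp", "192.0.2.10", 53),
    ]
    for p in samples:
        print(f"{p.proto} {p.dst_ip}:{p.dst_port} -> {route(p)}")
```

The two things worth noticing in the model are the ones the post hints at: a TCP SYN to a closed port on a *valid* address is still accepted (so the attacker sees a tarpit, not a RST), and anything that is not TCP never reaches the mark rule and falls through to the deny-all, which is why this catch-all only affects TCP scanners.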
