[Dshield] Tracking and Reporting Probes
dshield at webfocus.com
Tue Mar 26 20:57:16 GMT 2002
When running Labrea and a Nimda connection comes in it will catch it and
hold it for x amount of time. Now is the Nimda on the other side in a
state were it can not attack any other machine?
What are the Pros & Cons of putting a socket connection into a tarpit for
the source and the target machines?
At 11:45 AM 3/26/2002 -0800, you wrote:
>On Mon, 2002-03-25 at 21:31, James wrote:
> > Questions,
> > *) Should the Extra IP's be lift in limbo? Will never know what kind of
> > attacks/probes that are happening on the 17 IP's.
>I have to agree with Johannes here and say no, they should be logged.
>This is a good indicator of widespread attacks versus random attacks.
>Plus, more for DShield!
> > *) Should a PC with Labrea be placed in the DMZ to act Network connection
> > for the 17 IP's? Can Now Track , Slowdown and monitor now.
>Actually, I went a step further than this while I was playing with
>Labrea. One of our firewalls is a linux box running ipchains(soon to be
>netfilter, thank you Rusty!). I setup this as my second to last rule(the
>last being to simply deny all):
>ipchains -A filters -p tcp -m 999 -j ACCEPT
>Now, at first this seems like madness! But I also added this:
>ipmasqadm mfw -A -m 999 -r unused.sandbox.ip.address
>Then I had a box with an extra NIC just hooked into this one-PC sandbox
>off the firewall(the firewall has 2 extra NIC's), and ran LaBrea on it.
>So, this meant that *every* TCP connection that didn't get caught by the
>"normal traffic" filters would get sent to LaBrea... including attempted
>connections to invalid ports on *valid* IP addresses.
>I had a lot of fun watching all the Nimda's get bogged down in my 50+ IP
>port 80 tarpit(and with most ports, all 64 of my IP's). At one point it
>had approximately 600 seperate port 80 machines locked up in my mediocre
>tarpit. There were always at least 200 or so transient connections. I
>would spend about 30 minutes each week writing emails to
>I turned this off, however, as the logging left much to be desired, and
>well, there's just something scary about running something like this on
>your production IP addresses. When I move back to iptables, I may turn
>this back on selectively.
>Try this setup, and then try nmapping it. On some older versions of
>nmap, it just segfaults. Most of the time it takes *hours* to complete,
>even with miniscule timeouts.
More information about the list