[Dshield] Tracking and Reporting Probes
bmccarty at apu.edu
Wed Mar 27 06:44:04 GMT 2002
Here's the LaBrea traffic I've seen over 2-3 days. Ports 80 and 21 are the
clear winners on my network. Ports 515 and 8080 are distant runners-up.
Mind you, I have no idea whether my data generalize to other networks.
The distribution by IP address, which I don't include, is also strange.
Hosts 99 and 217 are more popular by an order of magnitude than their
peers. I don't know what's special about host 217. The popularity of host
99 suggests that many would-be hackers haven't heard of binary <grin>.
I'm unsure what you mean by LaBrea protecting a web server. Based on my
tests, Nmap breaks off a tarpitted scan rather quickly, moving on to the
next port or host. I presume other scanners do likewise. So, I don't think
LaBrea does much to thwart them. It does seem very effective against
programs that attempt an HTTP Get or other input-output apart from mere
Moreover, I don't see all that many sequential scans. So, putting LaBrea
below (or above) a sensitive host wouldn't seem that helpful, in my view.
However, I'd be delighted to hear contrasting views and experience from
other LaBrea fans <grin>.
Start date: Mar 24 04:13:09
End date: Mar 26 22:22:39
--On Tuesday, March 26, 2002 11:30 AM -0600 Sue Young <smy at gcmlp.com> wrote:
> I'm currently testing LaBrea on one of my extra IP addresses in a DMZ
> that's currently only letting in port 80. I figured that since the
> scanners tend to scan a range, I'll put labrea in a lower ip than I'm
> going to use for a web server in the future. That way, the web server
> will be protected by labrea as well as by thorough patching.
> Any suggestions on the best ports for labrea to use? I could have a
> totally open DMZ, but I'd rather just open a few ports. I'm using the
> @home version until I bother to install a C compiler on the machine and
> compile the real version on 2000.
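An added example, not code from the list post or from the LaBrea project, of the kind of tally behind the port and host counts reported above: it parses LaBrea-style log lines (the line format and the sample lines are constructed assumptions, not real captures), counts Initial Connects per destination port and per destination host's last octet, and flags sources that walked three or more consecutive addresses, which is the sequential-scan case the post discusses.

```python
import re
from collections import Counter, defaultdict

# Constructed LaBrea-style log lines (format assumed; not real captures).
SAMPLE_LOG = """\
1017036789 Initial Connect (tarpitting): 203.0.113.7 3276 -> 192.0.2.99 80
1017036790 Additional Activity: 203.0.113.7 3276 -> 192.0.2.99 80 *
1017036801 Initial Connect (tarpitting): 203.0.113.7 3277 -> 192.0.2.100 80
1017036812 Initial Connect (tarpitting): 203.0.113.7 3278 -> 192.0.2.101 80
1017036900 Initial Connect (tarpitting): 198.51.100.4 41022 -> 192.0.2.217 21
1017036950 Initial Connect (tarpitting): 198.51.100.4 41023 -> 192.0.2.99 515
1017037000 Initial Connect (tarpitting): 198.51.100.9 1040 -> 192.0.2.99 8080
1017037100 Initial Connect (tarpitting): 198.51.100.9 1041 -> 192.0.2.217 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>Initial Connect|Additional Activity)[^:]*: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)"
)

def parse(log):
    """Yield (timestamp, event, src, dst, dport) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["event"], m["src"], m["dst"], int(m["dport"])

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    best = run = 0
    prev = None
    for v in sorted(values):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best

def probe_report(log):
    """Tally Initial Connects only, so a tarpitted client's retransmits
    (Additional Activity) do not inflate the count. Returns
    (probes per dst port, probes per dst host last octet, sequential scanners)."""
    by_port, by_host = Counter(), Counter()
    hosts_by_src = defaultdict(set)
    for _ts, event, src, dst, dport in parse(log):
        if event != "Initial Connect":
            continue
        last_octet = int(dst.rsplit(".", 1)[1])
        by_port[dport] += 1
        by_host[last_octet] += 1
        hosts_by_src[src].add(last_octet)
    # A "sequential scan" here means one source hit 3+ consecutive host addresses.
    sequential = sorted(s for s, h in hosts_by_src.items() if longest_run(h) >= 3)
    return by_port, by_host, sequential
```

Run it as `by_port, by_host, seq = probe_report(SAMPLE_LOG)` and print `by_port.most_common()` and `by_host.most_common()` to get the per-port and per-host ranking the post describes.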