[Dshield] Tracking and Reporting Probes

Bill McCarty bmccarty at apu.edu
Wed Mar 27 06:44:04 GMT 2002


Hi Sue,

Here's the LaBrea traffic I've seen over 2-3 days. Ports 80 and 21 are the 
clear winners on my network. Ports 515 and 8080 are distant runners-up. 
Mind you, I have no idea whether my data generalize to other networks.

The distribution by IP address, which I don't include, is also strange. 
Hosts 99 and 217 are more popular by an order of magnitude than their 
peers. I don't know what's special about host 217. The popularity of host 
99 suggests that many would-be hackers haven't heard of binary <grin>.

I'm unsure what you mean by LaBrea protecting a web server. Based on my 
tests, Nmap breaks off a tarpitted scan rather quickly, moving on to the 
next port or host. I presume other scanners do likewise. So, I don't think 
LaBrea does much to thwart them. It does seem very effective against 
programs that attempt an HTTP GET or other input-output apart from mere 
handshakes.

Moreover, I don't see all that many sequential scans. So, putting LaBrea 
below (or above) a sensitive host wouldn't seem that helpful, in my view. 
However, I'd be delighted to hear contrasting views and experience from 
other LaBrea fans <grin>.

Cheers,



Start date: Mar 24 04:13:09
End date:   Mar 26 22:22:39

Count: 7055

Target ports
============
  548:     1
12345:     1
   80:  4112
  515:   538
  113:     2
27374:     1
  111:    33
  443:     1
   23:     7
   22:    55
   21:  2140
 8080:   163
  139:     1

--On Tuesday, March 26, 2002 11:30 AM -0600 Sue Young <smy at gcmlp.com> wrote:

> I'm currently testing LaBrea on one of my extra IP addresses in a DMZ
> that's currently only letting in port 80.  I figured that since the
> scanners tend to scan a range, I'll put labrea in a lower ip than I'm
> going to use for a web server in the future.  That way, the web server
> will be protected by labrea as well as by thorough patching.
>
> Any suggestions on the best ports for labrea to use?  I could have a
> totally open DMZ, but I'd rather just open a few ports.  I'm using the
> @home version until I bother to install a C compiler on the machine and
> compile the real version on 2000.

---------------------------------------------------
Bill McCarty
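A small summariser that produces a report in the same shape as the port table above, added here as an example; it is not Bill's script, and the log line layout it parses is an assumption (a constructed, syslog-like sample), since the thread does not show LaBrea's raw output. It also emits the per-destination-host distribution Bill mentions but leaves out of his post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. The layout (timestamp, event, src ip port -> dst ip port)
# is an assumption for this example, not LaBrea's documented format.
SAMPLE_LOG = """\
Mar 24 04:13:09 Initial Connect (tarpitting): 192.0.2.10 4411 -> 198.51.100.99 80
Mar 24 04:13:10 Initial Connect (tarpitting): 192.0.2.10 4412 -> 198.51.100.99 21
Mar 24 09:02:33 Initial Connect (tarpitting): 192.0.2.77 3310 -> 198.51.100.217 80
Mar 25 16:40:01 Initial Connect (tarpitting): 203.0.113.5 1025 -> 198.51.100.99 8080
Mar 26 22:22:39 Initial Connect (tarpitting): 203.0.113.5 1026 -> 198.51.100.12 515
this line is noise and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) Initial Connect[^:]*: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) \d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<port>\d+)$"
)


def summarize(text, year=2002):
    """Return (start, end, count, port_counter, host_counter) for tarpitted connects."""
    ports, hosts = Counter(), Counter()
    start = end = None
    count = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not "Initial Connect" events
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        start = ts if start is None or ts < start else start
        end = ts if end is None or ts > end else end
        count += 1
        ports[int(m["port"])] += 1
        hosts[int(m["dst"].rsplit(".", 1)[1])] += 1  # last octet, as in Bill's "host 99"
    return start, end, count, ports, hosts


def report(text, year=2002):
    """Render the summary in the same layout as the post's port table, most hit first."""
    start, end, count, ports, hosts = summarize(text, year)
    if count == 0:
        return "Count: 0 (no tarpitted connects found)"
    lines = [f"Start date: {start:%b %d %H:%M:%S}", f"End date:   {end:%b %d %H:%M:%S}",
             f"Count: {count}", "", "Target ports", "============"]
    lines += [f"{p:>5}: {n:>5}" for p, n in ports.most_common()]
    lines += ["", "Target hosts (last octet)", "========================="]
    lines += [f"{h:>5}: {n:>5}" for h, n in hosts.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```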

