[Dshield] Tracking and Reporting Probes

Bill McCarty bmccarty at apu.edu
Wed Mar 27 08:18:44 GMT 2002


Oops! I just realized that I failed to make explicit an important 
assumption underlying one of my comments.

If someone uses nmap's TCP scan (-sT) against a LaBrea host, the scan WILL 
be tarpitted. However, if another of nmap's scans is used (specifically 
-sS, -sX, -sF, or -sN), the scan DOESN'T get tarpitted, as no three-way 
handshake occurs. Since the latter types of scans are considered more 
stealthy than a TCP scan, they're more likely to be used. Thus, the very 
type of scan an attacker is likely to choose is one that won't be tarpitted.

Please don't misunderstand this remark as a criticism of LaBrea. A primary 
purpose of LaBrea was to stall TCP connections. It's VERY effective at 
doing so -- that's why I run it <grin>. I don't think LaBrea can, or 
should, be faulted for not stalling connections that haven't been 
consummated, such as those resulting from so-called half-open scans.

Cheers,

---------------------------------------------------
Bill McCarty
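The distinction the post draws, as an added illustration that is not from the original message or from LaBrea's own code: a toy model of a tarpit that can only hold a peer once the three-way handshake completes, run over a constructed packet trace. Everything here is hypothetical (the `simulate_tarpit` state machine, the `classify_probe` labels, the sample addresses); the point it shows a defender is that SYN-only, FIN, NULL and Xmas probes never reach the state a tarpit acts on, so they need their own logging and alerting rather than being counted as "stalled".

```python
"""Toy model (constructed for this example, not LaBrea's implementation) of
why a tarpit that acts on completed three-way handshakes catches connect()
scans but lets half-open and flag-only probes pass through untouched.

Assumed representation: packets are (src, dst_port, flags) tuples in arrival
order, each a first-contact probe or its follow-up from the same peer/port.
"""

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Label the first packet seen from a peer on a port by its flag set."""
    if flags == SYN:
        return "syn"            # start of a normal connect() or of a half-open probe
    if flags == 0:
        return "null-probe"     # no flags at all: never a legitimate opener
    if flags == FIN:
        return "fin-probe"
    if flags == (FIN | PSH | URG):
        return "xmas-probe"
    return "other"


def simulate_tarpit(packets):
    """Walk the trace; return {(src, port): outcome} as the tarpit would see it.

    Outcomes: "tarpitted" (handshake completed, connection held),
    "half-open" (SYN answered with SYN/ACK but no ACK ever came back),
    or the probe label for packets that could never open a connection.
    """
    state = {}      # (src, port) -> "syn-seen" | "tarpitted"
    outcome = {}
    for src, port, flags in packets:
        key = (src, port)
        if key not in state:
            label = classify_probe(flags)
            if label == "syn":
                state[key] = "syn-seen"      # tarpit answers SYN/ACK, waits for ACK
                outcome[key] = "half-open"   # provisional until the ACK arrives
            else:
                outcome[key] = label         # no handshake possible: passes through
        elif state[key] == "syn-seen":
            if (flags & ACK) and not (flags & (SYN | RST)):
                state[key] = "tarpitted"     # third step done: now the tarpit can hold it
                outcome[key] = "tarpitted"
            elif flags & RST:
                outcome[key] = "half-open"   # peer tore the probe down instead of ACKing
    return outcome


def untarpitted_probes(packets):
    """Sorted (src, port, outcome) for everything the tarpit could NOT hold.

    This is the list a defender would feed to scan detection, because these
    probes leave no stalled connection behind as evidence of the scan.
    """
    return sorted((src, port, res)
                  for (src, port), res in simulate_tarpit(packets).items()
                  if res != "tarpitted")


# Constructed trace: documentation addresses, not real hosts.
SAMPLE_PACKETS = [
    ("198.51.100.7", 80, SYN),              # connect()-style open: SYN ...
    ("198.51.100.7", 80, ACK),              # ... then ACK: handshake completes
    ("198.51.100.9", 22, SYN),              # half-open: SYN only ...
    ("198.51.100.9", 22, RST),              # ... reset after the SYN/ACK, no ACK
    ("198.51.100.9", 25, FIN | PSH | URG),  # Xmas probe
    ("198.51.100.11", 443, 0),              # NULL probe
    ("198.51.100.11", 8080, FIN),           # FIN probe
]

if __name__ == "__main__":
    for key, res in sorted(simulate_tarpit(SAMPLE_PACKETS).items()):
        print(f"{key[0]}:{key[1]:<5} -> {res}")
    print("not held by tarpit:", untarpitted_probes(SAMPLE_PACKETS))
```

Only the first peer, which sends the final ACK, ends up `tarpitted`; the other four entries come out as `half-open`, `xmas-probe`, `null-probe` and `fin-probe`, which is exactly the set the post says slips past a handshake-based tarpit and therefore needs a separate detection path.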
