[Dshield] Tracking and Reporting Probes

John Hardin johnh at aproposretail.com
Wed Mar 27 16:42:03 GMT 2002

On Tue, 2002-03-26 at 22:44, Bill McCarty wrote:

> I'm unsure what you mean by LaBrea protecting a web server. Based on my 
> tests, Nmap breaks off a tarpitted scan rather quickly, moving on to the 
> next port or host. I presume other scanners do likewise. So, I don't think 
> LaBrea does much to thwart them. 

That's why you tarpit your entire assigned network, which LaBrea does by
default if installed as a standalone host, or you can explicitly do by
combining it with Portsentry as I describe.

Does anybody want to see my logs? They're running 400-500KB/hour since
setting up the tarpit (!) - I will have to see if there's a more
efficient way to log once the host has been tarpitted... 

> It does seem very effective against 
> programs that attempt an HTTP Get or other input-output apart from mere 
> handshakes.

In other words, worms. I expect most of the port 80 traffic is worms,
and this is by far *the* most important traffic to tarpit. 

Does anyone know enough of the details of the FTP scanners to see
whether they attempt to chat on the initial connect, and are thus

> Moreover, I don't see all that many sequential scans. So, putting LaBrea 
> below (or above) a sensitive host wouldn't seem that helpful, in my view. 
> However, I'd be delighted to hear contrasting views and experience from 
> other LaBrea fans <grin>.

No, scanners with half a brain randomize the host numbers. Again, that's
why you want to scan-protect and tarpit your entire assigned network.

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
 49 days until Star Wars episode II: Attack of the Clones

More information about the list mailing list