[Dshield] Tracking and Reporting Probes

John Hardin johnh at aproposretail.com
Wed Mar 27 16:42:03 GMT 2002


On Tue, 2002-03-26 at 22:44, Bill McCarty wrote:

> I'm unsure what you mean by LaBrea protecting a web server. Based on my 
> tests, Nmap breaks off a tarpitted scan rather quickly, moving on to the 
> next port or host. I presume other scanners do likewise. So, I don't think 
> LaBrea does much to thwart them. 

That's why you tarpit your entire assigned network, which LaBrea does by
default if installed as a standalone host, or you can explicitly do by
combining it with Portsentry as I describe.

Does anybody want to see my logs? They're running 400-500KB/hour since
setting up the tarpit (!) - I will have to see if there's a more
efficient way to log once the host has been tarpitted... 

> It does seem very effective against 
> programs that attempt an HTTP Get or other input-output apart from mere 
> handshakes.

In other words, worms. I expect most of the port 80 traffic is worms,
and this is by far *the* most important traffic to tarpit. 

Does anyone know enough of the details of the FTP scanners to see
whether they attempt to chat on the initial connect, and are thus
tarpit-vulnerable?

> Moreover, I don't see all that many sequential scans. So, putting LaBrea 
> below (or above) a sensitive host wouldn't seem that helpful, in my view. 
> However, I'd be delighted to hear contrasting views and experience from 
> other LaBrea fans <grin>.

No, scanners with half a brain randomize the host numbers. Again, that's
why you want to scan-protect and tarpit your entire assigned network.

-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
-----------------------------------------------------------------------
 49 days until Star Wars episode II: Attack of the Clones
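The distinction drawn in this thread, handshake-only scanners leaving quickly while chatty clients such as worms get held, as an added example that is not LaBrea's, Portsentry's or the poster's code. It approximates a tarpit on loopback in userland (LaBrea itself works at the packet level with zero-window ACKs): the accepting socket's receive buffer is clamped to the kernel minimum and never read, so a client that must deliver an HTTP request blocks in send(). It assumes a Linux or BSD host where a tiny SO_RCVBUF is clamped to a few KB.

```python
import socket
import threading

# Added example, not LaBrea's code: an accepting socket that is never read
# from, with its receive buffer clamped to the kernel minimum, so a peer that
# pushes application data stalls while a handshake-only peer is not delayed.

WORM_REQUEST = b"GET / HTTP/1.0\r\n\r\n" * 300_000  # constructed, ~5 MB of "worm" traffic

def start_tarpit(held, stop):
    """Listen on an ephemeral loopback port; accept and hold every connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1)  # clamped to kernel minimum
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()  # accepted sockets inherit the tiny buffer
            except socket.timeout:
                continue
            held.append(conn)  # never read: the window fills and stays full
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(port, payload, timeout=1.0):
    """Connect like a scanner (no payload) or a worm; report whether we got stuck."""
    c = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    c.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 1)  # keep the client queue small too
    try:
        if payload:
            c.sendall(payload)  # blocks once the tarpit's window is exhausted
        return "done"
    except socket.timeout:
        return "stuck"
    finally:
        c.close()

def tarpit_demo():
    """Run a handshake-only probe and a chatty probe against the tarpit."""
    held, stop = [], threading.Event()
    port = start_tarpit(held, stop)
    try:
        scanner = probe(port, b"")        # connect scan: handshake, then moves on
        worm = probe(port, WORM_REQUEST)  # must deliver its request: held
        return {"scanner": scanner, "worm": worm}
    finally:
        stop.set()
        for c in held:
            c.close()

if __name__ == "__main__":
    print(tarpit_demo())
```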