[Dshield] Tracking and Reporting Probes

Clint Byrum cbyrum at erp.com
Wed Mar 27 19:56:24 GMT 2002

On Wed, 2002-03-27 at 00:18, Bill McCarty wrote:
> Oops! I just realized that I failed to make explicit an important 
> assumption underlying one of my comments.
> If someone uses nmap's TCP scan (-sT) against a LaBrea host, the scan WILL 
> be tarpitted. However, if another of nmap's scans is used (specifically 
> -sS, -sX, -sF, or -sN), the scan DOESN'T get tarpitted, as no three-way 
> handshake occurs. Since the latter types of scans are considered more 
> stealthy than a TCP scan, they're more likely to be used. Thus, the very 
> type of scan an attacker is likely to choose is one that won't be tarpitted.

I should have been more specific in my explanation also. The TCP Stealth
scan is much more common than others, and doesn't get stalled. However,
it is kinda funny that no matter what port they scan, it will show as
open with this type of scan. If nothing else, its a nice way to confuse
Also, eventually, this will waste a little of their time, as the kiddie
who gets back 2000 hits on their, say, port 515 scan, spends a few
minutes on each of your hosts as LaBrea just sits there keeping their
tcp connection open for as long as they're willing to wait. Though, most
of them probably have a litte ADD and will quickly loose patience. ;-)

I wonder though, since LaBrea uses a raw socket and makes its own
packets, what nmap's OS detection shows. I know Nessus detects LaBrea
... I wonder if the kiddiez/blackhats have caught on to the same
approach yet.

Oh dear, I've started rambling...


Clint Byrum

More information about the list mailing list