[Dshield] Tracking and Reporting Probes
bmccarty at apu.edu
Thu Mar 28 00:49:10 GMT 2002
Thanks for the correction. Like you, I use LaBrea to cover all unallocated
IP addresses within my network. I think that's a good idea. Doing so can
even complicate some sorts of spoofing. My intention was merely to point
out that configuring LaBrea on the hosts having an IP address immediately
below that of a sensitive system doesn't do much to protect the sensitive
system. I should have gone on to make the point you added.
Oops! I also notice that my comment below is imprecise. An nmap scan other
than an -sT scan doesn't get tarpitted. So, it's not accurate to write that
nmap breaks off a tarpitted scan. More correctly, in modes other than -sT,
nmap avoids being tarpitted. But, I'm sure you and many others knew what I
meant and kindly overlooked the inaccuracy.
I would be very curious to see the probe volume or LaBrea bandwidth you and
others experience. I'd like to have some handle on the relative volume of
threats I see.
I got the following data by grepping, cutting, sorting, and wcing my system
log. For example, I did "grep '^Mar 26' /var/log/messages | grep 'Initial
Connect' | cut -d ' ' -f 9 | sort -u | wc -l" to get a count of source
Yesterday, I saw 2,285 initial connects by 84 hosts against my LaBrea zoo,
attacking a total of 244 LaBrea hosts, which is -- I think -- the entire
population. Only three ports were attacked: 21, 80, and 111. Port 80 showed
up 1,429 times, port 21 showed up 823 times, and port 111 showed up 33
I don't generally track LaBrea bandwidth via the -b option, because -- as
you mention -- LaBrea generates a lot of log traffic. However, I've
restarted LaBrea using that mode and will capture a day or two of activity.
So far, it seems to be hovering around 45 bytes/second. But, that's almost
4 MB/day of busy signal for would-be hackers <grin>.
--On Wednesday, March 27, 2002 8:42 AM -0800 John Hardin
<johnh at aproposretail.com> wrote:
>> I'm unsure what you mean by LaBrea protecting a web server. Based on my
>> tests, Nmap breaks off a tarpitted scan rather quickly, moving on to the
>> next port or host. I presume other scanners do likewise. So, I don't
>> think LaBrea does much to thwart them.
> That's why you tarpit your entire assigned network....
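The grep/cut/sort/wc pipeline described in the message above, wrapped into a small POSIX shell script, as an added example that is not part of the original post and not LaBrea's own tooling. The sample log lines are constructed for this example, and the field layout (source IP in field 9, target IP in field 12, target port in field 13) is an assumption chosen to match the cut -f 9 the message uses; check the line format your own LaBrea build writes and adjust the field numbers before using it.

```shell
#!/bin/sh
# Added example: summarize LaBrea "Initial Connect" syslog entries for one day
# (sources seen, tarpit hosts hit, hits per port), in the spirit of the
# grep | cut | sort -u | wc -l one-liner from the post.
#
# ASSUMED (constructed) line layout, space-separated fields:
#   1 Mon  2 day  3 time  4 host  5 tag  6 Initial  7 Connect  8 -
#   9 src_ip  10 src_port  11 ->  12 dst_ip  13 dst_port
# Syslog pads single-digit days with an extra space ("Mar  6"), so the
# DAY argument must be given exactly as it appears in the log.

LOGFILE="${LOGFILE:-$(mktemp)}"

# Constructed sample log: not real traffic. Lines 6 and 7 must be
# excluded by the date filter and the "Initial Connect" filter respectively.
cat > "$LOGFILE" <<'EOF'
Mar 26 00:01:02 gw LaBrea: Initial Connect - 198.51.100.7 4321 -> 192.0.2.10 80
Mar 26 00:01:03 gw LaBrea: Initial Connect - 198.51.100.7 4322 -> 192.0.2.11 80
Mar 26 00:05:44 gw LaBrea: Initial Connect - 203.0.113.9 1025 -> 192.0.2.10 21
Mar 26 01:17:09 gw LaBrea: Initial Connect - 203.0.113.9 1026 -> 192.0.2.12 111
Mar 26 02:30:00 gw LaBrea: Initial Connect - 198.51.100.8 6000 -> 192.0.2.11 80
Mar 27 00:00:01 gw LaBrea: Initial Connect - 198.51.100.7 4400 -> 192.0.2.10 80
Mar 26 03:00:00 gw LaBrea: Additional Activity - 198.51.100.7 4321 -> 192.0.2.10 80
EOF

# select_day DAY FILE : "Initial Connect" lines whose syslog prefix is DAY.
# The trailing space in the anchor keeps "Mar 2" from matching "Mar 26".
select_day() {
    grep "^$1 " "$2" | grep 'Initial Connect'
}

# count_connects DAY FILE : total initial connects that day.
count_connects() {
    select_day "$1" "$2" | wc -l | tr -d ' '
}

# count_sources DAY FILE : distinct attacking hosts (field 9).
count_sources() {
    select_day "$1" "$2" | cut -d ' ' -f 9 | sort -u | wc -l | tr -d ' '
}

# count_targets DAY FILE : distinct tarpit addresses that were hit (field 12).
count_targets() {
    select_day "$1" "$2" | cut -d ' ' -f 12 | sort -u | wc -l | tr -d ' '
}

# port_histogram DAY FILE : "count port" pairs, busiest port first (field 13).
port_histogram() {
    select_day "$1" "$2" | cut -d ' ' -f 13 | sort | uniq -c | sort -rn \
        | sed 's/^ *//'
}

# port_hits DAY FILE PORT : hits against one target port (0 if none).
port_hits() {
    select_day "$1" "$2" | awk -v p="$3" '$13 == p' | wc -l | tr -d ' '
}

# report DAY FILE : the one-paragraph summary the post gives by hand.
report() {
    day="$1"; file="$2"
    printf '%s: %s initial connects by %s hosts against %s tarpit hosts\n' \
        "$day" "$(count_connects "$day" "$file")" \
        "$(count_sources "$day" "$file")" "$(count_targets "$day" "$file")"
    port_histogram "$day" "$file" | while read -r n port; do
        printf '  port %s: %s\n' "$port" "$n"
    done
}

report 'Mar 26' "$LOGFILE"
```

The counts this produces are only as good as the date filter: a day argument without the trailing-space anchor, or a log that has rolled over past midnight, will silently mix days, which is worth keeping in mind when comparing numbers across a list like this one.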