[Dshield] Tracking and Reporting Probes

Bill McCarty bmccarty at apu.edu
Thu Mar 28 00:49:10 GMT 2002


Hi John,

Thanks for the correction. Like you, I use LaBrea to cover all unallocated 
IP addresses within my network. I think that's a good idea. Doing so can 
even complicate some sorts of spoofing. My intention was merely to point 
out that configuring LaBrea on the hosts having an IP address immediately 
below that of a sensitive system doesn't do much to protect the sensitive 
system. I should have gone on to make the point you added.

Oops! I also notice that my comment below is imprecise. An nmap scan other 
than an -sT scan doesn't get tarpitted. So, it's not accurate to write that 
nmap breaks off a tarpitted scan. More correctly, in modes other than -sT, 
nmap avoids being tarpitted. But, I'm sure you and many others knew what I 
meant and kindly overlooked the inaccuracy.

I would be very curious to see the probe volume or LaBrea bandwidth you and 
others experience. I'd like to have some handle on the relative volume of 
threats I see.

I got the following data by grepping, cutting, sorting, and wcing my system 
log. For example, I did "grep '^Mar 26' /var/log/messages | grep 'Initial 
Connect' | cut -d ' ' -f 9 | sort -u | wc -l" to get a count of source 
hosts.

Yesterday, I saw 2,285 initial connects by 84 hosts against my LaBrea zoo, 
attacking a total of 244 LaBrea hosts, which is -- I think -- the entire 
population. Only three ports were attacked: 21, 80, and 111. Port 80 showed 
up 1,429 times, port 21 showed up 823 times, and port 111 showed up 33 
times.

I don't generally track LaBrea bandwidth via the -b option, because -- as 
you mention -- LaBrea generates a lot of log traffic. However, I've 
restarted LaBrea using that mode and will capture a day or two of activity. 
So far, it seems to be hovering around 45 bytes/second. But, that's almost 
4 MB/day of busy signal for would-be hackers <grin>.

Cheers,

--On Wednesday, March 27, 2002 8:42 AM -0800 John Hardin 
<johnh at aproposretail.com> wrote:

>> I'm unsure what you mean by LaBrea protecting a web server. Based on my
>> tests, Nmap breaks off a tarpitted scan rather quickly, moving on to the
>> next port or host. I presume other scanners do likewise. So, I don't
>> think LaBrea does much to thwart them.
>
> That's why you tarpit your entire assigned network....

---------------------------------------------------
Bill McCarty
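The grep/cut/sort/wc counts described in the message, as an added example that is not part of the original post or of LaBrea itself: it runs over a few constructed syslog-style "Initial Connect" lines (the exact LaBrea message layout is an assumption) and, rather than a fixed cut field, locates the "src sport -> dst dport" tuple by scanning for the "->" token, so it also works when the syslog prefix has a different number of fields.

```shell
#!/bin/sh
# Summarise LaBrea "Initial Connect" syslog entries for one day: number of
# connects, distinct attacking hosts, distinct tarpit hosts, and ports hit.
# The log lines below are CONSTRUCTED sample data in an assumed layout,
# not real LaBrea output; only the "src sport -> dst dport" tuple matters.
SAMPLE_LOG='Mar 26 03:12:07 zoo LaBrea: Initial Connect - tarpitting: 198.51.100.7 1031 -> 192.0.2.17 80
Mar 26 03:12:09 zoo LaBrea: Initial Connect - tarpitting: 198.51.100.7 1032 -> 192.0.2.18 80
Mar 26 03:15:41 zoo LaBrea: Initial Connect - tarpitting: 203.0.113.9 4410 -> 192.0.2.17 21
Mar 26 03:20:02 zoo LaBrea: Additional Activity - 203.0.113.9 4410 -> 192.0.2.17 21
Mar 26 04:01:55 zoo LaBrea: Initial Connect - tarpitting: 203.0.113.44 2011 -> 192.0.2.200 111
Mar 27 00:00:03 zoo LaBrea: Initial Connect - tarpitting: 198.51.100.7 1040 -> 192.0.2.17 80'

# Read log lines on stdin; emit "src dst dport" for each Initial Connect
# on the given day (e.g. "Mar 26"). The "->" token anchors the tuple, so
# the number of syslog prefix fields does not matter.
extract_tuples() {
  grep "^$1 " | grep 'Initial Connect' |
  awk '{ for (i = 3; i <= NF - 2; i++)
           if ($i == "->") print $(i-2), $(i+1), $(i+2) }'
}

# Each helper reads the log on stdin and prints a single number.
count_connects() { extract_tuples "$1" | wc -l | tr -d ' '; }
count_sources()  { extract_tuples "$1" | cut -d ' ' -f 1 | sort -u | wc -l | tr -d ' '; }
count_targets()  { extract_tuples "$1" | cut -d ' ' -f 2 | sort -u | wc -l | tr -d ' '; }
# "port count" pairs, busiest port first.
port_counts() {
  extract_tuples "$1" | cut -d ' ' -f 3 | sort | uniq -c | sort -rn |
  awk '{ print $2, $1 }'
}

# Print the same summary the post gives in prose, for one day of the sample.
summarize() {
  day=$1
  echo "$day: $(printf '%s\n' "$SAMPLE_LOG" | count_connects "$day") initial connects" \
       "by $(printf '%s\n' "$SAMPLE_LOG" | count_sources "$day") hosts" \
       "against $(printf '%s\n' "$SAMPLE_LOG" | count_targets "$day") LaBrea hosts"
  printf '%s\n' "$SAMPLE_LOG" | port_counts "$day" |
  while read -r port n; do echo "  port $port: $n"; done
}

summarize 'Mar 26'
```

Point the helpers at a real file with `cat /var/log/messages | count_sources 'Mar 26'` once the tuple layout of your own LaBrea lines has been checked.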
