[Dshield] Tracking and Reporting Probes

John Hardin johnh at aproposretail.com
Thu Mar 28 01:25:19 GMT 2002

On Wed, 2002-03-27 at 16:49, Bill McCarty wrote:

> Oops! I also notice that my comment below is imprecise. An nmap scan other 
> than an -sT scan doesn't get tarpitted. So, it's not accurate to write that 
> nmap breaks off a tarpitted scan. More correctly, in modes other than -sT, 
> nmap avoids being tarpitted. But, I'm sure you and many others knew what I 
> meant and kindly overlooked the inaccuracy.

No, I was actually wondering about how LaBrea responds to a stealth
scan. I don't suppose there's any reasonable way *to* respond to a
stealth scan...

> I got the following data by grepping, cutting, sorting, and wcing my system 
> log. For example, I did "grep '^Mar 26' /var/log/messages | grep 'Initial 
> Connect' | cut -d ' ' -f 9 | sort -u | wc -l" to get a count of source 
> hosts.

Anybody want to take a hack at a LaBrea log analyzer?

> I don't generally track LaBrea bandwidth via the -b option, because -- as 
> you mention -- LaBrea generates a lot of log traffic. However, I've 
> restarted LaBrea using that mode and will capture a day or two of activity. 
> So far, it seems to be hovering around 45 bytes/second. But, that's almost 
> 4 MB/day of busy signal for would-be hackers <grin>.

BIG grin...

The last couple of days I was under rather heavy attack from what
appeared to be a couple of Code Red (or similar) infected web servers on
DSL. At the peak the avg tarpit bandwidth was about 1300 bytes/sec,
which represents about 3300+ tarpitted connections.

It's dropped off - I think those systems have been taken offline.

One interesting thing I noted was that tarpitting them didn't seem to
slow the attack. They were opening scads and scads of new connections
pretty much constantly. Maybe the worm was "flood scanning" (parallel
vs. sequential) and maybe the host was multiply infected.
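A starting point for the LaBrea log analyzer John asks about, written as an added example for this page rather than code from the thread or from LaBrea itself. It assumes the syslog layout Bill's pipeline implies: a "Mon day time host" prefix followed by "LaBrea: Initial Connect (tarpitting): src sport -> dst dport", so the source address is the ninth space-separated field. The log lines below are constructed samples, and the flood-scan heuristic (several new connections from one source inside one clock minute) is this example's own, chosen to surface the "scads of new connections" pattern described above.

```python
"""Small LaBrea syslog analyzer (added example; assumes the log layout noted above)."""
import re
from collections import Counter, defaultdict

# Constructed sample log. Only "Initial Connect" lines are counted; the
# "Additional Activity" and kernel lines are there to show they are ignored.
SAMPLE_LOG = """\
Mar 26 03:14:07 gw LaBrea: Initial Connect (tarpitting): 10.0.0.5 3201 -> 192.0.2.10 80
Mar 26 03:14:09 gw LaBrea: Initial Connect (tarpitting): 10.0.0.5 3202 -> 192.0.2.11 80
Mar 26 03:14:12 gw LaBrea: Initial Connect (tarpitting): 10.0.0.5 3203 -> 192.0.2.12 80
Mar 26 03:15:30 gw LaBrea: Initial Connect (tarpitting): 10.0.0.9 1025 -> 192.0.2.10 80
Mar 26 03:20:41 gw LaBrea: Additional Activity: 10.0.0.5 3201 -> 192.0.2.10 80
Mar 26 22:10:02 gw LaBrea: Initial Connect (tarpitting): 10.0.0.5 3204 -> 192.0.2.12 80
Mar 27 00:01:55 gw LaBrea: Initial Connect (tarpitting): 10.0.0.77 4444 -> 192.0.2.10 80
Mar 27 00:02:00 gw kernel: unrelated message that must be ignored
"""

# Assumed line layout; " +" after the month tolerates syslog's two-space
# padding of single-digit days, which a fixed "cut -f 9" does not.
INITIAL_CONNECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"LaBrea: Initial Connect \(tarpitting\): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)$"
)


def parse_initial_connects(text):
    """Yield one record per 'Initial Connect' line; every other line is skipped."""
    for line in text.splitlines():
        m = INITIAL_CONNECT_RE.match(line)
        if m:
            yield {
                "date": f"{m['mon']} {int(m['day'])}",  # normalised, e.g. "Mar 26"
                "time": m["time"],
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
            }


def source_hosts(text, date):
    """Unique tarpitted source hosts on one day (the grep|cut|sort -u pipeline)."""
    return sorted({r["src"] for r in parse_initial_connects(text) if r["date"] == date})


def summarize(text, top=5):
    """Per-day totals: tarpitted connections, unique sources, busiest sources."""
    per_day = defaultdict(Counter)
    for r in parse_initial_connects(text):
        per_day[r["date"]][r["src"]] += 1
    return {
        date: {
            "connections": sum(c.values()),
            "unique_sources": len(c),
            "top_sources": c.most_common(top),
        }
        for date, c in per_day.items()
    }


def likely_flood_scanners(text, per_minute=3):
    """Sources that opened at least `per_minute` new connections within one clock minute.

    Heuristic only: a host that keeps opening fresh connections while its earlier
    ones sit in the tarpit is scanning in parallel rather than sequentially.
    """
    buckets = Counter()
    for r in parse_initial_connects(text):
        buckets[(r["src"], r["date"], r["time"][:5])] += 1
    return sorted({src for (src, _day, _minute), n in buckets.items() if n >= per_minute})


if __name__ == "__main__":
    for date, stats in summarize(SAMPLE_LOG).items():
        print(date, stats)
    print("possible flood scanners:", likely_flood_scanners(SAMPLE_LOG))
```

Run it against a real file with `summarize(open("/var/log/messages").read())`. One caveat worth knowing if you keep using the shell pipeline instead: syslog pads days 1 to 9 with an extra space, which shifts `cut -d ' '` field numbering for those dates, so the ninth field is no longer the source address.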

