[Dshield] Tracking and Reporting Probes

Clint Byrum cbyrum at erp.com
Thu Mar 28 18:24:10 GMT 2002

On Wed, 2002-03-27 at 17:25, John Hardin wrote:
> On Wed, 2002-03-27 at 16:49, Bill McCarty wrote:
> No, I was actually wondering about how LaBrea responds to a stealth
> scan. I don't suppose there's any reasonable way *to* respond to a
> stealth scan...

Unless I'm mistaken, the "Stealth" scan simply sends a SYN and moves
on.. if it receives a reply later, it notes the port "open". So LaBrea
would show up as a host with all ports open.

> The last couple of days I was under rather heavy attack from what
> appeared to be a couple of Code Red (or similar) infected web servers on
> DSL. At the peak the avg tarpit bandwidth was about 1300 bytes/sec,
> which represents about 3300+ tarpitted connections.
> It's dropped off - I think those systems have been taken offline.
> One interesting thing I noted was that tarpitting them didn't seem to
> slow the attack. They were opening scads and scads of new connections
> pretty much constantly. Maybe the worm was "flood scanning" (parallel
> vs. sequential) and maybe the host was multiply infected.

CodeRed2 opens, IIRC, 300 threads to scan for new hosts in parallel. I
don't recall the number for Nimda, but I'm guessing it is higher. The
theory behind LaBrea is, once you've got all the threads locked up in
LaBrea.. the virus is essentially stalled.

A nice side effect of this is, because the other host isn't infecting
more and more boxes, its not so important that you send reports out
ASAP. Since they're still tied up, you can send them once every few days
or so.

This makes me wonder. I've seen people asking about log analyzers for
LaBrea... is there a LaBrea logs -> DShield format program out there?
Should there be?


Clint Byrum

More information about the list mailing list