[Dshield] Tracking and Reporting Probes

John Hardin johnh at aproposretail.com
Thu Mar 28 22:12:39 GMT 2002

On Thu, 2002-03-28 at 13:43, James wrote:
> >
> >In my case it'd be redundant. The tarpitted packets are already being
> >blocked by the firewall, which gets reported to dshield. In fact,
> >tarpitting is *magnifying* the apparent size of the attack since I'm now
> >reporting all of the subsequent 1-byte packets.
> How is this, is your firewall blocking or is LaBrea tarpitting? How can
> you have both? Maybe I can learn a few tricks here.

LaBrea hooks into the network stack at a very low (raw packet) level,
well below where packet filtering kicks in.

LaBrea receives a TCP packet from the tarpitted host and responds with
the window size games (or not at all), but DOES NOT absorb the incoming
packet. The packet is then bounced by the DENY rule when it reaches that
layer of the network stack.

I've been sending my DENY logs for scanners for a long time now. This
week I added tarpitting them as well...

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
 48 days until Star Wars episode II: Attack of the Clones

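One way to handle the magnification John describes (every follow-up packet from a tarpitted host also hitting the DENY log) is to collapse the log per TCP flow before reporting, so each scanner connection counts once. This is an added example, not code from the thread or from LaBrea; the iptables-style log format, hostnames and addresses are constructed.

```python
"""Collapse tarpit follow-up packets before reporting firewall DENY logs."""
import re

# Constructed sample (not from the post): iptables-style DENY lines. The first
# SYN per flow is the probe; the later 41-byte packets are the tarpitted
# host re-sending into LaBrea's window games and would inflate a report.
SAMPLE_LOG = """\
Mar 28 21:50:01 gw kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=34567 DPT=80 SYN
Mar 28 21:50:04 gw kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 LEN=41 PROTO=TCP SPT=34567 DPT=80 ACK
Mar 28 21:50:09 gw kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 LEN=41 PROTO=TCP SPT=34567 DPT=80 ACK
Mar 28 21:50:20 gw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1025 DPT=445 SYN
Mar 28 21:50:41 gw kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.9 LEN=41 PROTO=TCP SPT=34567 DPT=80 ACK
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>(?: [A-Z]+)*)$"
)


def parse_deny(line):
    """Return the fields of one DENY line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"])
    pkt["flags"] = pkt["flags"].split()
    return pkt


def collapse_flows(log_text):
    """Group DENY lines by (src, dst, spt, dpt) flow.

    Returns (probes, suppressed): probes holds the first packet seen per flow,
    which is what to report; suppressed maps each flow to the number of
    follow-up packets dropped from the report.
    """
    first = {}          # dict keeps insertion order, so probes stay in log order
    suppressed = {}
    for line in log_text.splitlines():
        pkt = parse_deny(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["dst"], pkt["spt"], pkt["dpt"])
        if key in first:
            suppressed[key] += 1
        else:
            first[key] = pkt
            suppressed[key] = 0
    return list(first.values()), suppressed
```

On the sample above this reports two probes (one per scanner flow) instead of five log lines, and keeps the suppressed count so the tarpit's effect is still visible.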