New tool: LaBrea

Tom Liston tliston at premmag.com
Thu Aug 9 14:27:59 GMT 2001


OK folks, the time has come to fight back...

Following up on my original work on CodeRedneck, I'm pleased to announce a new
tool to let us *ethically* take a stand.  Come on... let's build us some
tarpits.

Announcing: LaBrea

LaBrea is a Linux boot disk, based on the Trinux/Linux distribution
(http://www.trinux.org), combined with the techniques used by CodeRedneck to
set up a "tarpit" on your netblock.  Essentially, what LaBrea does is to create
"virtual machines" on your unused IP addresses, firewall them, and then latch
onto any inbound traffic by using TCP/IP's tenacity against anyone who tries to
connect.

You have a bunch of unused IPs?  Here's what you do:

Get yourself an old machine and a generic NIC.  The machine doesn't need to be
a barn burner (see below).  Heck, it doesn't even need a hard drive!  LaBrea is
run from a RAM disk.

Hook your old doorstop machine up to the network, somewhere where the
portscanners will be sure to find it...

Download the LaBrea boot disk image from http://www.threenorth.com/LaBrea
(Many, *many* thanks to Tim Rushing for hosting this for me!)

Create a real, live boot disk from the image. See instructions at:
http://trinux.sourceforge.net/install.html
(Don't worry... it's easy.  You can do it from Windows or Linux...)

You'll need to pick a main IP address for the LaBrea machine. This IP address
will temporarily need HTTP access to download the packages needed by Trinux to
boot. You'll also need to know the netmask of the IPs you want to use, as well
as your gateway address and the address of a DNS server.

Now, using any text editor, create a list of the IPs (one per line) that you
want to teergrube and save it on the boot floppy under /tux/config as a file
named "LaBrea". (Note: DON'T include the "main" IP address in this list... it
will be taken care of automatically.)

Pop the LaBrea disk into your machine, and boot 'er up.

It *should* recognize your NIC and fire off.  If it doesn't... well, look
around at the Trinux site for help.  (I've fired it up on three machines here
with three different NICs and it recognized every one of them...)

It'll ask you some questions.  First of all, DON'T DO DHCP ADDRESS RESOLUTION.
It won't work, I disabled it, but I didn't feel like digging through the
innards of the Trinux boot disk to remove the question.  So just don't do it...
OK?  Since it can't use DHCP, here's where you'll need to know the IP address,
netmask, gateway, etc... (Remember?  I told you that you'd need to know that...)

Answer the questions, and the boot disk will set up the network connection and
then it'll go out and grab any additional files that it needs to set up and run.
The machine will then alias itself to all of the IPs that you listed. It will
use iptables to DROP all inbound TCP connections, and then it will launch LaBrea
to teergrube ALL connection attempts to those IP addresses.

*ALL* TCP CONNECTION ATTEMPTS.  ON **EVERY** PORT.  :-) :-) :-)

To make the process more automatic the next time you boot, drop into BASH and
run the command "savecfg".  That'll save your IP address, netmask, etc... back
out to the floppy so it won't have to ask you about it if you reboot.

How well does it work?  Well, currently I have a 50 IP "tarpit" running on an
old Pentium 233 that was sitting around without a HDD.  From the logfiles, I
pulled the following information after booting it up and running it for about
45 minutes.  I picked a pretty generic 10 minute "chunk" of time and followed
all of the initial connections that came in:

During my 10 minute sample, I had 54 inbound connections.  Now remember, these
are previously *UNUSED* IP addresses.  There is no reason for anything to come
after them.  All inbound connections were to port 80. (Gee, I wonder what that's
from ;-)

I held onto those 54 connections for an average of 1 minute 41 seconds each.
Therefore, in that 10 minute period, I wasted 1 hour 30 minutes and 32 seconds
of CodeRed scanning time.  But folks, CodeRed is running on NT, and NT has a
*short* TCP time out.  What this does to CodeRed connections ain't nothin'
compared to what it'll do to a Linux based RPCPortmapper scanner:  TWENTY FOUR
MINUTES a connection!

Did I mention that LaBrea is set up to minimize impact on your network?  Using
TCP window advertisement, LaBrea chokes down the inbound packets to 10 data
bytes each.  Let's see... I held onto that RPC scanner for 24 minutes, and all
he got to send me was 170 bytes of data...

This is fun.... Man, this is fun.  I can't think of a time I've enjoyed my job
more...

Some background:
My original proposal can be found here:
http://www.incidents.org/archives/intrusions/msg01215.html

Mihnea Stoenescu's validation of the idea is described here:
http://www.incidents.org/archives/intrusions/msg01239.html

The announcement of CodeRedneck:
http://www.incidents.org/archives/intrusions/msg01262.html

Many thanks to Mihnea Stoenescu, Donald Smith, and Tim Rushing for all of their
help on this.

-TL
