Maybe an addition to this is give random responces to mask what a real OS would produce (after a LONG timeout of course) On Monday 17 September 2001 04:02 pm, you wrote: > For those of you not on the security announcement list from securityfocus, > here's a nice little program which looks pretty sweet. I haven't tried it > yet though. If you go to their site, you can view hosts that have been > "tarpitted" and for how long. > ======================= > > First we slooooowed 'em down... > > ...Now, we're gonna' STOP 'em. > > Announcing: LaBrea 2.0 > > It all started a few weeks ago when we read this innocent little paragraph > in Chapter 22 of Steven's TCP/IP Illustrated, Vol. 1: > > "The characteristic of the persist state that is different from the > retransmission timeout in Chapter 21 is that TCP never gives up sending > window probes. These window probes continue to be sent at 60-second > intervals until the window opens up or either of the applications using the > connection is terminated." > > What a lovely word "NEVER" is.... > > As you may or may not know, LaBrea 1.x is a small Linux-based application > that puts unused IP addresses on your network to use, creating a "tarpit" > which slows down scans of your address space by establishing connections > and forcing inbound connections to time-out. LaBrea automates the process > of "grabbing" unused IP addresses and adding them to its pool of "tarpit" > addresses. > > But now, thanks to the word NEVER, we can take "active defense" to a whole > new level. > > LaBrea is beginning to generate interest in those who know that an active > stance against REAL attackers is necessary to the continued health of the > Internet: > > "LaBrea gives its users a tactical advantage over 'zombie' computers like > those compromised by the Code Red worms. The computer security industry > will find it a very intriguing utility." > -- Rob Rosenberger, editor, Vmyths.com > > **New in LaBrea 2.0** > > When LaBrea is started with the "-p" flag, it will force connection > attempts into the "persist" state. You grab 'em, hold 'em, and NEVER let > 'em go. > > Yes, that's right... I said "*NEVER* LET THEM GO"... > > How does it work? Technical details: The LaBrea "server" software allows > a normal three-way handshake in response to a connect attempt. During the > handshake, the server sets a small (5 byte) TCP window. When the client > sends its first 5 bytes of data, the server responds with a TCP window of 0 > (wait). The client then shifts into the "persist" state, where it sends > what are called "window probe" packets at intervals that increase to a > maximum of 4 minutes for an NT stack. The LaBrea server answers these > probes to hold the client in the persist state. At this point, a > connection can be maintained with a throughput of approximately 1215 bytes > per hour. All of this can be done without maintaining any "state" on the > connections. This vastly simplifies LaBrea's code. > > Because you're holding connections open, and because there is a bandwidth > "cost" associated with doing that, the "-p" option requires that you > specify the maximum bandwidth (in bytes/second) that you want to allocate > to doing this. You set the maximum bandwidth, fire it off, and LaBrea takes > care of the rest. It keeps a 5 minute running window of bandwidth allocated > to holding open connections, and does it's best to keep you at or near the > maximum you allow. > (FYI: 1 byte/second is roughly equal to 3 scanning threads). > > What happens to the threads you don't grab? LaBrea still tarpit's 'em... > just like before. > > Using LaBrea before was a whole lot of fun... Now, it's just incredible. > I've had people ping scanning "virtual machines", running NMap on them, and > even some enterprising folks very interested in the version of BIND that my > LaBrea machines are running. Ladies and gentlemen, we really CAN make a > difference. > > But don't just take my word for it: check it out for yourself. At the > HackBusters site, we have a page showing the current "live" activity in our > very own tarpit. You can see the folks that are just visiting, and you can > also check out a list of the very "special" people that we're hanging onto > INDEFINITELY. While you're there, grab a copy of the source code to > LaBrea, or read our white paper entitled "Welcome to My Tarpit - The > Tactical and Strategic Use of LaBrea." > > While you're looking at the "VIPs" as we're calling them, notice something: > I've held onto some of them for more than 5 days... No, you didn't mis-read > that: *5 DAYS*... And don't be fooled by the fact that everything there > seems to be aimed at port 80. Hackbusters lil' chunk o' IP space just > seems to be sitting in the midst of CodeRed central... LaBrea will capture > anything that tries to initiate a full connection on ANY port. Over the > weekend, we had some Gnutella scanners on the line until they got a clue > and gave up... > > We believe that by using tools like LaBrea, we can actually make a strong > proactive stand to improve the "health" of the Internet. Please consider > setting up a tarpit. Please pass the word to others. > > See: http://www.hackbusters.net > > Questions and comments can be directed to the address on the HackBusters > site. > _______________________________________________ > tclug-list mailing list > tclug-list at mn-linux.org > https://mailman.mn-linux.org/mailman/listinfo/tclug-list -- Jay Kline list at slushpupie.com http://www.slushpupie.com -- You will live a long, healthy, happy life and make bags of money.