LaBrea tarpit info and URL

• Previous message (by thread): LaBrea tarpit info and URL
• Next message (by thread): Using 120k BGP routes on the Lucent AP-1000
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

|> From: Patrick Greenwell [mailto:patrick at cybernothing.org]
|> Sent: Sunday, August 19, 2001 6:01 PM
|> 
|> On Sun, 19 Aug 2001, M. David Leonard wrote:
|> 
|> > -------- Original Message --------
|> > From: "Tom Liston" <tliston at premmag.com> (by way of Matt Fearnow
|> > <matt at incidents.org>)
|> > Subject: [unisog] New tool: LaBrea
|> > To: unisog at sans.org
|> >
|> > OK folks, the time has come to fight back...
|> >
|> > Following up on my original work on CodeRedneck, I'm 
|> pleased to announce a
|> > new tool to let us *ethically* take a stand.  Come on... 
|> let's build us
|> > some tarpits.
|> 
|> Yawn. So someone adds a timeout to their 
|> scanner/worm/whatever. "Problem"
|> solved.

Didn't we try something like this wrt email address scanners? Only in that
case, we actually tried to poison them. I don't believe that worked very
well either. In addition, it melts down the saint runs you do to manage your
own networks. For various sizes of LANs, this is a problem.

However, a tcp_wrappers boobie-trap mightn't be such a bad idea. It detects
a scan from outside the net-block and tries it's level best to return the
favor with a saint run, reporting whatever it finds. Of course, one needs a
solution for the deadly-embrace problem. Once CodeRed infestation is
confirmed, one has a variety of options.

1) Send demand letter to infested host's owner, to cease and desist.
2) Raise automated blocks, for that host, at your border (adaptive
shielding).
3) Use the CodeRed backdoor to force that host to shutdown, or worse.

However, LaBrea seems useless.

• Previous message (by thread): LaBrea tarpit info and URL
• Next message (by thread): Using 120k BGP routes on the Lucent AP-1000
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]