----------  Forwarded Message  ----------
Subject: Active defense gets serious: Announcing LaBrea 2.0
Date: Mon, 17 Sep 2001 12:42:34 -0500
From: "Tom Liston" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, 
<[EMAIL PROTECTED]>


First we slooooowed 'em down...

...Now, we're gonna' STOP 'em.

Announcing: LaBrea 2.0

It all started a few weeks ago when we read this innocent little paragraph in
Chapter 22 of Stevens' TCP/IP Illustrated, Vol. 1:

"The characteristic of the persist state that is different from the
retransmission timeout in Chapter 21 is that TCP never gives up sending
window probes. These window probes continue to be sent at 60-second
intervals until the window opens up or either of the applications using the
connection is terminated."

What a lovely word "NEVER" is....

As you may or may not know, LaBrea 1.x is a small Linux-based application
that puts unused IP addresses on your network to use, creating a "tarpit"
which slows down scans of your address space by establishing connections and
forcing inbound connections to time-out.  LaBrea automates the process of
"grabbing" unused IP addresses and adding them to its pool of "tarpit"
addresses.

But now, thanks to the word NEVER, we can take "active defense" to a whole
new level.

LaBrea is beginning to generate interest in those who know that an active
stance against REAL attackers is necessary to the continued health of the
Internet:

"LaBrea gives its users a tactical advantage over 'zombie' computers like
those compromised by the Code Red worms.  The computer security industry
will find it a very intriguing utility."
-- Rob Rosenberger, editor, Vmyths.com

**New in LaBrea 2.0**

When LaBrea is started with the "-p" flag, it will force connection attempts
into the "persist" state.  You grab 'em, hold 'em, and NEVER let 'em go.

Yes, that's right... I said "*NEVER* LET THEM GO"...

How does it work?  Technical details:  The LaBrea "server" software allows a
normal three-way handshake in response to a connect attempt.  During the
handshake, the server sets a small (5 byte) TCP window.  When the client
sends its first 5 bytes of data, the server responds with a TCP window of 0
(wait). The client then shifts into the "persist" state, where it sends what
are called "window probe" packets at intervals that increase to a maximum of
4 minutes for an NT stack.  The LaBrea server answers these probes to hold
the client in the persist state.  At this point, a connection can be
maintained with a throughput of approximately 1215 bytes per hour.  All of
this can be done without maintaining any "state" on the connections.  This
vastly simplifies LaBrea's code.

Because you're holding connections open, and because there is a bandwidth
"cost" associated with doing that, the "-p" option requires that you specify
the maximum bandwidth (in bytes/second) that you want to allocate to doing
this. You set the maximum bandwidth, fire it off, and LaBrea takes care of
the rest. It keeps a 5 minute running window of bandwidth allocated to
holding open connections, and does its best to keep you at or near the
maximum you allow. (FYI: 1 byte/second is roughly equal to 3 scanning
threads.)
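The mechanism described above, as an added Python model that is not LaBrea's own code: a stateless reply function covering the handshake, the zero-window answer and the window-probe answer, the per-connection holding cost (which reproduces the 1215 bytes/hour figure from a 41-byte probe plus a 40-byte ACK every 4 minutes), and a 5-minute running-window budget standing in for the "-p" limit. The 40-byte header size and the budget's admission rule are assumptions, not details from the announcement.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10
INITIAL_WINDOW = 5    # the small window advertised during the handshake (from the announcement)
HEADER_BYTES = 40     # assumed: minimal IPv4 + TCP headers, no options

@dataclass(frozen=True)
class Segment:
    flags: int
    seq: int
    ack: int
    window: int
    payload_len: int = 0

def persist_reply(seg: Segment, isn: int = 0) -> Optional[Segment]:
    """Reply to one inbound segment using only the fields that segment carries (no stored state)."""
    if seg.flags & SYN and not seg.flags & ACK:
        # Handshake: SYN/ACK with a 5-byte window, so the client can send only 5 bytes of data.
        return Segment(SYN | ACK, isn, seg.seq + 1, INITIAL_WINDOW)
    if seg.flags & ACK and 0 < seg.payload_len <= INITIAL_WINDOW:
        # Data (or a 1-byte window probe): acknowledge it so nothing stays outstanding and
        # advertise window 0; the client then sits in persist. seg.ack gives our own seq number.
        return Segment(ACK, seg.ack, seg.seq + seg.payload_len, 0)
    return None   # bare ACKs and oversized segments get no reply

def hold_cost_bytes_per_hour(probe_interval_s: int = 240) -> int:
    """Cost of one held connection: a 1-byte probe plus our 40-byte ACK per interval (4 min on NT)."""
    return (3600 // probe_interval_s) * ((HEADER_BYTES + 1) + HEADER_BYTES)   # 15 * 81 = 1215

class HoldBudget:
    """Assumed model of the -p limit: a 5-minute running window of bytes spent holding connections."""
    def __init__(self, max_bps: float, window_s: int = 300):
        self.max_bytes, self.window_s = max_bps * window_s, window_s
        self.spent: deque = deque()     # (timestamp, bytes) for each probe/ACK exchange

    def record(self, now: float, nbytes: int) -> None:
        self.spent.append((now, nbytes))

    def used(self, now: float) -> int:
        while self.spent and self.spent[0][0] <= now - self.window_s:
            self.spent.popleft()        # drop exchanges older than the running window
        return sum(b for _, b in self.spent)

    def can_hold_another(self, now: float) -> bool:
        # Admit a new connection into persist only if its projected share of the window fits.
        projected = hold_cost_bytes_per_hour() * self.window_s / 3600
        return self.used(now) + projected <= self.max_bytes
```

Dividing 3600 by the 1215 bytes/hour cost gives about 3, which is where the "1 byte/second is roughly 3 scanning threads" rule of thumb comes from.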

What happens to the threads you don't grab?  LaBrea still tarpits 'em...
just like before.

Using LaBrea before was a whole lot of fun... Now, it's just incredible.
I've had people ping scanning "virtual machines", running NMap on them, and
even some enterprising folks very interested in the version of BIND that my
LaBrea machines are running.  Ladies and gentlemen, we really CAN make a
difference.

But don't just take my word for it: check it out for yourself.  At the
HackBusters site, we have a page showing the current "live" activity in our
very own tarpit.  You can see the folks that are just visiting, and you can
also check out a list of the very "special" people that we're hanging onto
INDEFINITELY.  While you're there, grab a copy of the source code to LaBrea,
or read our white paper entitled "Welcome to My Tarpit - The Tactical and
Strategic Use of LaBrea."

While you're looking at the "VIPs" as we're calling them, notice something:
I've held onto some of them for more than 5 days... No, you didn't misread
that: *5 DAYS*...  And don't be fooled by the fact that everything there
seems to be aimed at port 80.  Hackbusters' lil' chunk o' IP space just seems
to be sitting in the midst of CodeRed central...  LaBrea will capture
anything that tries to initiate a full connection on ANY port.  Over the
weekend, we had some Gnutella scanners on the line until they got a clue and
gave up...

We believe that by using tools like LaBrea, we can actually make a strong
proactive stand to improve the "health" of the Internet.  Please consider
setting up a tarpit.  Please pass the word to others.

See: http://www.hackbusters.net

Questions and comments can be directed to the address on the HackBusters
site.

-------------------------------------------------------

-- 
Douglas J. Hunley ([EMAIL PROTECTED]) - Linux User #174778 
Admin: http://hunley.homeip.net/        Admin: http://linux.nf/ 
Brainbench Linux Administration Certified

~~ Now offering Linux admin services for the home user ~~

/* Am I fucking pedantic or what? */
        2.2.16 /usr/src/linux/drivers/scsi/qlogicpti.h