North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: LaBrea tarpit info and URL

  • From: Roeland Meyer
  • Date: Mon Aug 20 23:37:27 2001

|> From: Patrick Greenwell [mailto:[email protected]]
|> Sent: Sunday, August 19, 2001 6:01 PM
|> 
|> On Sun, 19 Aug 2001, M. David Leonard wrote:
|> 
|> > -------- Original Message --------
|> > From: "Tom Liston" <[email protected]> (by way of Matt Fearnow
|> > <[email protected]>)
|> > Subject: [unisog] New tool: LaBrea
|> > To: [email protected]
|> >
|> > OK folks, the time has come to fight back...
|> >
|> > Following up on my original work on CodeRedneck, I'm 
|> pleased to announce a
|> > new tool to let us *ethically* take a stand.  Come on... 
|> let's build us
|> > some tarpits.
|> 
|> Yawn. So someone adds a timeout to their 
|> scanner/worm/whatever. "Problem"
|> solved.

Didn't we try something like this wrt email address scanners? Only in that
case, we actually tried to poison them. I don't believe that worked very
well either. In addition, it melts down the saint runs you do to manage your
own networks. For various sizes of LANs, this is a problem.

However, a tcp_wrappers boobie-trap mightn't be such a bad idea. It detects
a scan from outside the net-block and tries it's level best to return the
favor with a saint run, reporting whatever it finds. Of course, one needs a
solution for the deadly-embrace problem. Once CodeRed infestation is
confirmed, one has a variety of options.

1) Send demand letter to infested host's owner, to cease and desist.
2) Raise automated blocks, for that host, at your border (adaptive
shielding).
3) Use the CodeRed backdoor to force that host to shutdown, or worse.

However, LaBrea seems useless.