I've been using labrea on both a Suse 7.3 Vmware hosted by WinXP, and Trinux http://trinux.sourceforge.net boot disk on a 486 box. Both were used behind a SMC Barricade NAT/firewall router on a cable connection. An unused IP was designated as DMZ. Labrea "captures" unused IPs and makes virtual machines of them. The virtual machines even include a fake MAC address. Therefore when my cable IP gets scanned, Labrea "teergrubes"/tarpits the scan. From what I've been told, if it is one of the scanning programs that the script kiddies use, then the only way to break the connection is either to restart the scanner or the computer.
The most useful part of this for me is the record of the offending IPs that labrea gives me. I contact the ISP of the offender and tell them that they either have an infected box or a malicious action by a user. Also, there are scripts available that automatically send the info to Dshield.org. They can then post the info and notify the offending ISP. Also, IMHO, this type of slowing down of scans should - over time - discourage purposeful scanning of IP blocks that stop the simple script kiddie scanners with Labrea. Again, IMHO :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hugo
Sent: Wednesday, June 05, 2002 4:41 PM
To: [EMAIL PROTECTED]
Subject: fw and labrea

Has anyone used labrea on the network perimeter? I would really appreciate some feedback on that program... which way can it help besides slowing down the scans?

Thanks

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
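As an added illustration of the capture-and-tarpit behaviour the reply above describes (example code written for this page, not LaBrea's own source), the following Python simulates the two decisions a LaBrea-style tarpit makes: claim an IP nobody answered ARP for, then hold any scanner that connects to it by advertising a tiny window and afterwards a zero window. The bogus MAC, the 3-second ARP wait, the window of 10 and the log line format are assumptions modelled on LaBrea's documented defaults; packets are plain dicts constructed inline, so nothing touches a real network.

```python
"""LaBrea-style tarpit decision logic, simulated on constructed packets (no real I/O)."""
from dataclasses import dataclass, field

BOGUS_MAC = "00:00:0f:ff:ff:ff"   # assumed: MAC the tarpit answers ARP with
ARP_TIMEOUT = 3.0                 # assumed: seconds with no real reply before claiming the IP
SMALL_WINDOW = 10                 # assumed: window advertised in the SYN/ACK
PERSIST_WINDOW = 0                # zero window keeps the scanner's TCP stack in persist mode


@dataclass
class Tarpit:
    pending_arp: dict = field(default_factory=dict)   # ip -> time of first unanswered request
    captured: set = field(default_factory=set)        # IPs now impersonated by the tarpit
    held: dict = field(default_factory=dict)          # 4-tuple -> connection state
    log: list = field(default_factory=list)           # what the poster reports to the ISP/DShield

    def on_arp(self, pkt, now):
        """Claim an address only if no real host answered the ARP request within ARP_TIMEOUT."""
        if pkt["op"] == "reply":
            self.pending_arp.pop(pkt["sender_ip"], None)  # a real host exists: never claim it
            return None
        ip = pkt["target_ip"]
        first = self.pending_arp.setdefault(ip, now)
        if now - first >= ARP_TIMEOUT:          # same request repeated, still unanswered
            self.captured.add(ip)
            del self.pending_arp[ip]
            return {"op": "reply", "sender_ip": ip, "sender_mac": BOGUS_MAC}
        return None

    def on_tcp(self, pkt):
        """SYN to a captured IP gets a SYN/ACK with a tiny window; everything after gets window 0."""
        if pkt["dst_ip"] not in self.captured:
            return None
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            self.held[key] = "syn_acked"
            self.log.append(f"tarpitting: {pkt['src_ip']}:{pkt['src_port']} -> "
                            f"{pkt['dst_ip']}:{pkt['dst_port']}")  # constructed log format
            return {"flags": {"SYN", "ACK"}, "window": SMALL_WINDOW}
        if key in self.held:                     # data or window probe: answer, but never open up
            self.held[key] = "persist"
            return {"flags": {"ACK"}, "window": PERSIST_WINDOW}
        return None


if __name__ == "__main__":
    tp = Tarpit()
    tp.on_arp({"op": "request", "target_ip": "192.0.2.10"}, 0.0)
    print(tp.on_arp({"op": "request", "target_ip": "192.0.2.10"}, 3.5))
    syn = {"src_ip": "203.0.113.5", "src_port": 40000, "dst_ip": "192.0.2.10",
           "dst_port": 80, "flags": {"SYN"}}
    print(tp.on_tcp(syn), tp.on_tcp(dict(syn, flags={"ACK", "PSH"})), tp.log)
```

The connection is never reset by the tarpit, which is why the scanner end has to give up (or be restarted) to free it.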
