You have to check out this program, if you haven't heard about it already. It grabs unused IPs on your network, and uses them to slow propagation of any random scanning type worm. Rather than simply drop packets, the program completes just enough of a TCP connection to cause the remote computer to think a connection is established, increasing the scanning timeout by orders of magnitude over a simple missing machine. If you're willing to dedicate a bit of outbound bandwidth, as well, it can tie up TCP connections forever, requiring a reset on the other end, simply by using a small window size and never acknowledging any data (i.e., the TCP packets get ACK'd, but the program never moves the TCP window, essentially saying "please wait while I process the data you sent me" forever). According to the docs, LaBrea requires approximately 8 bps to hold 3 threads of Code Red, so the bandwidth usage is not very high.

Homepage: http://www.hackbusters.net/LaBrea.html

Of course, I've already got this running under LRP, and installed on my firewall here. Try, for example, the following: http://216.171.153.186/

I'll be packaging up the program, and posting it on my website soon (I'll post to the list when it's ready for download).

Charles Steinkuehler
[EMAIL PROTECTED]

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
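
The "never move the window" behaviour described in the post can be observed on a lab host with ordinary sockets. This is an added example, not part of the original post and not LaBrea's code: unlike LaBrea as described above, it listens on a loopback port instead of answering for unused IPs, and the names `start_tarpit` and `demo_stall` are hypothetical.

```python
import select
import socket


def start_tarpit(host="127.0.0.1", port=0, rcvbuf=1024):
    """Listen with a tiny receive buffer so the advertised TCP window is small."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Set before listen(): accepted sockets inherit the buffer size.
    # The kernel may round this value up to its own minimum.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def demo_stall(chunk=4096, max_bytes=64 * 1024 * 1024, quiet_secs=1.0):
    """Connect a local client to the tarpit and send until nothing more moves.

    Returns (stalled, bytes_queued_by_client).
    """
    srv = start_tarpit()
    cli = socket.create_connection(srv.getsockname())
    held, _ = srv.accept()  # handshake completes; recv() is never called on `held`
    cli.setblocking(False)
    payload = b"A" * chunk  # constructed sample data
    sent, stalled = 0, False
    try:
        while sent < max_bytes:
            # Writable means the client's send buffer still has room.
            _, writable, _ = select.select([], [cli], [], quiet_secs)
            if not writable:
                stalled = True  # window closed, buffers full, nothing moves
                break
            try:
                sent += cli.send(payload)
            except BlockingIOError:
                pass  # transient: buffer filled between select() and send()
    finally:
        for s in (cli, held, srv):
            s.close()
    return stalled, sent


if __name__ == "__main__":
    stalled, sent = demo_stall()
    print(f"stalled={stalled} after {sent} bytes queued; tarpit read 0 bytes")
```

The byte count at which the client stalls depends on the kernel's socket buffer sizes, so it varies between hosts; what stays constant is that the connection remains established while no further data is accepted.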
