Thank you guys for the feedback. LaBrea works the way you all described. A normal 
port-scan will be done quickly, but a more meaningful scan (such as a browser, IE or lynx, 
on http://24.x.x.x:27) will run and wait forever. The log shows that LaBrea is 
tarpitting too. So I think it is time for me now to install LaBrea officially (saving the 
config, creating the script, etc.).

Still I have a couple of questions/concerns:

1- Why the number 80000 in -p 80000? From the man page, LaBrea will ensure that the 
router would use the max bandwidth up to 80K/sec, but is that still too much? Why not 
20K or 10K per second? Or maybe because, as Simon explained, LaBrea only talks back the 
1st time, "I am open", and then does not send anything else.

2- The scanner will send data to the router forever; does that then have any bad 
impact on the bandwidth of the router? Is the man page ("-p ... First of all, this 
forces data throttling to 5 bytes (see the "-t" option above)") referring to this issue?

P.S. Here is the output from running nmap against port 27

[root@rogers mlu]# nmap -p 27 -O 24.x.x.x

Starting nmap V. 2.53 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
Interesting ports on 24.x.x.x):
Port       State       Service
27/tcp     open        nsw-fe                  

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T2(Resp=N)
T3(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds


-----Original Message-----
Message: 9
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "Steve Jeppesen" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
        "leaf-user" <[EMAIL PROTECTED]>
Subject: Re: [Leaf-user] Unused IP's with LaBrea
Date: Mon, 4 Mar 2002 09:08:58 -0600

> On the "how do you test", I know mine is working because of all the
> "Teergrubing" messages I receive in syslog.  It is running on all low
> ports <1024 so it catches a lot of activity.  I have not done it myself,
> but maybe a different port scanning service could provide better results
> for you.
>
> GRC is using some new form of scanning your ports, and it is supposed to
> be very quick.  And because LaBrea is running, it should show your ports
> open when you run a scan from GRC...or at least that's what happened to me
> going to that scanning site.  Anybody else please jump in on this one ..
> should our ports be showing open just because we are using LaBrea?  That
> never happened to me before using LaBrea (using the scanner at GRC) - they
> all showed "stealth" status before.

Yes, a remote system will see your low ports as "open", but trying to
communicate with these ports in any meaningful way will cause the remote
system to get "stuck", tying up its resources (i.e. it's "tar-pitted").

The most fun way to test this is using a MS platform...bring up IE and point
it at your firewall, on a port that LaBrea will respond to (i.e.
http://<your-IP>:27/).  IE will happily open the page, and sit *FOREVER*
with the little world spinning, never giving up...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
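As an added example (not code from this thread or from LaBrea itself), a small Python parser for the nmap 2.53 fingerprint lines quoted in the message above. It flags the tarpit-style signature a defender can look for when checking their own box: a SYN/ACK (Flags=AS) carrying no TCP options and a tiny advertised window (W=5 here, which I assume is LaBrea's 5-byte throttle from -t). The `max_window` threshold and the function names are my own choices.

```python
import re

# nmap 2.53 fingerprint lines, copied from the scan output in the message above.
FINGERPRINT = """\
TSeq(Class=TR)
T1(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T2(Resp=N)
T3(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

# Each fingerprint line is  NAME(key=value%key=value...)
LINE_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Return {test_name: {key: value}} for every fingerprint line in text."""
    tests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prose such as "TCP/IP fingerprint:"
        name, body = m.groups()
        fields = {}
        for item in body.split("%"):
            if "=" in item:
                key, value = item.split("=", 1)
                fields[key] = value  # "Ops=" yields an empty options string
        tests[name] = fields
    return tests


def tarpit_indicators(tests, max_window=16):
    """List (test, window) for SYN probes answered with a bare, tiny-window SYN/ACK.

    T1 and T3 are nmap's SYN-style probes; a real TCP stack normally answers them
    with TCP options (MSS etc.) and a window of thousands of bytes.  A SYN/ACK with
    no options and a window at or below max_window is the hallmark of a tarpit
    that accepts the handshake but lets almost no data flow.  W is hex in nmap output.
    """
    hits = []
    for name in ("T1", "T3"):
        f = tests.get(name, {})
        if f.get("Resp") == "Y" and f.get("Flags") == "AS" and f.get("Ops", "") == "":
            try:
                window = int(f["W"], 16)
            except (KeyError, ValueError):
                continue
            if window <= max_window:
                hits.append((name, window))
    return hits


def looks_like_tarpit(text, max_window=16):
    """True when the fingerprint shows at least one tarpit-style SYN/ACK."""
    return bool(tarpit_indicators(parse_fingerprint(text), max_window))
```

Run it against your own nmap fingerprint block; a host that answers with options and a normal window (e.g. `W=7FFF%...%Ops=MNWNNT`) is not flagged.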
