Thank you guys for the feedback. LaBrea works the way you all described. A normal port-scan will be done quickly, but a more meaningful scan (such as a browser, IE or lynx, on http://24.x.x.x:27) will run and wait forever. The log shows that LaBrea is tarpitting too. So I think it is time for me now to install LaBrea officially (saving the config, creating the script etc.).

Still I have a couple of questions/concerns:

1- Why the number 80000 in -p 80000? From the man page, LaBrea will ensure that the router would use the max bandwidth up to 80K/sec, but is that still too much? Why not 20K or 10K per second? Or maybe because, as Simon explained, LaBrea only talks back the 1st time, "I am open", and then does not send anything else.

2- The scanner will send data to the router forever; does that then have any bad impact on the bandwidth of the router? Is the man page ("-p ... First of all, this forces data throttling to 5 bytes (see the "-t" option above)") referring to this issue?

P.S. Here is the output from running nmap against port 27:

[root@rogers mlu]# nmap -p 27 -O 24.x.x.x

Starting nmap V. 2.53 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
Interesting ports on (24.x.x.x):
Port       State       Service
27/tcp     open        nsw-fe

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)

No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T2(Resp=N)
T3(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds

-----Original Message-----
Message: 9
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "Steve Jeppesen" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, "leaf-user" <[EMAIL PROTECTED]>
Subject: Re: [Leaf-user] Unused IP's with LaBrea
Date: Mon, 4 Mar 2002 09:08:58 -0600

> On the "how do you test", I know mine is working because of all the
> "Teergrubing" messages I receive in syslog. It is running on all low
> ports <1024 so it catches a lot of activity. I have not done it myself,
> but maybe a different port scanning service could provide better results
> for you.
>
> GRC is using some new form of scanning your ports, and it is supposed to
> be very quick. And because LaBrea is running, it should show your ports
> open when you run a scan from GRC...or at least that's what happened to me
> going to that scanning site. Anybody else please jump in on this one ..
> should our ports be showing open just because we are using LaBrea? That
> never happened to me before using LaBrea (using the scanner at GRC) - they
> all showed "stealth" status before.

Yes, a remote system will see your low ports as "open", but trying to communicate with these ports in any meaningful way will cause the remote system to get "stuck", tying up its resources (i.e. it's "tar-pitted").

The most fun way to test this is using a MS platform...bring up IE and point it at your firewall, on a port that LaBrea will respond to (i.e. http://<your-IP>:27/). IE will happily open the page, and sit *FOREVER* with the little world spinning, never giving up...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
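The nmap fingerprint in the post is itself a usable signature for a persist-mode tarpit: the SYN/ACK comes back with a 5-byte window (the throttle size quoted from the man page), no TCP options at all, and a stray ACK to the "open" port draws no RST because there is no real connection state behind it. The following script is an added example, written for this thread and not part of LaBrea, nmap or any message above; it parses nmap 2.x fingerprint lines and flags those three traits. The LaBrea fingerprint is the one from the post; the "real host" fingerprint is constructed for contrast and is not a capture of any actual system. The indicator thresholds and the two-of-three rule are my own heuristic, not an nmap or LaBrea feature.

```python
import re

# nmap 2.53 fingerprint lines for the LaBrea-held port 27, copied from the post.
LABREA_FP = """\
TSeq(Class=TR)
T1(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T2(Resp=N)
T3(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)
"""

# Constructed contrast case (not from the post, not a real capture): a host with a
# genuine listener, i.e. a normal-sized window, TCP options echoed on the SYN/ACK,
# and a RST in answer to a stray ACK on the open port.
REAL_HOST_FP = """\
TSeq(Class=RI%gcd=1%SI=3A2B1C)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")

# Heuristic threshold (my choice): a window this small cannot carry a real request.
TINY_WINDOW = 16


def parse_fingerprint(text):
    """Parse nmap 2.x fingerprint lines into {test_name: {field: value}}.

    Lines that are not of the form NAME(k=v%k=v...) are ignored, so the whole
    nmap report can be fed in. A repeated test name (the two PU lines in the
    post) keeps the later line.
    """
    tests = {}
    for line in text.splitlines():
        m = TEST_RE.match(line.strip())
        if not m:
            continue
        name, body = m.groups()
        fields = {}
        for kv in body.split("%"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                fields[key] = value        # value may be empty, e.g. "Ops="
        tests[name] = fields
    return tests


def tarpit_indicators(fp):
    """Return the reasons a parsed fingerprint looks like a persist-mode tarpit."""
    reasons = []
    t1 = fp.get("T1", {})
    if t1.get("Resp") == "Y" and t1.get("Flags") == "AS":
        window = int(t1.get("W", "0"), 16)   # nmap prints the window in hex
        if window <= TINY_WINDOW:
            reasons.append(f"SYN/ACK advertises a {window}-byte window "
                           "(matches the 5-byte throttle quoted from the man page)")
        if t1.get("Ops", "") == "":
            reasons.append("SYN/ACK carries no TCP options: canned reply, "
                           "probe options ignored")
    t4 = fp.get("T4", {})
    if t4 and t4.get("Resp") == "N":
        reasons.append("no RST to a stray ACK on the 'open' port: "
                       "no real connection state behind it")
    return reasons


def looks_like_tarpit(text):
    """Two or more indicators: treat the port as a tarpit, not a real service."""
    return len(tarpit_indicators(parse_fingerprint(text))) >= 2


if __name__ == "__main__":
    for label, fp in (("port 27 from the post", LABREA_FP),
                      ("constructed real host", REAL_HOST_FP)):
        reasons = tarpit_indicators(parse_fingerprint(fp))
        print(f"{label}: {'TARPIT' if len(reasons) >= 2 else 'normal'}")
        for r in reasons:
            print("  -", r)
```

Run it with no arguments and it prints the verdict for both fingerprints; paste any other nmap 2.x fingerprint into a third string to check a port you are unsure about. The check deliberately looks only at T1 and T4, because T2/T5/T6/T7 look much the same on a real stack and on a tarpit and would add noise rather than signal.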