Assuming you are using Rogers (canada) you should have a theoretical downstream pipe of 300K /s (but you'll probably get more like 120K/s - 230K/s) 80K/s is the max threshold I use - and I've never even come near it - but you can change it accordingly...
S >From: "MLU " <[EMAIL PROTECTED]> >Reply-To: <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> >CC: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, ><[EMAIL PROTECTED]> >Subject: Re: [Leaf-user] Unused IP's with LaBrea >Date: Mon, 4 Mar 2002 10:34:58 -0800 > >Thank you guys for the feedbacks. LaBrea works the way you all described. >Normal port-scan will be done quickly, but a more meaningfull scaning (as >browser IE or lynx on http://24.x.x.x:27 will run and wait forever. The log >shows that LaBrea is tarpiting too. So I think it is time for me now to >install LaBrea officially (saving config, creating the script etc). > >Still I have a couple of questions/concerns: > >1- Why the number 80000 in -p 80000. From the man page, LaBrea will ensure >that the router would use the max bandwidth up to 80K/sec, but is that >still too much? Why not 20K or 10K per second? Or maybe because as Simon >explained, LaBrea only talks back the 1st time, "I am open", and then does >not send anything else. > >2- The scanner will send data to the router forever, does that then have >any bad impact on the bandwidth of the router. Is the man-page (-p ... >First of all, this forces data throttling to 5 bytes (see the "-t" option >above) referring to this issue? > >P.S. Here is the output from running nmap against port 27 > >[root@rogers mlu]# nmap -p 27 -O 24.x.x.x > >Starting nmap V. 2.53 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ ) >Interesting ports on 24.x.x.x): >Port State Service >27/tcp open nsw-fe > >TCP Sequence Prediction: Class=truly random > Difficulty=9999999 (Good luck!) >No OS matches for host (If you know what OS is running on it, see >http://www.insecure.org/cgi-bin/nmap-submit.cgi). >TCP/IP fingerprint: >TSeq(Class=TR) >T1(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=) >T2(Resp=N) >T3(Resp=Y%DF=N%W=5%ACK=S++%Flags=AS%Ops=) >T4(Resp=N) >T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) >T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=) >T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) >PU(Resp=N) >PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E) > >Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds > > >-----Original Message----- >Message: 9 >From: "Charles Steinkuehler" <[EMAIL PROTECTED]> >To: "Steve Jeppesen" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, > "leaf-user" <[EMAIL PROTECTED]> >Subject: Re: [Leaf-user] Unused IP's with LaBrea >Date: Mon, 4 Mar 2002 09:08:58 -0600 > > > On the "how do you test", I know mine is working because of all the > > "Teergrubing" messages I receive in syslog. It is running on all low > > ports <1024 so it catches alot of activity. I have not done it myself, > > but maybe a different port scanning service could provide better results > > for you. > > > > GRC is using some new form of scanning your ports, and it is supposed to > > be very quick. And because LaBrea is running, it should show your ports > > open when you run a scan from GRC...or at least thats what happen to me > > going to that scanning site. Anybody else please jump in on this one .. > > should our ports be showing open just because we are using LaBrea? That > > never happened to me before using LaBrea (using the scanner at GRC) - >they > > all showed "stealth" status before. > >Yes, a remote system will see your low ports as "open", but trying to >communicate with these ports in any meaningful way will cause the remote >system to get "stuck", tying up it's reasources (ie it's "tar-pitted"). > >The most fun way to test this is using a MS platform...bring up IE and >point >it at your firewall, on a port that LaBrea will respond to (ie >http://<your-IP>:27/). IE will happily open the page, and sit *FOREVER* >with the little world spinning, never giving up... > >Charles Steinkuehler >http://lrp.steinkuehler.net >http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) > >_______________________________________________ >Leaf-user mailing list >[EMAIL PROTECTED] >https://lists.sourceforge.net/lists/listinfo/leaf-user _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com _______________________________________________ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
