RE: Fwd: Active defense gets serious: Announcing LaBrea 2.0
It will only work with unused IP addresses.

-----Original Message-----
From: Jerry McBride
Sent: Wed 9/19/2001 5:56 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Fwd: Active defense gets serious: Announcing LaBrea 2.0

On Wed, 19 Sep 2001 07:57:35 -0400 "DOUGLAS HUNLEY" <[EMAIL PROTECTED]> wrote:

> what does everyone think of this?

I'm confused as usual... Does LaBrea require an unused IP to work, or will it defend an IP that is actively being used? I set it up on my home LAN, on the server. It didn't appear to "capture" anything except my imagination. :') So... how about a HOW-TO for us too busy to RTFM?

--
** Registered Linux User Number 185956
http://groups.google.com/groups?hl=en&safe=off&group=linux
5:50pm up 16 days, 4:57, 7 users, load average: 0.11, 0.05, 0.01

___
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc -> http://linux.nf/mailman/listinfo/linux-users
Re: Fwd: Active defense gets serious: Announcing LaBrea 2.0
On Wed, 19 Sep 2001 07:57:35 -0400 "DOUGLAS HUNLEY" <[EMAIL PROTECTED]> wrote:

> what does everyone think of this?

I'm confused as usual... Does LaBrea require an unused IP to work, or will it defend an IP that is actively being used? I set it up on my home LAN, on the server. It didn't appear to "capture" anything except my imagination. :') So... how about a HOW-TO for us too busy to RTFM?

--
** Registered Linux User Number 185956
http://groups.google.com/groups?hl=en&safe=off&group=linux
5:50pm up 16 days, 4:57, 7 users, load average: 0.11, 0.05, 0.01
Re: Fwd: Active defense gets serious: Announcing LaBrea 2.0
Quoting dep <[EMAIL PROTECTED]>:

> On Wednesday 19 September 2001 07:57, DOUGLAS HUNLEY wrote:
> | what does everyone think of this?
>
> i think it's highly cool in concept; a friend is setting it up on his
> lab rat to see if it is cool in reality.

Am I understanding this correctly? This is something that is more for use by ISPs, hosting providers and other admins of networks with large numbers of internet-exposed machines, isn't it? There wouldn't be much use applying this to a NAT-connected network of any size, large or small, would there?

--
Linux SxS [http://hal.humberc.on.ca/~mrcn0031/sxs/]
Re: Fwd: Active defense gets serious: Announcing LaBrea 2.0
I guess this is only within the lower 1024 ports, right? I feel dumb asking, but I want to be sure I understand what is going on. Currently, if I don't have a listener on such a port, connections do little to me. So, what I am doing here is not so much protecting my system as making life hell for possible intruders by tying up their resources (and my 'unused port' resources). If they access a port I really am using, this is outside what LaBrea deals with. Right?

--
Roger Oberholtzer           E-mail: [EMAIL PROTECTED]
OPQ Systems AB              WWW: http://www.opq.se
Erik Dahlbergsgatan 41-43   Phone: Int + 46 8 314223
115 32 Stockholm            Mobile: Int + 46 733 621657
Sweden                      Fax: Int + 46 8 302602
Re: Fwd: Active defense gets serious: Announcing LaBrea 2.0
On Wednesday 19 September 2001 07:57, DOUGLAS HUNLEY wrote:
| what does everyone think of this?

i think it's highly cool in concept; a friend is setting it up on his lab rat to see if it is cool in reality.

--
dep

There is sobbing of the strong,
And a pall upon the land;
But the People in their weeping
Bare the iron hand;
Beware the People weeping
When they bare the iron hand.
Fwd: Active defense gets serious: Announcing LaBrea 2.0
what does everyone think of this?

-- begin forwarded msg --

Subject: Active defense gets serious: Announcing LaBrea 2.0
Date: Mon, 17 Sep 2001 12:42:34 -0500
From: "Tom Liston" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>

First we slowed 'em down...
...Now, we're gonna' STOP 'em.

Announcing: LaBrea 2.0

It all started a few weeks ago when we read this innocent little paragraph in Chapter 22 of Stevens' TCP/IP Illustrated, Vol. 1:

"The characteristic of the persist state that is different from the retransmission timeout in Chapter 21 is that TCP never gives up sending window probes. These window probes continue to be sent at 60-second intervals until the window opens up or either of the applications using the connection is terminated."

What a lovely word "NEVER" is...

As you may or may not know, LaBrea 1.x is a small Linux-based application that puts unused IP addresses on your network to use, creating a "tarpit" which slows down scans of your address space by establishing connections and forcing inbound connections to time out. LaBrea automates the process of "grabbing" unused IP addresses and adding them to its pool of "tarpit" addresses.

But now, thanks to the word NEVER, we can take "active defense" to a whole new level.

LaBrea is beginning to generate interest in those who know that an active stance against REAL attackers is necessary to the continued health of the Internet:

"LaBrea gives its users a tactical advantage over 'zombie' computers like those compromised by the Code Red worms. The computer security industry will find it a very intriguing utility."
-- Rob Rosenberger, editor, Vmyths.com

**New in LaBrea 2.0**

When LaBrea is started with the "-p" flag, it will force connection attempts into the "persist" state. You grab 'em, hold 'em, and NEVER let 'em go.

Yes, that's right... I said "*NEVER* LET THEM GO"...

How does it work?

Technical details: The LaBrea "server" software allows a normal three-way handshake in response to a connect attempt. During the handshake, the server sets a small (5 byte) TCP window. When the client sends its first 5 bytes of data, the server responds with a TCP window of 0 (wait). The client then shifts into the "persist" state, where it sends what are called "window probe" packets at intervals that increase to a maximum of 4 minutes for an NT stack. The LaBrea server answers these probes to hold the client in the persist state. At this point, a connection can be maintained with a throughput of approximately 1215 bytes per hour.

All of this can be done without maintaining any "state" on the connections. This vastly simplifies LaBrea's code.

Because you're holding connections open, and because there is a bandwidth "cost" associated with doing that, the "-p" option requires that you specify the maximum bandwidth (in bytes/second) that you want to allocate to doing this. You set the maximum bandwidth, fire it off, and LaBrea takes care of the rest. It keeps a 5 minute running window of bandwidth allocated to holding open connections, and does its best to keep you at or near the maximum you allow. (FYI: 1 byte/second is roughly equal to 3 scanning threads.)

What happens to the threads you don't grab? LaBrea still tarpits 'em... just like before.

Using LaBrea before was a whole lot of fun... Now, it's just incredible. I've had people ping scanning "virtual machines", running NMap on them, and even some enterprising folks very interested in the version of BIND that my LaBrea machines are running.

Ladies and gentlemen, we really CAN make a difference. But don't just take my word for it: check it out for yourself. At the HackBusters site, we have a page showing the current "live" activity in our very own tarpit. You can see the folks that are just visiting, and you can also check out a list of the very "special" people that we're hanging onto INDEFINITELY.

While you're there, grab a copy of the source code to LaBrea, or read our white paper entitled "Welcome to My Tarpit - The Tactical and Strategic Use of LaBrea."

While you're looking at the "VIPs" as we're calling them, notice something: I've held onto some of them for more than 5 days... No, you didn't misread that: *5 DAYS*...

And don't be fooled by the fact that everything there seems to be aimed at port 80. Hackbusters' lil' chunk o' IP space just seems to be sitting in the midst of CodeRed central... LaBrea will capture anything that tries to initiate a full connection on ANY port. Over the weekend, we had some Gnutella scanners on the line until they got a clue and gave up...

We believe that by using tools like LaBrea, we can actually make a strong proactive stand to improve the "health" of the Internet. Please consider setting up a tarpit. Please pass the word to others.

See: http://www.hackbusters.net

Questions and comments can be directed to the address on the HackBusters site.
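The persist-state mechanism and the bandwidth budget described in the forwarded announcement, as a small Python model added here for illustration (it is not LaBrea's code and touches no socket). It assumes a 40-byte IPv4+TCP header pair, a one-byte probe payload and the 4-minute probe interval quoted above, which together reproduce the announcement's 1215 bytes/hour figure; it also assumes the tarpit leaves the probe byte unaccepted, so the stateless reply acks the probe's own sequence number. The `Segment`, `BandwidthBudget` and `PersistTarpit` names, and the 192.0.2.x / 203.0.113.x addresses, are constructed for the example.

```python
"""Model of the LaBrea 2.0 persist-state tarpit: an added illustration, not LaBrea's
code. Packets are plain Python objects; nothing touches a socket. Header sizes and
the ack-number choice are assumptions, noted where they appear."""
from collections import deque
from dataclasses import dataclass

HEADER_BYTES = 40          # assumption: bare IPv4 + TCP headers, no options
PROBE_PAYLOAD_BYTES = 1    # a window probe carries one byte of data
PROBE_INTERVAL_S = 240     # 4-minute probe interval quoted for an NT stack
ACCOUNTING_WINDOW_S = 300  # the announcement's "5 minute running window"

def bytes_per_probe_exchange() -> int:
    """Wire cost of one probe plus the zero-window ACK that answers it."""
    return (HEADER_BYTES + PROBE_PAYLOAD_BYTES) + HEADER_BYTES  # 81

def bytes_per_hour_per_connection(interval_s: int = PROBE_INTERVAL_S) -> int:
    """Cost of holding one peer in persist for an hour at a fixed probe interval."""
    return (3600 // interval_s) * bytes_per_probe_exchange()  # 15 * 81 = 1215

def connections_per_byte_per_second() -> float:
    """Peers one byte/second of budget can hold: about 3, as the announcement says."""
    return 3600 / bytes_per_hour_per_connection()

@dataclass(frozen=True)
class Segment:
    """Only the TCP fields the tarpit looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    window: int
    payload_len: int
    flags: frozenset

def is_window_probe(seg: Segment) -> bool:
    """Persist-state probe: ACK set, no SYN/FIN/RST, exactly one data byte."""
    return ("ACK" in seg.flags and not seg.flags & {"SYN", "FIN", "RST"}
            and seg.payload_len == PROBE_PAYLOAD_BYTES)

def persist_reply(probe: Segment) -> Segment:
    """Stateless answer that keeps the peer probing. Assumption: the probe byte is
    not accepted (window stays 0), so we ack the probe's own sequence number and
    use the peer's ack as our seq. Every field derives from the probe itself."""
    return Segment(src=probe.dst, dst=probe.src, sport=probe.dport, dport=probe.sport,
                   seq=probe.ack, ack=probe.seq, window=0, payload_len=0,
                   flags=frozenset({"ACK"}))

class BandwidthBudget:
    """Sliding-window account of the bytes spent holding peers in persist."""
    def __init__(self, max_bytes_per_second: int, window_s: int = ACCOUNTING_WINDOW_S):
        self.limit = max_bytes_per_second * window_s
        self.window_s = window_s
        self.spent = 0
        self.events = deque()  # (timestamp, bytes), oldest first

    def try_spend(self, now: float, nbytes: int) -> bool:
        """Charge nbytes at time `now` if the window's limit allows it."""
        while self.events and self.events[0][0] <= now - self.window_s:
            self.spent -= self.events.popleft()[1]  # drop charges older than the window
        if self.spent + nbytes > self.limit:
            return False
        self.events.append((now, nbytes))
        self.spent += nbytes
        return True

class PersistTarpit:
    """Answer probes while the budget lasts; otherwise let the peer time out."""
    def __init__(self, max_bytes_per_second: int):
        self.budget = BandwidthBudget(max_bytes_per_second)
        self.held = 0      # probes answered: the peer stays in persist
        self.released = 0  # probes ignored: the peer is left to the plain tarpit

    def handle(self, seg: Segment, now: float):
        if not is_window_probe(seg):
            return None  # handshake and data segments are outside this model
        if self.budget.try_spend(now, bytes_per_probe_exchange()):
            self.held += 1
            return persist_reply(seg)
        self.released += 1
        return None

def demo():
    """Constructed scenario: four scanners (TEST-NET addresses) probe a 1 byte/s tarpit."""
    pit = PersistTarpit(max_bytes_per_second=1)
    probes = [Segment(src=f"192.0.2.{i}", dst="203.0.113.9", sport=40000 + i, dport=80,
                      seq=1000 * i, ack=1, window=8192, payload_len=1,
                      flags=frozenset({"ACK"})) for i in range(1, 5)]
    at_t0 = [pit.handle(p, now=0.0) is not None for p in probes]  # three fit, the fourth does not
    at_t300 = pit.handle(probes[3], now=300.0) is not None         # earlier charges have expired
    return at_t0, at_t300
```

Running `demo()` shows the budget at work: with 1 byte/second, three probers fit inside the 5-minute window and the fourth is left to the plain tarpit until the earlier charges expire. The reply builder is the point of the "no state" remark in the announcement: because the probe carries the peer's addresses, ports, sequence and ack numbers, the zero-window ACK can be derived from it alone, so the tarpit needs no per-connection table however many peers it holds.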