nanog mailing list archives
RE: LaBrea tarpit info and URL
From: Roeland Meyer <rmeyer () mhsc com>
Date: Sun, 19 Aug 2001 21:04:46 -0700
|> From: Patrick Greenwell [mailto:patrick () cybernothing org] |> Sent: Sunday, August 19, 2001 6:01 PM |> |> On Sun, 19 Aug 2001, M. David Leonard wrote: |> |> > -------- Original Message -------- |> > From: "Tom Liston" <tliston () premmag com> (by way of Matt Fearnow |> > <matt () incidents org>) |> > Subject: [unisog] New tool: LaBrea |> > To: unisog () sans org |> > |> > OK folks, the time has come to fight back... |> > |> > Following up on my original work on CodeRedneck, I'm |> pleased to announce a |> > new tool to let us *ethically* take a stand. Come on... |> let's build us |> > some tarpits. |> |> Yawn. So someone adds a timeout to their |> scanner/worm/whatever. "Problem" |> solved. Didn't we try something like this wrt email address scanners? Only in that case, we actually tried to poison them. I don't believe that worked very well either. In addition, it melts down the saint runs you do to manage your own networks. For various sizes of LANs, this is a problem. However, a tcp_wrappers boobie-trap mightn't be such a bad idea. It detects a scan from outside the net-block and tries it's level best to return the favor with a saint run, reporting whatever it finds. Of course, one needs a solution for the deadly-embrace problem. Once CodeRed infestation is confirmed, one has a variety of options. 1) Send demand letter to infested host's owner, to cease and desist. 2) Raise automated blocks, for that host, at your border (adaptive shielding). 3) Use the CodeRed backdoor to force that host to shutdown, or worse. However, LaBrea seems useless.
Current thread:
- LaBrea tarpit info and URL M. David Leonard (Aug 19)
- Re: LaBrea tarpit info and URL Patrick Greenwell (Aug 19)
- RE: LaBrea tarpit info and URL Deepak Jain (Aug 20)
- <Possible follow-ups>
- RE: LaBrea tarpit info and URL Joe Blanchard (Aug 19)
- RE: LaBrea tarpit info and URL Roeland Meyer (Aug 20)
- Re: LaBrea tarpit info and URL Patrick Greenwell (Aug 19)