* * * * *

                          Slogging through the 'pit

Today was the first day I ran the LaBrea tarpit on the network [1]. I almost
didn't leave the office since the results were most interesting. In the first
hour it ran (from 19:04:31 Eastern to 20:04:31) it “pitted” 9,309 connections
from 865 unique IP (Internet Protocol) addresses. And the ports involved:

Table: Ports captured during a LaBrea run of one hour

Port #  Port description                                      # connections
------  ----------------------------------------------------  -------------
135     Microsoft-RPC (Remote Procedure Call) service                 4,996
445     Microsoft-DS (Directory Service?) Service                     3,724
139     NetBIOS (Basic Input/Output System) Session Service             295
22      Secure Shell Login                                              231
80      Hypertext Transport Protocol                                     62
6348    unassigned (possible worm?)                                       1

That Microsoft-specific ports are at the top of the list is totally
unexpected here.
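To turn a capture like this into the per-port tally above, here is an added Python example (not LaBrea's own code; the one-connection-per-line log format is constructed for the example and is not LaBrea's real output) that counts pitted connections per destination port and unique source addresses:

```python
import re
from collections import Counter

# Constructed sample records (not LaBrea's actual log format): one tarpitted
# connection per line, "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
SAMPLE_LOG = """\
19:04:31 198.51.100.7:1033 -> 203.0.113.10:135
19:04:32 198.51.100.7:1034 -> 203.0.113.10:445
19:04:40 192.0.2.45:3210 -> 203.0.113.10:135
19:05:02 192.0.2.45:3211 -> 203.0.113.10:139
19:05:09 198.51.100.200:4001 -> 203.0.113.10:22
19:05:15 192.0.2.45:3212 -> 203.0.113.10:135
19:06:00 198.51.100.7:1035 -> 203.0.113.10:6348
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def summarize(log_text):
    """Return (total_connections, unique_sources, per_port_counter)."""
    per_port = Counter()
    sources = set()
    total = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank, malformed or unrelated lines
        total += 1
        sources.add(m["src"])
        per_port[int(m["dport"])] += 1
    return total, len(sources), per_port


def port_table(per_port):
    """Rows as (port, count), busiest port first, like the table above."""
    return sorted(per_port.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    total, uniq, per_port = summarize(SAMPLE_LOG)
    print(f"{total} connections from {uniq} unique IPs")
    for port, n in port_table(per_port):
        print(f"{port:<6} {n:>5}")
```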

I did learn a few things about LaBrea though. One, it only works on a single
netblock. Unfortunately for us at The Company, we have several network blocks
to worry about and that means either a few machines running this, or several
instances (and given that LaBrea puts the network interface in promiscuous
mode, I'm not sure how multiple instances would react with each other on the
same interface) on different interfaces on one box.

Two, the network block does not have to match the network block the actual
system is in, which saves an unused IP address (ha ha).

A puzzling thing though. I got home, it was still running. I checked back a
few hours later, and nothing past 20:21:17. LaBrea was still running, but
either we captured all that could be captured, or something else was up.

Or down, as it turned out.

The interface that LaBrea was running on just died. I don't know if the
switch doesn't like it (unlikely), the network cable is bad (could be—I did
make the cable) or the interface just blew up (also a possibility). Even a
reboot of the system didn't fix the problem. I'm hoping it's just the cable.

[1] gopher://gopher.conman.org/0Phlog:2006/01/04.2

Email author at [email protected]