Oh, it's still useful, just not as useful as I expected
By using ltpstat [1] I've been able to see that the LaBrea tarpit [2] isn't
quite as effective as I first thought. Yes, it does slow down scans, but not
quite as much as one thinks. I'm guessing that scanning software now includes
the “timeout” concept—if a connection takes too long, drop the connection and
move on.
A few days ago I added a feature to ltpstat to remove entries that have not
seen any activity for over an hour (default setting). After running the
tarpit for over a day, I see the following stats:
> Jan 27 01:57:08 ltp ltp-report: Start: Wed Jan 25 17:27:55 2006 End: Fri Jan 27 01:57:08 2006 Running time: 1d 8h 29m 13s
> Jan 27 01:57:08 ltp ltp-report: Pool-max: 1048576
> Jan 27 01:57:08 ltp ltp-report: Pool-num: 107287
> Jan 27 01:57:08 ltp ltp-report: Rec-max: 1048576
> Jan 27 01:57:08 ltp ltp-report: Rec-num: 107287
> Jan 27 01:57:08 ltp ltp-report: UIP-max: 1048576
> Jan 27 01:57:08 ltp ltp-report: UIP-num: 2558
> Jan 27 01:57:08 ltp ltp-report: Reported-bandwidth: 32 (Kb/sec)
>
Okay, I've “captured” 107,287 connections. But how many of those are still
active?
> Jan 27 01:58:32 ltp ltp-report: Removing records with no activity for the past 1h
> Jan 27 01:58:32 ltp ltp-report: ... keeping 11180 records with activity since Fri Jan 27 00:58:31 2006
>
Well then. Over 96,000 connections were no longer “active” and of the 2,558
machines doing the scanning, some 2,200 had moved on.
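The two things the post does by hand, reading the ltp-report counters and working out how many captured connections survived the one-hour inactivity pruning, can be scripted. The following is an added example, not ltpstat's or LaBrea's own code: it parses the report lines quoted above (embedded as constructed sample input), computes the surviving fraction, and reimplements an idle-record pruning rule of the kind the post describes. The record shape `(src_ip, dst_port) -> last-activity time`, the function names and the RFC 5737 addresses in the test data are assumptions for illustration.

```python
"""Parse ltp-report lines and prune idle tarpit records.

Added example; a reimplementation of the ideas in the post, not ltpstat's code.
The report line format is taken from the log lines quoted in the post.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: the ltp-report lines quoted in the post.
REPORT_LINES = """\
Jan 27 01:57:08 ltp ltp-report: Pool-max: 1048576
Jan 27 01:57:08 ltp ltp-report: Pool-num: 107287
Jan 27 01:57:08 ltp ltp-report: Rec-max: 1048576
Jan 27 01:57:08 ltp ltp-report: Rec-num: 107287
Jan 27 01:57:08 ltp ltp-report: UIP-max: 1048576
Jan 27 01:57:08 ltp ltp-report: UIP-num: 2558
Jan 27 01:58:32 ltp ltp-report: Removing records with no activity for the past 1h
Jan 27 01:58:32 ltp ltp-report: ... keeping 11180 records with activity since Fri Jan 27 00:58:31 2006
""".splitlines()

# "Name-max: N" / "Name-num: N" counters.
COUNTER_RE = re.compile(r"ltp-report: (?P<name>[A-Za-z]+-(?:max|num)): (?P<value>\d+)$")
# The pruning summary line carries the number of records that survived.
KEEPING_RE = re.compile(r"ltp-report: \.\.\. keeping (?P<kept>\d+) records")


def parse_report(lines):
    """Return a dict of the counters, plus 'kept' if a pruning summary is present."""
    stats = {}
    for line in lines:
        m = COUNTER_RE.search(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
            continue
        m = KEEPING_RE.search(line)
        if m:
            stats["kept"] = int(m.group("kept"))
    return stats


def active_fraction(stats):
    """Fraction of captured connection records still active after pruning."""
    return stats["kept"] / stats["Rec-num"]


def prune_idle(records, now, max_idle=timedelta(hours=1)):
    """Drop records with no activity for longer than max_idle (1h by default).

    records: dict mapping (src_ip, dst_port) -> datetime of last activity
             (assumed shape, not ltpstat's internal structure).
    Returns (surviving records, set of source IPs that still have an
    active record), so "how many scanners moved on" is a set difference.
    """
    cutoff = now - max_idle
    kept = {key: last for key, last in records.items() if last >= cutoff}
    active_ips = {ip for ip, _port in kept}
    return kept, active_ips


if __name__ == "__main__":
    stats = parse_report(REPORT_LINES)
    print(f"records: {stats['Rec-num']}, kept after pruning: {stats['kept']}")
    print(f"active fraction: {active_fraction(stats):.1%}")
```

Run as a script it reports the same picture the post draws: of the 107,287 captured records only 11,180, roughly a tenth, had seen activity in the preceding hour. `prune_idle` is the part to keep around if you collect your own tarpit records; comparing the set of source IPs before and after pruning gives the "moved on" count directly.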
So it looks like the LaBrea tar pit is really only useful to see what's being
attacked, and which machines on the Internet are really doing the attacking
(so far, 24.73.129.197 seems to be quite tenacious in scanning).
And the ports being scanned? Again, it's the Microsoft specific ports as
usual. No use making a chart this time.
[1] gopher://gopher.conman.org/0Phlog:2006/01/21.2
[2] http://sourceforge.net/projects/labrea