* * * * *

                          Once more into the tarpit

It's been a while since I last reported [1] on the Labrea Tarpit [2] we're
running. In the almost two months since I've mentioned it, it's just been
sitting on a shelf, tarpitting away. As I reported back then, it seems that
it's more effective at telling us what's attacking us (IP (Internet Protocol)
address) and where (port number) than actually slowing down the attacks.

Yesterday, Dan the Network Engineer asked if he could get regular reports of
what IP addresses are hitting us hard. So I modified ltpstat [3] to generate
the requested information (I'm not bothering to mask the offending IP
addresses):

Table: Attacking IP addresses
IP Address      Number of “connections”
---------------------------------------
81.248.42.133   7207
160.79.143.98    846
59.21.72.1       691
216.48.7.19      552
82.76.161.38     487
217.132.178.97   484
193.15.92.167    421
66.131.62.208    370
64.182.81.74     329
216.82.220.172   323

I also had it generate a list of ports being attacked. Again, nothing
surprising here:

Table: Top 6 ports captured by Labrea since the last purge
Port #  Port description                                     # connections
--------------------------------------------------------------------------
4899    Remote Administration [4]                                    8,892
139     NetBIOS (Basic Input/Output System) Session Service          5,081
1433    Microsoft SQL (Standard Query Language) Server               1,644
135     Microsoft-RPC (Remote Procedure Call) service                1,071
445     Microsoft-DS (Directory Service?) Service                      914
80      Hypertext Transfer Protocol                                    850

(Just a note—I was able to generate this data from the existing reports
ltpstat produced, but pulling only this information out of those reports
took at least three processes per report. It was just as easy to have
ltpstat generate exactly the required information itself.)

Dan the Network Engineer is planning on taking these reports and
automatically blocking the offending IP addresses from scanning our network.
Should be a pretty sweet setup once it gets going.
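As an added illustration of the kind of summary described above (this is not
ltpstat's code, nor anything from the LaBrea project), the script below counts
tarpitted connections per attacking source address and per targeted port and
flags sources that cross a threshold, which is the input a network engineer
would feed into an automated block list. The log lines are constructed for the
example and only loosely modelled on LaBrea's "Initial Connect - tarpitting:
SRC SPORT -> DST DPORT" messages; the exact line format, the leading timestamp
and the function names are assumptions, so adapt the regular expression to
whatever your tarpit actually writes.

```python
"""Summarise tarpit activity by attacking source IP and targeted port."""
import re
from collections import Counter

# Constructed sample log (not real captured data). Format is an assumption
# loosely based on LaBrea's "Initial Connect - tarpitting:" messages with a
# leading epoch timestamp; "Additional Activity" lines are deliberately
# present so the parser has to skip them rather than double-count.
SAMPLE_LOG = """\
1138300001 Initial Connect - tarpitting: 81.248.42.133 3281 -> 10.0.0.5 4899
1138300002 Initial Connect - tarpitting: 81.248.42.133 3282 -> 10.0.0.6 4899
1138300003 Initial Connect - tarpitting: 160.79.143.98 1040 -> 10.0.0.7 139
1138300004 Initial Connect - tarpitting: 81.248.42.133 3283 -> 10.0.0.8 4899
1138300005 Initial Connect - tarpitting: 59.21.72.1 2050 -> 10.0.0.5 1433
1138300006 Initial Connect - tarpitting: 160.79.143.98 1041 -> 10.0.0.9 139
1138300007 Additional Activity: 81.248.42.133 3281 -> 10.0.0.5 4899
1138300008 Initial Connect - tarpitting: 59.21.72.1 2051 -> 10.0.0.5 445
"""

# Only "Initial Connect" lines count as a new connection attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+Initial Connect - tarpitting:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s*$"
)


def parse_connections(text):
    """Yield (source_ip, destination_port) for every initial-connect line.

    Lines that do not match (follow-up activity, noise) are ignored.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), int(m.group("dport"))


def top_sources(text, n=10):
    """Most active source addresses as (ip, count), highest first."""
    counts = Counter(src for src, _ in parse_connections(text))
    return counts.most_common(n)


def top_ports(text, n=6):
    """Most targeted destination ports as (port, count), highest first."""
    counts = Counter(port for _, port in parse_connections(text))
    return counts.most_common(n)


def block_candidates(text, threshold, allowlist=()):
    """Source IPs with at least `threshold` connections, minus an allowlist.

    The allowlist exists so that your own monitoring hosts or partner ranges
    never end up in an automatically generated block list.
    """
    return [
        ip
        for ip, count in top_sources(text, n=None)
        if count >= threshold and ip not in allowlist
    ]


def format_table(title, header, rows):
    """Render rows as a plain-text table in the style of the phlog above."""
    lines = [f"Table: {title}", f"{header[0]:<16}{header[1]}", "-" * 40]
    lines += [f"{str(key):<16}{count:>6}" for key, count in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table("Attacking IP addresses",
                       ("IP Address", "# connections"),
                       top_sources(SAMPLE_LOG)))
    print()
    print(format_table("Top ports", ("Port #", "# connections"),
                       top_ports(SAMPLE_LOG)))
    print()
    print("block candidates (>= 2):", block_candidates(SAMPLE_LOG, 2))
```

Running it against real tarpit output is a matter of passing the file's
contents instead of `SAMPLE_LOG`. If the output feeds an automatic block,
two design choices matter more than the parsing: keep an allowlist of your
own and your partners' address ranges so a misconfigured scanner of yours
never locks you out, and give each block an expiry so that addresses which
stop scanning eventually drop off the list.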

[1] gopher://gopher.conman.org/0Phlog:2006/01/26.3
[2] http://sourceforge.net/projects/labrea
[3] gopher://gopher.conman.org/0Phlog:2006/01/21.2
[4] http://www.famatech.com/

Email author at [email protected]