Tarpits, slowing down the worms
Results 1 to 6 of 6

Thread: Tarpits, slowing down the worms

  1. #1

    Tarpits, slowing down the worms

    There are someinteresting articles that I would like to point the AO community to.
    They are about Tarpits. I could give a shot off explaining the concept but I think the articles do a better job then I will do:
    Here are the links:
    A 'Tarpit' That Traps Worms <--wired
    Slow Down Internet Worms With Tarpits <--security focus

    If more people would join in this concept I think the worms could be slowed down big time.
    Please read the articles !
    Both are a bit outdated (one from 2001) but I still think they are a good read.

  2. #2
    Junior Member
    Join Date
    Jun 2003
    Posts
    16
    any one actualy tried this?

    Sounds like a honeypot gone mad

  3. #3
    Member
    Join Date
    Jul 2003
    Posts
    31
    Yeah - I can see a whole heap of problems with this
    Imagine a high bandwidth scanner sending hundreds / thousands of concurrent connections to your firewall..lets say 1000 per second

    Your firewall will hold the TCP connections open until the time_wait flag is triggered (normally after 10 minutes), then it would close them.

    Imagine a firewall that supports 65000 concurrent connections, a few backend servers that are serving pages to about 10000 users concurrently, and it aint gonna be long before for firewall reaches it's maximum number of concurrent connections and all further connections are denied!

    Of course, you could overcome this be setting your time_wait params to a value of about 30 seconds, but that rather defeats the point doesn't it!

    Sounds like this should never be implemented in a production environment.

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Ok who is trying this tool?

    lets get some subjective data into this conversation..

    LaBrea is not a new toy.. I have seen it mentioned for a few months on the Hackbusters site.. and for access to the download check this link ..
    download it and evaluate it..

    Any admin worth his salt will not test ANY software on a production machine.. duh!! Good or bad on this one who knows.. that is what testing is for.. no one here has tested it to make a valid comment..

    You have theorised now test your theories..

    Come back and bitch about it when you have usedit for more than a week..

    und3rtak3r

    Now I feel like a real twit:

    This bloody artical is 2 years old.. Ok who has tested this ?? Last stable version was released in January this year..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    I tested it and am still testing (playing with) it actually

    It does some ARP trick to get all non-used ip adresses on your network and it makes it look like about all ports are open on those virtual computers... then it does some trick, wich is very well explained in the LaBrea readme and docs, and slows down worms from spreading themselves. Of course when it get's a zillion connections it won't keep up, but you can tweak it to you likings.
    Double Dutch

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    that is getting a bit more scientific..


    Could it help reduce the spread inside a local domain.... ie on a corparate network.. to cover situations where a worm jumps the Systems perimiter defences?

    From what Iread that is what ist is intended to do.. not so much as a first line of defence..

    But here is where I am trying to learn more..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •