
Thread: Tarpit Scanning

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    20

    Tarpit Scanning

    Does anyone have experience scanning hosts running iptables firewalls running tarpits?

    I have come up against a few recently with nmap and I'm wondering what's the best way around them.

    Anyone know of any specific options I can specify through nmap to help avoid these ports?

    I thought about just specifying known ports for my scans, but that means I would miss any other servers running on non-standard ports.

    Any help would be great.

    Memnoch

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I have come up against a few recently with nmap and I'm wondering what's the best way around them.
    Interesting... A "few".... I dunno, but I wasn't under the impression that the net is littered with these things. That being the case I would suspect foul play in the form of a honeynet.

    What evidence do you have to support your theory that you are being tarpitted?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    Hehehe sorry, I will be more specific: by a few I don't mean I have been randomly scanning subnets attempting to find some tarpits.

    Basically a friend of mine works for an IT company and they have deployed tarpits to some of their clients who are using Linux firewalls (instead of Cisco PIXs or the like).

    After talking with the customers we decided it would be good to test these systems and find any problems now before they're deployed.

    After scanning them I have read up on the technology and set up a system on my local network with a tarpit to test with.

    Honeypots wouldn't throw off the same results; they are just there pretending to be other machines and services to trap hackers, whereas tarpits are ports which will allow a few packets through the firewall to act like a service is running on that port, then drop the window size on the packet to zero, effectively forcing that connection open.

    Memnoch
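
Added example (not part of the thread or any poster's code): when validating a tarpit deployment on your own firewall, the behaviour described in post #3 can be confirmed from a capture by reading the flags and window field of each server-side TCP header. The segments, ports and window values below are constructed for illustration, and `build` is a hypothetical helper.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

def parse_tcp(segment: bytes):
    """Return (flags, window, header_len) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Source port, dest port, seq, ack, data-offset/flags, window
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset")
    return off_flags & 0x3F, window, hlen

def looks_like_tarpit(server_segments):
    """True if the server accepted the handshake and then only sent
    empty ACKs advertising a zero window (connection held open)."""
    accepted, zero_window_acks = False, 0
    for seg in server_segments:
        flags, window, hlen = parse_tcp(seg)
        if flags & RST:
            return False                      # port closed or connection reset
        if flags & SYN and flags & ACK:
            accepted = True                   # handshake answered
            continue
        if len(seg) > hlen or window > 0 or flags & FIN:
            return False                      # data, open window or clean close
        zero_window_acks += 1
    return accepted and zero_window_acks > 0

def build(flags, window, payload=b""):
    """Constructed 20-byte TCP header (hypothetical ports/sequence numbers)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", 8080, 40000, 1000, 2000, off_flags, window, 0, 0) + payload

# Constructed sample flows: server-to-client segments only
TARPIT = [build(SYN | ACK, 5), build(ACK, 0), build(ACK, 0)]
SERVICE = [build(SYN | ACK, 29200), build(ACK | PSH, 29200, b"banner\r\n")]
CLOSED = [build(RST | ACK, 0)]

if __name__ == "__main__":
    for name, flow in (("tarpit", TARPIT), ("service", SERVICE), ("closed", CLOSED)):
        print(name, looks_like_tarpit(flow))
```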

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm well aware of what a tarpit is...

    I take it then that you have witnessed the "closing of the window"?

    A sophisticated honeynet could quite easily contain tarpits, though since you know what it is you are looking at, then clearly it isn't one.

    What NMAP switches have you used to date?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
