-
August 29th, 2003, 09:29 PM
#1
Banned
Tarpits, slowing down the worms
There are some interesting articles that I would like to point the AO community to.
They are about Tarpits. I could give a shot at explaining the concept but I think the articles do a better job than I will:
Here are the links:
A 'Tarpit' That Traps Worms <--wired
Slow Down Internet Worms With Tarpits <--security focus
If more people would join in this concept I think the worms could be slowed down big time.
Please read the articles!
Both are a bit outdated (one from 2001) but I still think they are a good read.
-
August 30th, 2003, 10:13 AM
#2
Junior Member
Anyone actually tried this?
Sounds like a honeypot gone mad
-
August 31st, 2003, 08:16 AM
#3
Member
Yeah - I can see a whole heap of problems with this
Imagine a high bandwidth scanner sending hundreds / thousands of concurrent connections to your firewall... let's say 1000 per second.
Your firewall will hold the TCP connections open until the time_wait flag is triggered (normally after 10 minutes), then it would close them.
Imagine a firewall that supports 65000 concurrent connections, a few backend servers that are serving pages to about 10000 users concurrently, and it ain't gonna be long before the firewall reaches its maximum number of concurrent connections and all further connections are denied!
Of course, you could overcome this by setting your time_wait params to a value of about 30 seconds, but that rather defeats the point, doesn't it!
Sounds like this should never be implemented in a production environment.
-
August 31st, 2003, 11:39 AM
#4
Ok who is trying this tool?
Let's get some subjective data into this conversation..
LaBrea is not a new toy.. I have seen it mentioned for a few months on the Hackbusters site.. and for access to the download check this link ..
download it and evaluate it..
Any admin worth his salt will not test ANY software on a production machine.. duh!! Good or bad on this one who knows.. that is what testing is for.. no one here has tested it to make a valid comment..
You have theorised now test your theories..
Come back and bitch about it when you have used it for more than a week..
und3rtak3r
Now I feel like a real twit:
This bloody article is 2 years old.. Ok who has tested this?? Last stable version was released in January this year..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 31st, 2003, 12:33 PM
#5
I tested it and am still testing (playing with) it actually
It does some ARP trick to get all non-used IP addresses on your network and it makes it look like about all ports are open on those virtual computers... then it does some trick, which is very well explained in the LaBrea readme and docs, and slows down worms from spreading themselves. Of course when it gets a zillion connections it won't keep up, but you can tweak it to your liking.
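To make the mechanism described in post #5 (and the capacity worry raised in post #3) concrete, here is a small discrete-time model of a worm spreading across one subnet, run once with a LaBrea-style tarpit answering for the unused addresses and once without. This is an added illustration for the thread, not code from LaBrea or from any poster, and every parameter in it (subnet size, number of vulnerable hosts, scanner threads per worm, hold and timeout lengths, the assumption that every address is either a vulnerable host or unused) is a made-up value chosen to make the effect visible, not a measurement of anything.

```python
"""Toy model: worm spread on one subnet, with and without a tarpit.

Added illustration for this thread; not LaBrea's code and not any poster's.
All parameters are assumed values for demonstration only.
"""
import random


def simulate(n_addresses=256, n_vulnerable=40, threads_per_worm=8,
             tarpit=True, connect_ticks=1, timeout_ticks=3,
             hold_ticks=60, max_ticks=20000, seed=1):
    """Return (ticks_until_every_vulnerable_host_is_infected, peak_held).

    Assumed model:
      * every address is either a vulnerable host or an unused address;
      * each infected host runs `threads_per_worm` scanner threads, and each
        thread picks a random target and is then busy for a while:
          - the target is a real host: busy `connect_ticks`, and an
            uninfected target becomes infected when the connection finishes;
          - the target is unused and the tarpit is on: the tarpit answers the
            SYN and holds the connection, so the thread is stuck `hold_ticks`;
          - the target is unused and the tarpit is off: nobody answers and the
            thread gives up after `timeout_ticks`.
    `peak_held` is the most scanner threads the tarpit held at any one tick
    (always 0 when the tarpit is off).  The first value is None if the worm
    has not reached every vulnerable host within `max_ticks`.
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(n_addresses), n_vulnerable))
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    # per infected host: list of (busy_until_tick, held_by_tarpit) per thread
    threads = {patient_zero: [(0, False)] * threads_per_worm}
    pending = []          # (finish_tick, target) for connections in progress
    peak_held = 0

    for tick in range(max_ticks):
        # Connections that completed this tick infect their target (once).
        still_pending = []
        for finish, target in pending:
            if finish <= tick:
                if target not in infected:
                    infected.add(target)
                    threads[target] = [(tick, False)] * threads_per_worm
            else:
                still_pending.append((finish, target))
        pending = still_pending

        if len(infected) == len(vulnerable):
            return tick, peak_held

        # Every idle scanner thread picks a new target.
        for slots in threads.values():
            for i, (busy_until, _) in enumerate(slots):
                if busy_until > tick:
                    continue                      # still tied up
                target = rng.randrange(n_addresses)
                if target in vulnerable:
                    slots[i] = (tick + connect_ticks, False)
                    pending.append((tick + connect_ticks, target))
                elif tarpit:
                    slots[i] = (tick + hold_ticks, True)   # stuck in the tarpit
                else:
                    slots[i] = (tick + timeout_ticks, False)

        held = sum(1 for slots in threads.values()
                   for busy_until, in_tarpit in slots
                   if in_tarpit and busy_until > tick)
        peak_held = max(peak_held, held)

    return None, peak_held


def compare(seed=1, **kwargs):
    """Time to full infection with and without the tarpit, same seed."""
    with_tarpit, held = simulate(tarpit=True, seed=seed, **kwargs)
    without_tarpit, _ = simulate(tarpit=False, seed=seed, **kwargs)
    return {"ticks_with_tarpit": with_tarpit,
            "ticks_without_tarpit": without_tarpit,
            "peak_connections_held": held}


if __name__ == "__main__":
    for seed in range(3):
        print(seed, compare(seed=seed))
```

The `peak_connections_held` figure is the part that speaks to post #3: the longer the hold time and the more addresses the tarpit answers for, the more half-open connections sit on the wire at once, so the slowdown is bought with connection state somewhere, and the knobs worth tweaking before rolling this out are exactly `hold_ticks` and the share of the subnet that is unused.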
-
August 31st, 2003, 01:39 PM
#6
that is getting a bit more scientific..
Could it help reduce the spread inside a local domain.... ie on a corporate network.. to cover situations where a worm jumps the system's perimeter defences?
From what I read that is what it is intended to do.. not so much as a first line of defence..
But here is where I am trying to learn more..
Cheers