|> From: Patrick Greenwell [mailto:patrick@cybernothing.org] |> Sent: Sunday, August 19, 2001 6:01 PM |> |> On Sun, 19 Aug 2001, M. David Leonard wrote: |> |> > -------- Original Message -------- |> > From: "Tom Liston" <tliston@premmag.com> (by way of Matt Fearnow |> > <matt@incidents.org>) |> > Subject: [unisog] New tool: LaBrea |> > To: unisog@sans.org |> > |> > OK folks, the time has come to fight back... |> > |> > Following up on my original work on CodeRedneck, I'm |> pleased to announce a |> > new tool to let us *ethically* take a stand. Come on... |> let's build us |> > some tarpits. |> |> Yawn. So someone adds a timeout to their |> scanner/worm/whatever. "Problem" |> solved. Didn't we try something like this wrt email address scanners? Only in that case, we actually tried to poison them. I don't believe that worked very well either. In addition, it melts down the saint runs you do to manage your own networks. For various sizes of LANs, this is a problem. However, a tcp_wrappers boobie-trap mightn't be such a bad idea. It detects a scan from outside the net-block and tries it's level best to return the favor with a saint run, reporting whatever it finds. Of course, one needs a solution for the deadly-embrace problem. Once CodeRed infestation is confirmed, one has a variety of options. 1) Send demand letter to infested host's owner, to cease and desist. 2) Raise automated blocks, for that host, at your border (adaptive shielding). 3) Use the CodeRed backdoor to force that host to shutdown, or worse. However, LaBrea seems useless.