David, thanks for this information. Finally a bit of useful commentary regarding CodeRed and perhaps a partial rebuttal to it.

-Joe

-----Original Message-----
From: M. David Leonard [mailto:mdl@equinox.shaysnet.com]
Sent: Sunday, August 19, 2001 5:38 PM
To: nanog@nanog.org
Subject: LaBrea tarpit info and URL




        I have received a few requests for more information on LaBrea, so
I am forwarding the e-mail describing it to the nanog list.  I apologize
if this is off-topic.


                                        David Leonard
                                        ShaysNet


-------- Original Message --------
From: "Tom Liston" <tliston@premmag.com> (by way of Matt Fearnow
<matt@incidents.org>)
Subject: [unisog] New tool: LaBrea
To: unisog@sans.org

OK folks, the time has come to fight back...

Following up on my original work on CodeRedneck, I'm pleased to announce a
new tool to let us *ethically* take a stand.  Come on... let's build us
some tarpits.

Announcing: LaBrea

LaBrea is a Linux boot disk, based on the Trinux/Linux distribution
(http://www.trinux.org), combined with the techniques used by CodeRedneck
to set up a "tarpit" on your netblock.  Essentially, what LaBrea does is
to create "virtual machines" on your unused IP addresses, firewall them,
and then latch onto any inbound traffic by using TCP/IP's tenacity against
anyone who tries to connect.

You have a bunch of unused IPs?  Here's what you do:

Get yourself an old machine and a generic NIC.  The machine doesn't need
to be a barn burner (see below).  Heck, it doesn't even need a hard drive!
LaBrea is run from a RAM disk.

Hook your old doorstop machine up to the network, somewhere where the
portscanners will be sure to find it...

Download the LaBrea boot disk image from
http://www.threenorth.com/LaBrea
(Many, *many* thanks to Tim Rushing for hosting this for me!)

Create a real, live boot disk from the image. See instructions at:
http://trinux.sourceforge.net/install.html
(Don't worry... it's easy.  You can do it from Windows or Linux...)

You'll need to pick a main IP address for the LaBrea machine. This IP
address will temporarily need HTTP access to download the packages needed
by Trinux to boot. You'll also need to know the netmask of the IPs you
want to use, as well as your gateway address and the address of a DNS
server.

Now, using any text editor, create a list of the IPs (one per line) that
you want to teergrube and save it on the boot floppy under /tux/config as
a file named "LaBrea". (Note: DON'T include the "main" IP address in this
list... it will be taken care of automatically.)

Pop the LaBrea disk into your machine, and boot 'er up.

It *should* recognize your NIC and fire off.  If it doesn't... well, look
around at the Trinux site for help.  (I've fired it up on three machines
here with three different NICs and it recognized every one of them...)

It'll ask you some questions.  First of all, DON'T DO DHCP ADDRESS
RESOLUTION. It won't work, I disabled it, but I didn't feel like digging
through the innards of the Trinux boot disk to remove the question.  So
just don't do it... OK? Since it can't use DHCP, here's where you'll need
to know the IP address, netmask, gateway, etc... (Remember?  I told you
that you'd need to know that...)

Answer the questions, and the boot disk will set up the network connection
and then it'll go out and grab any additional files that it needs to set
up and run.  The machine will then alias itself to all of the IPs that you
listed. It will use iptables to DROP all inbound TCP connections, and then
it will launch LaBrea to teergrube ALL connection attempts to those IP
addresses.

*ALL* TCP CONNECTION ATTEMPTS.  ON **EVERY** PORT.  :-) :-) :-)

To make the process more automatic the next time you boot, drop into BASH
and run the command "savecfg".  That'll save your IP address, netmask,
etc... back out to the floppy so it won't have to ask you about it if you
reboot.

How well does it work?  Well, currently I have a 50 IP "tarpit" running on
an old Pentium 233 that was sitting around without a HDD.  From the
logfiles, I pulled the following information after booting it up and
running it for about 45 minutes.  I picked a pretty generic 10 minute
"chunk" of time and followed all of the initial connections that came in:

During my 10 minute sample, I had 54 inbound connections.  Now remember,
these are previously *UNUSED* IP addresses.  There is no reason for
anything to come after them.  All inbound connections were to port 80.
(Gee, I wonder what that's from ;-)

I held onto those 54 connections for an average of 1 minute 41 seconds
each. Therefore, in that 10 minute period, I wasted 1 hour 30 minutes and
32 seconds of CodeRed scanning time.  But folks, CodeRed is running on NT,
and NT has a *short* TCP time out.  What this does to CodeRed connections
ain't nothin' compared to what it'll do to a Linux based RPCPortmapper
scanner:  TWENTY FOUR MINUTES a connection!

Did I mention that LaBrea is set up to minimize impact on your network?
Using TCP window advertisement, LaBrea chokes down the inbound packets to
10 data bytes each.  Let's see... I held onto that RPC scanner for 24
minutes, and all he got to send me was 170 bytes of data...

This is fun.... Man, this is fun.  I can't think of a time I've enjoyed my
job more...

Some background:
My original proposal can be found here:
http://www.incidents.org/archives/intrusions/msg01215.html

Mihnea Stoenescu's validation of the idea is described here:
http://www.incidents.org/archives/intrusions/msg01239.html

The announcement of CodeRedneck:
http://www.incidents.org/archives/intrusions/msg01262.html

Many thanks to Mihnea Stoenescu, Donald Smith, and Tim Rushing for all
of their help on this.

-TL
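The figures quoted in the thread (connections held for an average of 1 minute 41 seconds, scanner time consumed, 170 bytes received over a 24-minute hold) are the kind of numbers an operator pulls from a tarpit's log after the fact. The script below is an added example, not part of the thread and not LaBrea's own code; it pairs OPEN/CLOSE events for each flow in a constructed log (the line format is assumed for this example, since the real LaBrea log format is not shown above), computes per-connection hold time, totals per destination port, and flags flows that are still held when the log ends rather than silently dropping them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The format is an assumption made for this example;
# ports 80 and 111 mirror the HTTP and RPC portmapper scanners the thread mentions.
SAMPLE_LOG = """\
2001-08-19 17:38:02 OPEN  198.51.100.7:1034 -> 192.0.2.17:80
2001-08-19 17:38:10 OPEN  198.51.100.9:2210 -> 192.0.2.18:80
2001-08-19 17:38:15 OPEN  203.0.113.4:3001 -> 192.0.2.20:111
2001-08-19 17:39:43 CLOSE 198.51.100.7:1034 -> 192.0.2.17:80 bytes=30
2001-08-19 17:40:01 CLOSE 198.51.100.9:2210 -> 192.0.2.18:80 bytes=20
2001-08-19 17:45:00 OPEN  198.51.100.12:4410 -> 192.0.2.19:80
2001-08-19 18:02:15 CLOSE 203.0.113.4:3001 -> 192.0.2.20:111 bytes=170
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ev>OPEN|CLOSE)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: bytes=(?P<bytes>\d+))?$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Pair OPEN and CLOSE events per (src, sport, dst, dport) flow.

    Returns one record per flow with the hold time in seconds and the bytes
    the scanner managed to send. Flows with no CLOSE are still being held
    when the log ends; they are reported with still_open=True and a duration
    measured up to the last timestamp seen, with bytes unknown (0).
    """
    open_flows = {}
    records = []
    last_ts = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a connection event; skip it
        ts = parse_ts(m["ts"])
        if last_ts is None or ts > last_ts:
            last_ts = ts
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["ev"] == "OPEN":
            open_flows[key] = ts
        elif key in open_flows:
            started = open_flows.pop(key)
            records.append({
                "src": key[0], "dport": key[3],
                "seconds": int((ts - started).total_seconds()),
                "bytes": int(m["bytes"] or 0),
                "still_open": False,
            })
    # Flows never closed are still tied up in the tarpit at end of log.
    for key, started in open_flows.items():
        records.append({
            "src": key[0], "dport": key[3],
            "seconds": int((last_ts - started).total_seconds()),
            "bytes": 0,
            "still_open": True,
        })
    return records


def summarize(records):
    """Aggregate hold time and bytes overall and per destination port."""
    total = sum(r["seconds"] for r in records)
    per_port = defaultdict(lambda: {"connections": 0, "seconds": 0, "bytes": 0})
    for r in records:
        p = per_port[r["dport"]]
        p["connections"] += 1
        p["seconds"] += r["seconds"]
        p["bytes"] += r["bytes"]
    return {
        "connections": len(records),
        "still_open": sum(1 for r in records if r["still_open"]),
        "total_seconds": total,
        "mean_seconds": total / len(records) if records else 0.0,
        "per_port": dict(per_port),
    }


def fmt_duration(seconds):
    """Render seconds as the 'Xh YYm ZZs' style used in the thread."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes:02d}m {secs:02d}s"


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print("connections:", summary["connections"], "still held:", summary["still_open"])
    print("scanner time consumed:", fmt_duration(summary["total_seconds"]))
    for port, stats in sorted(summary["per_port"].items()):
        print(f"port {port}: {stats['connections']} conns, "
              f"{fmt_duration(stats['seconds'])}, {stats['bytes']} bytes received")
```

Reading the per-port totals side by side is what makes the thread's point visible: the port 111 flow is held an order of magnitude longer than the port 80 flows while delivering only a few bytes per minute, which is exactly the small-window behaviour the announcement describes. Counting still-open flows separately matters for capacity planning on the tarpit host, since those are the connections it is currently paying for.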