I have received a few requests for more information on LaBrea, so I am forwarding the e-mail describing it to the nanog list. I apologize if this is off-topic.

David Leonard
ShaysNet

-------- Original Message --------
From: "Tom Liston" <tliston@premmag.com> (by way of Matt Fearnow <matt@incidents.org>)
Subject: [unisog] New tool: LaBrea
To: unisog@sans.org

OK folks, the time has come to fight back...

Following up on my original work on CodeRedneck, I'm pleased to announce a new tool to let us *ethically* take a stand. Come on... let's build us some tarpits.

Announcing: LaBrea

LaBrea is a Linux boot disk, based on the Trinux/Linux distribution (http://www.trinux.org), combined with the techniques used by CodeRedneck to set up a "tarpit" on your netblock.

Essentially, what LaBrea does is to create "virtual machines" on your unused IP addresses, firewall them, and then latch onto any inbound traffic by using TCP/IP's tenacity against anyone who tries to connect.

You have a bunch of unused IPs? Here's what you do:

Get yourself an old machine and a generic NIC. The machine doesn't need to be a barn burner (see below). Heck, it doesn't even need a hard drive! LaBrea is run from a RAM disk.

Hook your old doorstop machine up to the network, somewhere where the portscanners will be sure to find it...

Download the LaBrea boot disk image from http://www.threenorth.com/LaBrea (Many, *many* thanks to Tim Rushing for hosting this for me!)

Create a real, live boot disk from the image. See instructions at: http://trinux.sourceforge.net/install.html (Don't worry... it's easy. You can do it from Windows or Linux...)

You'll need to pick a main IP address for the LaBrea machine. This IP address will temporarily need HTTP access to download the packages needed by Trinux to boot. You'll also need to know the netmask of the IPs you want to use, as well as your gateway address and the address of a DNS server.

Now, using any text editor, create a list of the IPs (one per line) that you want to teergrube and save it on the boot floppy under /tux/config as a file named "LaBrea". (Note: DON'T include the "main" IP address in this list... it will be taken care of automatically.)

Pop the LaBrea disk into your machine, and boot 'er up. It *should* recognize your NIC and fire off. If it doesn't... well, look around at the Trinux site for help. (I've fired it up on three machines here with three different NICs and it recognized every one of them...)

It'll ask you some questions. First of all, DON'T DO DHCP ADDRESS RESOLUTION. It won't work, I disabled it, but I didn't feel like digging through the innards of the Trinux boot disk to remove the question. So just don't do it... OK?

Since it can't use DHCP, here's where you'll need to know the IP address, netmask, gateway, etc... (Remember? I told you that you'd need to know that...)

Answer the questions, and the boot disk will set up the network connection and then it'll go out and grab any additional files that it needs to set up and run.

The machine will then alias itself to all of the IPs that you listed. It will use iptables to DROP all inbound TCP connections, and then it will launch LaBrea to teergrube ALL connection attempts to those IP addresses. *ALL* TCP CONNECTION ATTEMPTS. ON **EVERY** PORT. :-) :-) :-)

To make the process more automatic the next time you boot, drop into BASH and run the command "savecfg". That'll save your IP address, netmask, etc... back out to the floppy so it won't have to ask you about it if you reboot.

How well does it work?

Well, currently I have a 50 IP "tarpit" running on an old Pentium 233 that was sitting around without a HDD. From the logfiles, I pulled the following information after booting it up and running it for about 45 minutes.

I picked a pretty generic 10 minute "chunk" of time and followed all of the initial connections that came in:

During my 10 minute sample, I had 54 inbound connections. Now remember, these are previously *UNUSED* IP addresses. There is no reason for anything to come after them. All inbound connections were to port 80. (Gee, I wonder what that's from ;-)

I held onto those 54 connections for an average of 1 minute 41 seconds each. Therefore, in that 10 minute period, I wasted 1 hour 30 minutes and 32 seconds of CodeRed scanning time.

But folks, CodeRed is running on NT, and NT has a *short* TCP timeout. What this does to CodeRed connections ain't nothin' compared to what it'll do to a Linux based RPC Portmapper scanner: TWENTY FOUR MINUTES a connection!

Did I mention that LaBrea is set up to minimize impact on your network? Using TCP window advertisement, LaBrea chokes down the inbound packets to 10 data bytes each. Let's see... I held onto that RPC scanner for 24 minutes, and all he got to send me was 170 bytes of data...

This is fun.... Man, this is fun. I can't think of a time I've enjoyed my job more...

Some background:

My original proposal can be found here: http://www.incidents.org/archives/intrusions/msg01215.html
Mihnea Stoenescu's validation of the idea is described here: http://www.incidents.org/archives/intrusions/msg01239.html
The announcement of CodeRedneck: http://www.incidents.org/archives/intrusions/msg01262.html

Many thanks to Mihnea Stoenescu, Donald Smith, and Tim Rushing for all of their help on this.

-TL
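The figures Tom pulls from his logfiles (connections in a 10 minute window, which ports they hit, average hold time, total scanner time consumed, and how few bytes the 10-byte window let through) are the numbers anyone running a tarpit will want to track. The following is an added example, not part of the post and not LaBrea's own code. It parses a constructed, hypothetical log format (the post does not show what LaBrea actually writes, so the `src=... dst=... held=... bytes=...` layout, the addresses and the timings are all made up for illustration) and produces that same summary; adapt `LINE_RE` to whatever your tarpit really logs.

```python
"""Summarise tarpit activity from per-connection log lines.

Added example; the log format is hypothetical and the sample data is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample: one line per connection the tarpit answered, recording
# when it replied to the scanner's SYN, the scanner's address, the target
# address:port, how long the scanner stayed stuck, and how many payload bytes
# the throttled window actually accepted. Three port-80 hits (CodeRed-style)
# and one long-lived port-111 (portmapper) hit, as in the post's description.
SAMPLE_LOG = """\
2001-08-13 09:00:04 src=198.51.100.7:1034 dst=203.0.113.21:80 held=101s bytes=40
2001-08-13 09:00:09 src=198.51.100.7:1035 dst=203.0.113.22:80 held=98s bytes=40
2001-08-13 09:01:15 src=192.0.2.44:3301 dst=203.0.113.30:111 held=1440s bytes=170
2001-08-13 09:02:40 src=198.51.100.90:2211 dst=203.0.113.25:80 held=105s bytes=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+) "
    r"held=(?P<held>\d+)s bytes=(?P<bytes>\d+)$"
)


class Conn(NamedTuple):
    start: datetime      # when the tarpit first answered the SYN
    src: str             # scanning host
    dport: int           # port the scanner was after
    held: timedelta      # how long the scanner stayed stuck in the tarpit
    bytes_in: int        # payload bytes the small window let through


def parse_line(line: str) -> Conn:
    """Turn one hypothetical log line into a Conn; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Conn(
        start=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        src=m["src"],
        dport=int(m["dport"]),
        held=timedelta(seconds=int(m["held"])),
        bytes_in=int(m["bytes"]),
    )


def parse_log(text: str) -> List[Conn]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(conns: List[Conn], window: timedelta = timedelta(minutes=10)) -> Dict:
    """Summarise the connections that started within `window` of the first one.

    Returns the same kind of figures the post quotes: connection count, ports
    hit, distinct scanning hosts, average hold, total scanner time consumed
    ("wasted"), bytes accepted, and the effective inbound rate the window
    advertisement enforced.
    """
    if not conns:
        return {"connections": 0, "ports": {}, "distinct_sources": 0,
                "avg_hold_s": 0.0, "wasted_s": 0.0, "bytes_accepted": 0,
                "bytes_per_min": 0.0}
    t0 = min(c.start for c in conns)
    sample = [c for c in conns if c.start < t0 + window]
    wasted = sum((c.held for c in sample), timedelta()).total_seconds()
    accepted = sum(c.bytes_in for c in sample)
    return {
        "connections": len(sample),
        "ports": dict(Counter(c.dport for c in sample)),
        "distinct_sources": len({c.src for c in sample}),
        "avg_hold_s": wasted / len(sample),
        "wasted_s": wasted,
        "bytes_accepted": accepted,
        "bytes_per_min": accepted / (wasted / 60) if wasted else 0.0,
    }


def fmt_duration(seconds: float) -> str:
    """Render seconds as the 'Xh Ym Zs' form used in the post."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h}h {m}m {s}s"


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(f"{report['connections']} connections from "
          f"{report['distinct_sources']} hosts, ports hit: {report['ports']}")
    print(f"average hold {fmt_duration(report['avg_hold_s'])}, "
          f"scanner time consumed {fmt_duration(report['wasted_s'])}")
    print(f"{report['bytes_accepted']} bytes accepted in total, "
          f"about {report['bytes_per_min']:.1f} bytes/min")
```

Because every figure is computed from the hold time and accepted byte count per connection, the same function reports both the CodeRed case (many short holds) and the portmapper case (one very long hold with almost no data), which is the contrast the post draws.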