The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, March 22, 2006

Once more into the tarpit

It's been a while since I last reported on the Labrea Tarpit we're running. In the almost two months since I've mentioned it, it's just been sitting on a shelf, tarpitting away. As I reported back then, it seems that it's more effective at telling us what's attacking us (IP address) and where (port number) than actually slowing down the attacks.

Yesterday, Dan the Network Engineer asked if he could get regular reports of what IP addresses are hitting us hard. So I modified ltpstat to generate the requested information (I'm not bothering to mask the offending IP addresses):

Attacking IP addresses
IP AddressNumber of “connections”
81.248.42.1337207
160.79.143.98846
59.21.72.1691
216.48.7.19552
82.76.161.38487
217.132.178.97484
193.15.92.167421
66.131.62.208370
64.182.81.74329
216.82.220.172323

I also had it generate a list of ports being attacked. Again, nothing surprising here:

Top 6 ports captured by Labrea since the last purge

| Port # | Port description | # connections |
|---|---|---|
| 4899 | Remote Administration | 8,892 |
| 139 | NetBIOS Session Service | 5,081 |
| 1433 | Microsoft SQL Server | 1,644 |
| 135 | Microsoft-RPC service | 1,071 |
| 445 | Microsoft-DS Service | 914 |
| 80 | Hypertext Transfer Protocol | 850 |

(Just a note—I was able to generate this data from the existing reports that ltpstat generated, but pulling just this information out of said reports required at least three processes per report. It was just as easy to have just the information required for this to be generated by ltpstat itself)

Dan the Network Engineer is planning on taking these reports and automatically blocking the offending IP addresses from scanning our network. Should be a pretty sweet setup once it gets going.
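The per-IP and per-port tallies described in this entry, together with the threshold step an automatic block list would need, as an added example that is not the author's ltpstat code. The log line layout, the sample addresses (documentation ranges) and the names `tally` and `block_candidates` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines. The "src sport -> dst dport" layout is an assumed
# tarpit log format; all addresses come from documentation ranges.
SAMPLE_LOG = """\
1143000001 Initial Connect - tarpitting: 203.0.113.7 4101 -> 192.0.2.10 4899
1143000002 Initial Connect - tarpitting: 203.0.113.7 4102 -> 192.0.2.11 4899
1143000003 Initial Connect - tarpitting: 198.51.100.23 1377 -> 192.0.2.10 139
1143000004 Persist Activity: 203.0.113.7 4101 -> 192.0.2.10 4899
1143000005 Initial Connect - tarpitting: 203.0.113.7 4103 -> 192.0.2.12 1433
1143000006 garbage line that should be skipped
1143000007 Initial Connect - tarpitting: 198.51.100.99 2200 -> 192.0.2.10 80
1143000008 Initial Connect - tarpitting: 999.1.1.1 2200 -> 192.0.2.10 80
"""
# Only new connections match, so a held (persisted) session is not counted twice.
CONNECT = re.compile(r"Initial Connect\b.*?:\s*(\S+)\s+\d+\s*->\s*\S+\s+(\d+)\s*$")

def tally(lines):
    """Count new tarpitted connections per source IP and per destination port."""
    by_ip, by_port = Counter(), Counter()
    for line in lines:
        m = CONNECT.search(line)
        if not m:
            continue  # other record types and malformed lines
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a real address: never hand it to a firewall
        port = int(m.group(2))
        if not 0 < port < 65536:
            continue
        by_ip[str(src)] += 1
        by_port[port] += 1
    return by_ip, by_port

def block_candidates(by_ip, threshold, allowlist=()):
    """Sources at or above threshold, minus networks that must never be blocked."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    return [ip for ip, n in by_ip.most_common()
            if n >= threshold
            and not any(ipaddress.ip_address(ip) in net for net in nets)]

if __name__ == "__main__":
    by_ip, by_port = tally(SAMPLE_LOG.splitlines())
    print("top sources:", by_ip.most_common(10))
    print("top ports:  ", by_port.most_common(6))
    print("block list: ", block_candidates(by_ip, threshold=2))
```

The allowlist matters once the output drives a firewall, since a source address seen only in an initial SYN can be forged.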


Two Pictures from The Data Center at The Company

[Look!  Blinken lights!]

Two more photos, this time from the Data Center.

[Yeah, the color balance is off.  It's a camera phone!]

Can you tell I really like this panoramic feature of the phone camera?

I also decided to add this vertical panoramic shot I took to the sidebar there to the right. Just because.

Copyright © 1999-2021 by Sean Conner. All Rights Reserved.