Thursday, January 05, 2006
Slogging through the 'pit
Today was the first day I ran the Labrea tarpit on the network. I almost didn't leave the office since the results were most interesting. The first hour it ran (from 19:04:31 Eastern to 20:04:31) it “pitted” 9,309 connections from 865 unique IPs. And the ports involved:
Port # | Port description | # connections |
---|---|---|
135 | Microsoft-RPC service | 4,996 |
445 | Microsoft-DS Service | 3,724 |
139 | NetBIOS Session Service | 295 |
22 | Secure Shell Login | 231 |
80 | Hypertext Transport Protocol | 62 |
6348 | unassigned (possible worm?) | 1 |
That Microsoft specific ports are at the top of the list are totally unexpected here.
I did learn a few things about LaBrea though. One, it only works on a single netblock. Unfortunately for us at The Company, we have several network blocks to worry about and that means either a few machines running this, or several instances (and given that LaBrea puts the network interface in promiscuous mode, I'm not sure how multiple instances would react with each other on the same interface) on different interfaces on one box.
Two, the network block does not have to match the network block the actual system is in, which saves an unsused IP address (ha ha).
A puzzling thing though. I got home, it was still running. I checked back a few hours later, and nothing past 20:21:17. LaBrea was still running, but either we captured all that could be captured, or something else was up.
Or down, as it turned out.
The interface that LaBrea was running on just died. I don't know if the switch doesn't like it (unlikely), the network cable is bad (could be—I did make the cable) or the interface just blew up (also a possibility). Even a reboot of the system didn't fix the problem. I'm hoping it's just the cable.