The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Friday, January 06, 2006

More tarpit stuff

The problem ended up being the cable; nothing a little recrimping couldn't fix.

I did however, run LaBrea on the working port last night, and have a full twelve hours of data, from 00:00:00 (Eastern) to 11:59:59, and the results are rather amusing. 55,331 port connections on hold, from 1,743 unique IP addresses. And the only surprising thing is the low number of scans for SMTP.

Ports captured during a Labrea run of twelve hours
Port # Port description # connections
135 Microsoft-RPC service 30,218
445 Microsoft-DS Service 11,813
139 NetBIOS Session Service 5,934
4899 Remote Administration 2,412
80 Hypertext Transport Protocol 1,692
22 Secure Shell Login 1,190
6129 Dameware remote administration software 486
1080 W32.Mydoom.F@mm worm 404
2100 Oracle XDB FTP Services 377
4444 W32.Blaster.Worm 372
1433 Microsoft SQL Server 258
15118 Dipnet/Oddbob Worm 140
5000 Microsoft Universal Plug-n-Play 13
2745 Bagle/Beagle/Tanx viruses 10
25 Simple Mail Transport Protocol 7
47707 unknown 5

And it seems, from these results, that simply blocking the ports used by Microsoft Windows will stop 87% of these scans (and for our particular run, if I just blocked 216.82.207.49 I would have stopped 35% of all the scans—that was a particularly persistent computer).

Update on Saturday, January 7th, 2006

I may not have been properly tarpitting the connections.

Obligatory Picture

An abstract representation of where you're coming from]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

Obligatory AI Disclaimer

No AI was used in the making of this site, unless otherwise noted.

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site: https://boston.conman.org/, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

https://boston.conman.org/2000/08/01

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.