Friday, January 06, 2006
More tarpit stuff
The problem ended up being the cable; nothing a little recrimping couldn't fix.
I did, however, run LaBrea on the working port last night, and have a full twelve hours of data, from 00:00:00 (Eastern) to 11:59:59, and the results are rather amusing. 55,331 port connections on hold, from 1,743 unique IP addresses. And the only surprising thing is the low number of scans for SMTP.
| Port # | Port description | # connections |
|---|---|---|
| 139 | NetBIOS Session Service | 5,934 |
| 80 | Hypertext Transport Protocol | 1,692 |
| 22 | Secure Shell Login | 1,190 |
| 6129 | Dameware remote administration software | 486 |
| 2100 | Oracle XDB FTP Services | 377 |
| 1433 | Microsoft SQL Server | 258 |
| 5000 | Microsoft Universal Plug-n-Play | 13 |
| 25 | Simple Mail Transport Protocol | 7 |
And it seems, from these results, that simply blocking the ports used by Microsoft Windows will stop 87% of these scans (and for our particular run, if I just blocked 18.104.22.168 I would have stopped 35% of all the scans—that was a particularly persistent computer).
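The tally behind figures like these can be reproduced from a tarpit log with a short script. This is an added example, not code from the original post or from LaBrea: the log line layout, the sample lines, and the set of ports treated as "Windows ports" are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed line layout, constructed for this example (not copied from real LaBrea output):
#   <timestamp> Initial Connect - tarpitting: <src_ip> <src_port> -> <dst_ip> <dst_port>
LINE_RE = re.compile(
    r"tarpitting: (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \d+ -> "
    r"\d{1,3}(?:\.\d{1,3}){3} (?P<dport>\d+)\s*$"
)

# Assumption: the ports treated as "used by Microsoft Windows" for the block list.
WINDOWS_PORTS = frozenset({135, 139, 445, 1433, 5000})

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """\
Fri Jan  6 00:00:01 2006 Initial Connect - tarpitting: 203.0.113.7 1025 -> 192.0.2.10 139
Fri Jan  6 00:00:02 2006 Initial Connect - tarpitting: 203.0.113.7 1026 -> 192.0.2.11 139
Fri Jan  6 00:00:05 2006 Initial Connect - tarpitting: 198.51.100.4 4411 -> 192.0.2.10 80
Fri Jan  6 00:00:09 2006 Initial Connect - tarpitting: 203.0.113.7 1027 -> 192.0.2.12 445
Fri Jan  6 00:00:12 2006 Initial Connect - tarpitting: 198.51.100.9 2200 -> 192.0.2.10 22
Fri Jan  6 00:00:15 2006 Persist Activity: 203.0.113.7 1025 -> 192.0.2.10 139
Fri Jan  6 00:00:20 2006 Initial Connect - tarpitting: 198.51.100.4 4412 -> 192.0.2.13 1433
Fri Jan  6 00:00:31 2006 Initial Connect - tarpitting: 198.51.100.9 2201 -> 192.0.2.11 25
""".splitlines()


def summarize(lines, blocked_ports=WINDOWS_PORTS):
    """Tally captured connections by destination port and by source address."""
    by_port, by_source, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:  # not a new-capture line (or malformed): do not count it
            skipped += 1
            continue
        by_port[int(m["dport"])] += 1
        by_source[m["src"]] += 1
    total = sum(by_port.values())
    blocked = sum(n for port, n in by_port.items() if port in blocked_ports)
    top_source = by_source.most_common(1)[0] if by_source else (None, 0)
    return {
        "total": total, "unique_sources": len(by_source), "by_port": by_port,
        "skipped": skipped, "blocked": blocked,
        "blocked_share": blocked / total if total else 0.0,
        "top_source": top_source,
        "top_source_share": top_source[1] / total if total else 0.0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['blocked_share']:.0%} of connections hit the blocked ports")
    print(f"{report['top_source'][0]} accounts for {report['top_source_share']:.0%}")
```

Only lines that record a newly captured connection are counted, so follow-up activity on an already held connection does not inflate the per-port numbers.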
Update on Saturday, January 7th, 2006
I may not have been properly tarpitting the connections.