Thursday, January 26, 2006
Oh, it's still useful, just not as useful as I expected
By using ltpstat
I've been able to see that the LaBrea tarpit isn't quite
as effective as I first thought. Yes, it does slow down scans, but not
quite as much as one thinks. I'm guessing that scanning software now
includes the “timeout” concept—if a connection takes too long, drop the
connection and move on.
A few days ago I added a feature to ltpstat
to remove
entries that have not seen any activity for over an hour (default setting).
After running the tarpit for over a day, I see the following stats:
Jan 27 01:57:08 ltp ltp-report: Start: Wed Jan 25 17:27:55 2006 End: Fri Jan 27 01:57:08 2006 Running time: 1d 8h 29m 13s Jan 27 01:57:08 ltp ltp-report: Pool-max: 1048576 Jan 27 01:57:08 ltp ltp-report: Pool-num: 107287 Jan 27 01:57:08 ltp ltp-report: Rec-max: 1048576 Jan 27 01:57:08 ltp ltp-report: Rec-num: 107287 Jan 27 01:57:08 ltp ltp-report: UIP-max: 1048576 Jan 27 01:57:08 ltp ltp-report: UIP-num: 2558 Jan 27 01:57:08 ltp ltp-report: Reported-bandwidth: 32 (Kb/sec)
Okay, I've “captured” 107,287 connections. But how many of those are still active?
Jan 27 01:58:32 ltp ltp-report: Removing records with no activity for the past 1h Jan 27 01:58:32 ltp ltp-report: ... keeping 11180 records with activity since Fri Jan 27 00:58:31 2006
Well then. Over 96,000 connections were no longer “active” and of the 2,558 machines doing the scanning, some 2,200 had moved on.
So it looks like the LaBrea tar pit is really only useful to see what's
being attacked, and which machines on the Internet are really doing the
attacking (so far, 24.73.129.197
seems to be quite tenacious in
scanning).
And the ports being scanned? Again, it's the Microsoft specific ports as usual. No use making a chart this time.