[40720] in North American Network Operators' Group


Right way to gum up CodeRed (I think)

daemon@ATHENA.MIT.EDU (M. David Leonard)
Sun Aug 19 13:04:21 2001

Date: Sun, 19 Aug 2001 13:05:59 -0400 (EDT)
From: "M. David Leonard" <mdl@equinox.shaysnet.com>
To: nanog@nanog.org
Message-ID: <Pine.3.89.10108191227.A9350-0100000@equinox.shaysnet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


Guys-

	There is a neat 'tarpit' package called LaBrea.  It runs off a
single boot floppy (Trinux, I believe), supports vifs, and is verrrry
sticky on incoming TCP/IP connections.  Install it on an old clunker
machine you've got lying around collecting dust.  Give it some unassigned
(and unadvertised) IP addresses in your block and let it cling for up to
24 minutes on each connection attempt.  Slows CodeRed right down, with a
minimum of bandwidth wasted.  IMHO it sounds much better than 50MB
'default.ida' files.  Plus, it does the same to script kiddies trying to 
run a port scan.


					David Leonard
					ShaysNet
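
A socket-level sketch of the tarpit idea described in the message above, added here as an example; it is not code from the post or from LaBrea. It assumes a listener on an address the host already owns rather than on unassigned addresses, and the `Tarpit` class, the loopback default and port 8080 are hypothetical names and values chosen for illustration.

```python
import selectors
import socket
import time

HOLD_SECONDS = 24 * 60  # the post's "up to 24 minutes on each connection attempt"


class Tarpit:
    """Accept TCP connections, never answer, release each after hold_seconds."""

    def __init__(self, host="127.0.0.1", port=0, hold_seconds=HOLD_SECONDS):
        self.hold_seconds = hold_seconds
        self.held = {}      # accepted socket -> (peer address, accept time)
        self.released = []  # (peer address, seconds held), kept for logging
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Request the smallest receive buffer the OS allows (inherited by
        # accepted sockets) so a peer can queue very little data on us.
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1)
        self.listener.bind((host, port))
        self.listener.listen(128)
        self.listener.setblocking(False)
        self.address = self.listener.getsockname()
        self.selector = selectors.DefaultSelector()
        self.selector.register(self.listener, selectors.EVENT_READ)

    def step(self, timeout=0.05):
        """Accept one waiting peer, then close any held for hold_seconds."""
        if self.selector.select(timeout):
            try:
                conn, peer = self.listener.accept()
                self.held[conn] = (peer, time.monotonic())  # no read, no write
            except BlockingIOError:
                pass
        now = time.monotonic()
        for conn, (peer, since) in list(self.held.items()):
            if now - since >= self.hold_seconds:
                conn.close()
                del self.held[conn]
                self.released.append((peer, now - since))

    def close(self):
        for conn in self.held:
            conn.close()
        self.held.clear()
        self.selector.close()
        self.listener.close()


if __name__ == "__main__":
    pit = Tarpit(port=8080)  # constructed port for a local run
    print("tarpit listening on", pit.address)
    while True:
        pit.step()
```

The `released` list records how long each peer was held, which is the figure to watch when judging whether the tarpit is slowing scanners down.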


