RE: LaBrea tarpit info and URL

From: Patrick Greenwell []
Sent: Sunday, August 19, 2001 6:01 PM

> From: "Tom Liston" <> (by way of Matt Fearnow
> <>)
> Subject: [unisog] New tool: LaBrea
> To:
> OK folks, the time has come to fight back...
> Following up on my original work on CodeRedneck, I'm pleased to announce a
> new tool to let us *ethically* take a stand. Come on... let's build us
> some tarpits.

Yawn. So someone adds a timeout to their scanner/worm/whatever. "Problem"

Didn't we try something like this wrt email address scanners? Only in that
case, we actually tried to poison them. I don't believe that worked very
well either. In addition, it melts down the saint runs you do to manage your
own networks. For various sizes of LANs, this is a problem.

However, a tcp_wrappers booby-trap mightn't be such a bad idea. It detects
a scan from outside the net-block and tries its level best to return the
favor with a saint run, reporting whatever it finds. Of course, one needs a
solution for the deadly-embrace problem. Once CodeRed infestation is
confirmed, one has a variety of options.

1) Send demand letter to infested host's owner, to cease and desist.
2) Raise automated blocks, for that host, at your border (adaptive
3) Use the CodeRed backdoor to force that host to shut down, or worse.

However, LaBrea seems useless.