By using ltpstat [1] I've been able to see that the LaBrea tarpit [2] isn't quite as effective as I first thought. Yes, it does slow down scans, but not quite as much as one thinks. I'm guessing that scanning software now includes the “timeout” concept—if a connection takes too long, drop the connection and move on.
A few days ago I added a feature to ltpstat to remove entries that have not seen any activity for over an hour (default setting). After running the tarpit for over a day, I see the following stats:
>
```
Jan 27 01:57:08 ltp ltp-report: Start: Wed Jan 25 17:27:55 2006 End: Fri Jan 27 01:57:08 2006 Running time: 1d 8h 29m 13s
Jan 27 01:57:08 ltp ltp-report: Pool-max: 1048576
Jan 27 01:57:08 ltp ltp-report: Pool-num: 107287
Jan 27 01:57:08 ltp ltp-report: Rec-max: 1048576
Jan 27 01:57:08 ltp ltp-report: Rec-num: 107287
Jan 27 01:57:08 ltp ltp-report: UIP-max: 1048576
Jan 27 01:57:08 ltp ltp-report: UIP-num: 2558
Jan 27 01:57:08 ltp ltp-report: Reported-bandwidth: 32 (Kb/sec)
```
Okay, I've “captured” 107,287 connections. But how many of those are still active?
>
```
Jan 27 01:58:32 ltp ltp-report: Removing records with no activity for the past 1h
Jan 27 01:58:32 ltp ltp-report: ... keeping 11180 records with activity since Fri Jan 27 00:58:31 2006
```
Well then. Over 96,000 connections were no longer “active” and of the 2,558 machines doing the scanning, some 2,200 had moved on.
So it looks like the LaBrea tar pit is really only useful to see what's being attacked, and which machines on the Internet are really doing the attacking (so far, 24.73.129.197 seems to be quite tenacious in scanning).
And the ports being scanned? Again, it's the Microsoft specific ports as usual. No use making a chart this time.