It's been a while since I last reported [1] on the Labrea Tarpit [2] we're running. In the almost two months since I've mentioned it, it's just been sitting on a shelf, tarpitting away. As I reported back then, it seems that it's more effective at telling us what's attacking us (IP (Internet Protocol) address) and where (port number) than actually slowing down the attacks.
Yesterday, Dan the Network Engineer asked if he could get regular reports of what IP addresses are hitting us hard. So I modified ltpstat [3] to generate the requested information (I'm not bothering to mask the offending IP addresses):
Table: Attacking IP addresses

IP Address        Number of “connections”
------------------------------
81.248.42.133     7207
160.79.143.98      846
59.21.72.1         691
216.48.7.19        552
82.76.161.38       487
217.132.178.97     484
193.15.92.167      421
66.131.62.208      370
64.182.81.74       329
216.82.220.172     323
------------------------------
I also had it generate a list of ports being attacked. Again, nothing surprising here:
Table: Top 6 ports captured by Labrea since the last purge

Port #   Port description                                   # connections
------------------------------
4899     Remote Administration [4]                          8,892
139      NetBIOS (Basic Input/Output System) Session Service 5,081
1433     Microsoft SQL (Standard Query Language) Server     1,644
135      Microsoft-RPC (Remote Procedure Call) service      1,071
445      Microsoft-DS (Directory Service?) Service            914
80       Hypertext Transfer Protocol                          850
------------------------------
(Just a note—I was able to generate this data from the existing reports that ltpstat generated, but pulling just this information out of said reports required at least three processes per report. It was just as easy to have just the information required for this to be generated by ltpstat itself)
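The kind of aggregation ltpstat was modified to do, as an added example that is not ltpstat's own code: it parses tarpit connect lines straight from the log and emits the top-attacker and top-port tables, plus the over-threshold list a network engineer would feed into an automated block. The log line format and the sample lines are constructed for this example and are only assumed to resemble LaBrea's output.

```python
import re
from collections import Counter

# Assumed line format (constructed for this example, not verified against LaBrea):
#   <epoch> Initial Connect (tarpitting): <src_ip> <src_port> -> <dst_ip> <dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+Initial Connect \(tarpitting\):\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s*$"
)

# Constructed sample log; the source addresses and ports echo the tables above.
SAMPLE_LOG = """\
1170000000 Initial Connect (tarpitting): 81.248.42.133 3421 -> 192.0.2.10 4899
1170000001 Initial Connect (tarpitting): 81.248.42.133 3422 -> 192.0.2.11 4899
1170000002 Initial Connect (tarpitting): 160.79.143.98 1025 -> 192.0.2.12 139
1170000003 Initial Connect (tarpitting): 81.248.42.133 3423 -> 192.0.2.13 1433
1170000004 Initial Connect (tarpitting): 59.21.72.1 2000 -> 192.0.2.14 4899
this line is malformed and must be skipped, not counted
1170000005 Initial Connect (tarpitting): 160.79.143.98 1026 -> 192.0.2.15 445
"""

def parse_connections(text):
    """Yield (src_ip, dst_port) for each well-formed tarpitted connect line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                      # silently drop lines that do not match
            yield m.group("src"), int(m.group("dport"))

def top_sources(text, n=10):
    """Attacking IPs ranked by number of tarpitted 'connections'."""
    return Counter(src for src, _ in parse_connections(text)).most_common(n)

def top_ports(text, n=6):
    """Destination ports ranked by number of tarpitted 'connections'."""
    return Counter(port for _, port in parse_connections(text)).most_common(n)

def block_candidates(text, threshold):
    """Sorted IPs at or above the threshold, suitable for an automated block list."""
    return sorted(ip for ip, c in top_sources(text, n=None) if c >= threshold)

def report(text, threshold=2):
    """Render the two tables and the block-candidate list as plain text."""
    lines = ["IP Address         # connections", "-" * 30]
    lines += [f"{ip:<18} {c:>6}" for ip, c in top_sources(text)]
    lines += ["", "Port #   # connections", "-" * 30]
    lines += [f"{port:<8} {c:>6}" for port, c in top_ports(text)]
    lines += ["", "Block candidates: " + ", ".join(block_candidates(text, threshold))]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```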
Dan the Network Engineer is planning on taking these reports and automatically blocking the offending IP addresses from scanning our network. Should be a pretty sweet setup once it gets going.