[HN Gopher] Scanners Beware: Welcome to the network from hell
___________________________________________________________________
Scanners Beware: Welcome to the network from hell
Author : vailunka
Score : 56 points
Date : 2024-12-16 11:15 UTC (1 days ago)
(HTM) web link (medium.com)
(TXT) w3m dump (medium.com)
| CliveBloomers wrote:
| What is this doing?
| oherrala wrote:
| TL;DR A tarpit that detects network-wide scans (e.g. nmap) and
| starts to slow down the scanning as much as possible by
| intercepting the scanning.
| CliveBloomers wrote:
| Thanks, the article did not make this clear.
| ssklash wrote:
| Notably this only works on internal networks that rely on ARP at
| layer 2.
| Faaak wrote:
| Yeah, I get they mixed up how arp works.. For requests on the
| same L2, and just TCP replies. When you connect to another
| network you'll never send/receive arps..
| raddan wrote:
| In what way did they "mix up how arp works"? They say
|
| > That's where our solution comes in -- a solution designed
| specifically for internal networks, one that doesn't just
| defend but creates chaos for attackers.
| bc569a80a344f9c wrote:
| Agreed. They're quite clear about what this is and how it
| works.
|
| It's just usually tremendously impractical to extend the
| tar pit to all your layer 2 domains in many modern network
| architectures, so while this is interesting, it's unlikely
| to see production use.
| krunck wrote:
| I have fond memories of running Labrea during the Code Red worm
| days (2001).
| halz wrote:
| Somewhat reminds me of a project out of IBM some years back:
| "Billy Goat"
| https://dominoweb.draco.res.ibm.com/reports/rz3609_revised.p...
| (bummer, looks like the site certificate expired a few days ago.. sign
| of the times for IBM, eh).
| waterproof wrote:
| > Most scanners send three requests per IP address. Our solution
| observes the first two requests to check if a device exists at
| that IP
|
| So all an attacker has to do to avoid the tarpit is reduce their
| retries to 2? And they can detect all your fake devices by seeing
| who responds on the 3rd try?
|
| I get that this is just one step in the cat-and-mouse game, but
| the brittleness of this approach makes the grandiose closing
| statements a little grating:
|
| > Lightweight yet powerful, it empowers you to take control of
| your network security with minimal effort.
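
Added example (not from the article, the linked project, or any commenter): the observe-two-requests step quoted in the last comment, sketched as a small state machine over ARP events. The class and function names, the fake MAC and the sample events are constructed for illustration; the threshold of two observed requests comes from the quoted sentence, and the tarpit's own replies are assumed never to be fed back into `on_reply`.

```python
from collections import defaultdict

FAKE_MAC = "02:00:00:00:00:01"  # constructed, locally administered address

class ArpTarpit:
    """Decision logic only: nothing is sniffed or sent on the wire."""
    def __init__(self, observe=2):
        self.observe = observe              # requests watched before answering
        self.unanswered = defaultdict(int)  # target IP -> who-has seen, no reply
        self.real = set()                   # IPs a genuine host answered for
        self.fake = set()                   # IPs the tarpit has claimed

    def on_reply(self, sender_ip):
        """A genuine is-at reply was seen: the IP is occupied, never claim it."""
        self.real.add(sender_ip)
        self.unanswered.pop(sender_ip, None)
        self.fake.discard(sender_ip)        # release it if claimed earlier

    def on_request(self, target_ip):
        """Return the MAC to answer with, or None to stay silent."""
        if target_ip in self.real:
            return None
        if target_ip in self.fake:
            return FAKE_MAC
        self.unanswered[target_ip] += 1
        if self.unanswered[target_ip] > self.observe:
            self.fake.add(target_ip)        # first `observe` requests went unanswered
            return FAKE_MAC
        return None

def replay(events, tarpit=None):
    """Feed (kind, ip) events through the tarpit; return its answers and state."""
    tarpit = tarpit or ArpTarpit()
    answers = []
    for kind, ip in events:
        if kind == "reply":
            tarpit.on_reply(ip)
        else:
            mac = tarpit.on_request(ip)
            if mac:
                answers.append((ip, mac))
    return answers, tarpit

# Constructed capture: 10.0.0.5 is a live host, 10.0.0.9 is an unused address.
SAMPLE = [
    ("request", "10.0.0.5"), ("reply", "10.0.0.5"),
    ("request", "10.0.0.9"), ("request", "10.0.0.9"), ("request", "10.0.0.9"),
    ("request", "10.0.0.5"),
]
```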
___________________________________________________________________
(page generated 2024-12-17 23:00 UTC)