Tarpits for Microsoft Worms

Digital_Quartz writes: "Wired News is reporting on a clever little tool by Tom Liston called LaBrea which uses unused IP addresses on a network to create virtual computers for worms and hackers to attack. LaBrea responds to requests in such a way as to keep the connection open forever, creating a "tarpit" in which worms like Code Red will get "stuck"."

LaBrea is not the solution

[davidu]

Tools like LaBrea are cool, but aren't more then hacks. By wasting the TCP timeout on these worms it just forces the next worm writer to create a multi-threaded worm which would instantly be immune to such a defense.

A better defense, which I admit is more costly in terms of CPU is to run border IDS systems and simply have rulesets to filter this kind of traffic out.

For Example: Here is a snort ruleset for Nimba and Codered and possibly other worm varients against Windows OS's:
alert tcp any any -> any 80 (content: "cmd.exe";msg: "cmd.exe access in HTTP!!";react: block;)
alert tcp any any -> any 80 (content: "root.exe";msg: "root.exe access in HTTP!!";react: block;)

If you're running BigIP switches:
rule block_nimda {
if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
discard
} else {
use ( server_pool)
}
}

The point is...
It's better to stop these things on border routers and on the edges of Lan's then on individual machines or IPs. LaBrea does nothing to protect other machines aside from slowing down the worm which is almost futile.

Just my $.02,
dave