Date: Wed, 8 Sep 2004 08:55:37 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Mike Galvez" <hoosyerdaddy@virginia.edu>
Cc: freebsd-questions@freebsd.org
Subject: RE: Tar pitting automated attacks
Message-ID: <LOBBIFDAGNMAMLGJJCKNGEEGEPAA.tedm@toybox.placo.com>
In-Reply-To: <20040908145459.GA19090@humpty.finadmin.virginia.edu>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Galvez
> Sent: Wednesday, September 08, 2004 7:55 AM
> To: Ted Mittelstaedt
>
> >
> > If you successfully erect a network block, the cracker's software
> > will just go to the next IP in the sequence to attack. You're actually
> > doing more damage to the cracker's distributed network by your SSH
> > server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand
> > times, because that ties the cracked PC up for a lot longer just working
> > away at your system.
>
> This is why I was curious about tar-pitting. The attacker is banging away
> at common user accounts every 3 to 5 seconds, sometimes more than
> a thousand times. A tar pit or something like it could slow the attack
> to maybe four attempts in an hour as opposed to a thousand.
>

No, it won't, because the attackers know they are unloved, and they
use scanning software that will abandon the attempt after a settable
timeout. Try running Nessus sometime against a tarpitted IP.

Tarpits were fine against extremely unsophisticated software but the
war has moved on.

Ted