From owner-freebsd-questions@FreeBSD.ORG Wed Sep 8 15:55:50 2004
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Mike Galvez"
cc: freebsd-questions@freebsd.org
Date: Wed, 8 Sep 2004 08:55:37 -0700
Subject: RE: Tar pitting automated attacks
In-Reply-To: <20040908145459.GA19090@humpty.finadmin.virginia.edu>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Galvez
> Sent: Wednesday, September 08, 2004 7:55 AM
> To: Ted Mittelstaedt
>
> > If you successfully erect a network block, the cracker's software
> > will just go to the next IP in the sequence to attack. You're actually
> > doing more damage to the cracker's distributed network by your SSH
> > server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand
> > times, because that ties the cracked PC up for a lot longer just working
> > away at your system.
>
> This is why I was curious about tar-pitting. The attacker is banging away
> at common user accounts every 3 to 5 seconds, sometimes more than a thousand
> times. A tar pit or something like it could slow the attack to maybe four
> attempts in an hour as opposed to a thousand.
>

No it won't, because the attackers know they are unloved, and they use
scanning software that will abandon the attempt after a settable timeout.
Try running Nessus sometime against a tarpitted IP. Tarpits were fine
against extremely unsophisticated software, but the war has moved on.

Ted
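Whatever one decides about tar-pitting, the pattern Mike describes (one source hammering common usernames every few seconds, hundreds or thousands of times) is easy to pick out of sshd logs. The following is an added example, not code from the thread; the log lines, hostname, addresses and thresholds are all constructed.

```python
"""Flag brute-force SSH sources from syslog-style sshd lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Classic sshd failure line; syslog omits the year, so one is assumed below.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_failures(lines, year=2004):
    """Return {source_ip: [(timestamp, username), ...]} in log order."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["user"]))
    return by_ip

def brute_force_sources(lines, min_failures=5, max_interval=10.0):
    """Sources with >= min_failures failures whose median spacing is at most
    max_interval seconds; also reports the distinct usernames tried."""
    flagged = {}
    for ip, events in parse_failures(lines).items():
        if len(events) < max(min_failures, 2):  # need >= 2 events for a gap
            continue
        gaps = sorted((b[0] - a[0]).total_seconds()
                      for a, b in zip(events, events[1:]))
        median_gap = gaps[len(gaps) // 2]
        if median_gap <= max_interval:
            flagged[ip] = {"failures": len(events), "median_gap_s": median_gap,
                           "usernames": sorted({u for _, u in events})}
    return flagged

# Constructed sample: one scanner at 203.0.113.7 cycling through common
# accounts every 3-5 seconds, plus a legitimate user's two typos and a success.
SAMPLE_LOG = [
    "Sep  8 08:50:00 host1 sshd[1201]: Failed password for mike from 198.51.100.20 port 51230 ssh2",
    "Sep  8 08:51:10 host1 sshd[1203]: Failed password for mike from 198.51.100.20 port 51231 ssh2",
    "Sep  8 08:52:00 host1 sshd[1205]: Accepted publickey for mike from 198.51.100.20 port 51234 ssh2",
    "Sep  8 08:55:01 host1 sshd[1301]: Failed password for root from 203.0.113.7 port 40211 ssh2",
    "Sep  8 08:55:05 host1 sshd[1302]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2",
    "Sep  8 08:55:08 host1 sshd[1303]: Failed password for invalid user test from 203.0.113.7 port 40213 ssh2",
    "Sep  8 08:55:13 host1 sshd[1304]: Failed password for invalid user guest from 203.0.113.7 port 40214 ssh2",
    "Sep  8 08:55:17 host1 sshd[1305]: Failed password for invalid user oracle from 203.0.113.7 port 40215 ssh2",
    "Sep  8 08:55:21 host1 sshd[1306]: Failed password for root from 203.0.113.7 port 40216 ssh2",
]

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(ip, info)
```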