Date:      Thu, 9 Sep 2004 08:00:31 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        <m.hauber@mchsi.com>, <freebsd-questions@freebsd.org>
Subject:   RE: Tar pitting automated attacks
Message-ID:  <LOBBIFDAGNMAMLGJJCKNGEEHEPAA.tedm@toybox.placo.com>
In-Reply-To: <200409081235.20615.m.hauber@mchsi.com>



> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Hauber
> Sent: Wednesday, September 08, 2004 9:35 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: Tar pitting automated attacks
> 
> 
> I realize this is probably a dumb question (I quietly drop 
> everything incoming unless it's keep-state, and I only 
> allow ssh internally)...
> 
> If you're needing to ssh to your machine from a limited 
> range of IPs, then why not tell your PF to drop incoming 
> unless it's within that range?

Yes, that is how it is usually done.  But the OP's goal was
to tie up the attacker's resources so the attacker cannot go
and bang on other people.

Blocking access to the ssh port to most of the Internet actually
helps the attacker, because the attacker will attempt to open
a connection, and 5 minutes later when the connection open has
still not completed, the attacker will mark off that IP and continue
onto attacking the next person.

So it comes down to what do you want - if you want to clean your
logs and not be attacked, then use port filtering, otherwise
if you want to waste attackers' resources, make sure your ssh port
is available, and use good passwords so an attack won't succeed.

Tarpitting is equivalent to port filtering from the attacker's
point of view - they know how to detect a tar pit and will move
on and not get stuck in it.

Ted
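The port-filtering approach from the quoted question, as an added example that is not part of the original thread: a pf.conf fragment that silently drops all inbound traffic except ssh from a listed set of source addresses, with stateful matching. The interface name and the address ranges are assumed placeholders.

```pf
# Added example, not from the thread: restrict inbound ssh to known sources.
# "em0" and the addresses below are placeholders; substitute your own.
ext_if = "em0"

# Constructed sample ranges; list the networks you actually ssh in from.
table <ssh_allowed> const { 192.0.2.0/24, 198.51.100.10 }

set skip on lo0
scrub in on $ext_if all

# Default policy: drop everything inbound without sending RST or ICMP back.
block drop in on $ext_if all

# Traffic originating from this host is allowed; state lets replies return.
pass out on $ext_if all keep state

# Only the listed sources reach sshd; anything else hits the block above.
pass in quick on $ext_if proto tcp from <ssh_allowed> to ($ext_if) port ssh \
    flags S/SA keep state
```

Because the default rule is `block drop` rather than `block return`, an unlisted source never gets a response and its connection attempt simply times out, which is the behaviour Ted describes above.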



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNGEEHEPAA.tedm>