From: Nagilum
To: Jonathan Chen
cc: freebsd-questions@FreeBSD.ORG, Mike Galvez
Subject: Re: Tar pitting automated attacks
Date: Fri, 10 Sep 2004 21:20:44 +0200
Message-ID: <4141FE8C.7080604@nagilum.org>
In-Reply-To: <20040908025940.GA12835@grimoire.chen.org.nz>
References: <20040907134216.GB14884@humpty.finadmin.virginia.edu> <20040908025940.GA12835@grimoire.chen.org.nz>

Jonathan Chen wrote:
> On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
>
>> Is there a method to make this more expensive to the attacker, such as tar-pitting?
>
> Put in an ipfw block on the netblock/country. At the very least it will
> make it pretty slow for the initial TCP handshake.
>
> Cheers.

I don't know how this particular scanner works, but if I were to write a scanner which is supposed to scan as many hosts as possible as quickly as possible, I would simply start sending out SYNs as fast as I can, or as fast as my master told me, without tracking which hosts I sent one to (just count upwards or something like that). Then I would simply collect those hosts that do respond with an ACK and put only them in the queue for further processing. Whether your host sends a nak or nothing is the same to me. So I don't think a block will cause any significant harm to these attacks.