Date: Fri, 10 Sep 2004 21:20:44 +0200
From: Nagilum <freebsd@nagilum.org>
To: Jonathan Chen <jonc@chen.org.nz>
Cc: Mike Galvez <hoosyerdaddy@virginia.edu>
Subject: Re: Tar pitting automated attacks
Message-ID: <4141FE8C.7080604@nagilum.org>
In-Reply-To: <20040908025940.GA12835@grimoire.chen.org.nz>
References: <20040907134216.GB14884@humpty.finadmin.virginia.edu> <20040908025940.GA12835@grimoire.chen.org.nz>

Jonathan Chen wrote:

>On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
>
>>Is there a method to make this more expensive to the attacker, such as tar-pitting?
>
>Put in an ipfw block on the netblock/country. At the very least it will
>make it pretty slow for the initial TCP handshake.
>
>Cheers.

I don't know how this particular scanner works, but if I were to write a scanner which is supposed to scan as many hosts as possible as quickly as possible, I would simply start sending out SYNs as fast as I can or as my master told me, without tracking to which hosts I sent one (just do a count upwards or something like that). Then I would simply collect those hosts that do respond with an ACK and put only them in the queue for further processing. Whether your host sends a NAK or nothing is the same to me. So I don't think a block will cause any significant harm to these attacks.