From owner-freebsd-questions@FreeBSD.ORG Wed Sep 8 08:19:30 2004
From: "Ted Mittelstaedt" (envelope-from tedm@toybox.placo.com)
To: "Mike Galvez", freebsd-questions@freebsd.org
Date: Wed, 8 Sep 2004 01:19:15 -0700
In-Reply-To: <20040907134216.GB14884@humpty.finadmin.virginia.edu>
Subject: RE: Tar pitting automated attacks

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Galvez
> Sent: Tuesday, September 07, 2004 6:42 AM
> To: freebsd-questions@freebsd.org
> Subject: Tar pitting automated attacks
>
>
> Is there a method to make this more expensive to the attacker,
> such as tar-pitting?
>

No. These days attackers use distributed networks of cracked PCs to launch attacks. The vast bulk of these attacks is automated. The cracker merely feeds in a job and pushes it to his network to work away at.
Most of the time the cracker spends is in adding new machines that have vulnerabilities into his distributed network of cracked PCs.

If you successfully erect a network block, the cracker's software will just go to the next IP in the sequence to attack. You're actually doing more damage to the cracker's distributed network by your SSH server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand times, because that ties the cracked PC up for a lot longer just working away at your system. I presume of course that you aren't using guessable passwords and you have everything patched to current levels.

If you want to do damage to the attacker, you need to make a good effort at reporting the source IP numbers to the netblock managers the IP is part of. Granted, 3/4 of the time the netblock managers won't do anything about it. But whenever they do, it usually takes that cracked PC out of the distributed network. That is what costs the cracker, because then the cracker has to expend work replacing it with another cracked PC.

But, it is a lot like trying to pick up spilled spaghetti with tweezers. There's so many cracked PCs out there that as soon as you get one taken down, there's plenty more where that came from.

Now, if you REALLY want to damage the attacker, you throw the works at the IP numbers that are scanning you, and find the back door that the cracker is using on those hosts, then go in and hard-code the homepage on their web browser to something like http://www.fuckyou.com, making sure to use one of those cracker programs that makes it impossible for them to change it back. That is usually sufficient to get the owner of the cracked PC off their lazy ass to get their machine cleaned up.

Ted
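The reporting step Ted recommends (collect the source IPs behind the thousands of rejected SSH logins and send them to the netblock's abuse contact) starts with pulling per-source statistics out of the sshd log. The script below is an added example, not part of Ted's post or anything from the FreeBSD project: it parses constructed auth.log lines in the FreeBSD syslog/sshd style (addresses from the RFC 5737 documentation ranges, so not a real capture), aggregates failures per source address, drops sources that cannot be reported to anyone (RFC 1918, loopback, link-local), and drafts the text of an abuse report. The hostname `host.example.net`, the threshold of 3 failures and the message wording are assumptions; real sshd log wording also varies by version, so the regex may need adjusting on a live system.

```python
"""Aggregate sshd login rejections per source IP and draft abuse reports.

Added example; the log lines are constructed, not a real capture.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log entries (RFC 5737 documentation
# addresses plus one RFC 1918 address); not taken from any real system.
SAMPLE_LOG = """\
Sep  7 06:40:01 host sshd[14001]: Failed password for illegal user admin from 203.0.113.5 port 4021 ssh2
Sep  7 06:40:03 host sshd[14002]: Failed password for illegal user test from 203.0.113.5 port 4022 ssh2
Sep  7 06:40:05 host sshd[14003]: Failed password for root from 203.0.113.5 port 4023 ssh2
Sep  7 06:41:10 host sshd[14010]: Failed password for illegal user guest from 198.51.100.77 port 51022 ssh2
Sep  7 06:41:12 host sshd[14011]: Illegal user oracle from 198.51.100.77
Sep  7 06:42:00 host sshd[14020]: Accepted publickey for ted from 192.0.2.10 port 50011 ssh2
Sep  7 06:42:30 host sshd[14021]: Failed password for bob from 10.0.0.9 port 33001 ssh2
Sep  7 06:43:00 host sshd[14022]: Failed password for illegal user admin from 203.0.113.5 port 4030 ssh2
"""

# Matches the two rejection forms in the sample ("Failed password for ..."
# and "Illegal user ..."); successful logins deliberately do not match.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:illegal user )?(?P<user>\S+)"
    r"|Illegal user (?P<user2>\S+)) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Ranges with no external abuse contact. Listed explicitly rather than via
# ipaddress.is_global because that would also exclude the documentation
# ranges used in the sample above.
UNREPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_failures(log_text):
    """Return {ip: {"count", "users", "first", "last"}} for rejected logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set(),
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["count"] += 1
        entry["users"].add(m.group("user") or m.group("user2"))
        entry["first"] = entry["first"] or m.group("ts")
        entry["last"] = m.group("ts")  # lines are assumed in log order
    return dict(stats)


def reportable(stats, threshold=3):
    """Sources with at least `threshold` failures that someone can act on."""
    out = {}
    for ip, entry in stats.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in UNREPORTABLE):
            continue  # private/reserved: nobody upstream to report it to
        if entry["count"] >= threshold:
            out[ip] = entry
    return out


def draft_report(ip, entry, victim="host.example.net"):
    """Plain-text body for the netblock's abuse contact (assumed wording).

    syslog timestamps carry no year or timezone, so a real report should add
    both; they are taken verbatim here.
    """
    users = ", ".join(sorted(entry["users"]))
    return "\n".join([
        f"Subject: SSH brute-force from {ip} against {victim}",
        "",
        f"Between {entry['first']} and {entry['last']}, {ip} made "
        f"{entry['count']} failed SSH login attempts against {victim}, "
        f"trying {len(entry['users'])} account name(s): {users}.",
        "The source is most likely a compromised machine; please notify "
        "its owner.",
    ])


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    for ip, entry in reportable(stats).items():
        print(draft_report(ip, entry))
        print()
```

On the sample, only 203.0.113.5 clears the threshold; 198.51.100.77 has two rejections and 10.0.0.9 is filtered as private. To find the netblock's abuse contact for a reportable address, query the registry (for example `whois 203.0.113.5` on FreeBSD) and send the drafted text to the abuse mailbox listed there; the script deliberately does no network lookups itself.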