Date: Wed, 8 Sep 2004 10:54:59 -0400 From: Mike Galvez <hoosyerdaddy@virginia.edu> To: Ted Mittelstaedt <tedm@toybox.placo.com> Cc: freebsd-questions@freebsd.org Subject: Re: Tar pitting automated attacks Message-ID: <20040908145459.GA19090@humpty.finadmin.virginia.edu> In-Reply-To: <LOBBIFDAGNMAMLGJJCKNCEEGEPAA.tedm@toybox.placo.com> References: <20040907134216.GB14884@humpty.finadmin.virginia.edu> <LOBBIFDAGNMAMLGJJCKNCEEGEPAA.tedm@toybox.placo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Sep 08, 2004 at 01:19:15AM -0700, Ted Mittelstaedt wrote: > > > > -----Original Message----- > > From: owner-freebsd-questions@freebsd.org > > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Galvez > > Sent: Tuesday, September 07, 2004 6:42 AM > > To: freebsd-questions@freebsd.org > > Subject: Tar pitting automated attacks > > > > > > Is there a method to make this more expensive to the attacker, > > such as tar-pitting? > > > > No. These days attackers use distributed networks of cracked PCs > to launch attacks. The vast bulk of these attacks is automated. > The cracker merely feeds in a job and pushes it to his network to > work away at. Most of the time the cracker spends is in adding new > machines that have vulnerabilities into his distributed network of > cracked PCs > > If you successfully erect a network block, the cracker's software > will just go to the next IP in the sequence to attack. Your actually > doing more damage to the cracker's distributed network by your SSH > server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand > times, because that ties the cracked PC up for a lot longer just working > away at your system. This is why I was curious about tar-pitting. The attacker is banging away at common user accounts every 3 to 5 seconds sometimes more than a thousand times. A tar pit or something like it could slow the attack to maybe four attempts in an hour as opposed to a thousand. I am still looking for my passive-aggressive solution. I presume of course that you aren't using guessible > passwords and you have everything patched to current levels. > > if you want to do damage to the attacker, you need to > make a good effort at reporting the source IP numbers to the netblock > managers the IP is part of. Granted, 3/4 of the time the netblock > managers won't do anything about it. Reporting these to ISPs is like shouting at the ocean. They are most likely overwhelmed, indifferent or both. But whenever they do, it usually > takes that cracked PC out of the distributed network. That is what > costs the cracker because then the cracker has to expend > work replacing it with another cracked PC. > > But, it is a lot like trying to pick up spilled spaghetti with tweezers. > There's so many cracked PC's out there that as soon as you get one > taken down, there's plenty more where that came from. > > Now, if you REALLY want to damage the attacker, you throw the works at > the IP numbers that are scanning you, and find the back door that the > cracker is using on those hosts, then go in and hard-code the homepage > on their web broswer to something like http://www.fuckyou.com, making sure > to use one of those cracker programs that makes it impossible for them > to change it back. That is usually sufficient to get the owner of the > cracked PC off their lazy ass to get their machine cleaned up. > > Ted > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" -- Michael Galvez Information Technology Specialist University of Virginia USENIX Member
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040908145459.GA19090>