From: Mike Galvez
To: Ted Mittelstaedt
cc: freebsd-questions@freebsd.org
Date: Wed, 8 Sep 2004 10:54:59 -0400
Subject: Re: Tar pitting automated attacks
Message-ID: <20040908145459.GA19090@humpty.finadmin.virginia.edu>
References: <20040907134216.GB14884@humpty.finadmin.virginia.edu>

On Wed, Sep 08, 2004 at 01:19:15AM -0700, Ted Mittelstaedt wrote:
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike Galvez
> > Sent: Tuesday, September 07, 2004 6:42 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Tar pitting automated attacks
> >
> > Is there a method to make this more expensive to the attacker,
> > such as tar-pitting?
> >
> No. These days attackers use distributed networks of cracked PCs
> to launch attacks. The vast bulk of these attacks is automated.
> The cracker merely feeds in a job and pushes it to his network to
> work away at. Most of the time the cracker spends is in adding new
> machines that have vulnerabilities into his distributed network of
> cracked PCs.
>
> If you successfully erect a network block, the cracker's software
> will just go to the next IP in the sequence to attack. You're actually
> doing more damage to the cracker's distributed network by your SSH
> server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand
> times, because that ties the cracked PC up for a lot longer just working
> away at your system.

This is why I was curious about tar-pitting. The attacker is banging away at
common user accounts every 3 to 5 seconds, sometimes more than a thousand
times. A tar pit or something like it could slow the attack to maybe four
attempts in an hour as opposed to a thousand. I am still looking for my
passive-aggressive solution.

> I presume of course that you aren't using guessable
> passwords and you have everything patched to current levels.
>
> If you want to do damage to the attacker, you need to
> make a good effort at reporting the source IP numbers to the netblock
> managers the IP is part of. Granted, 3/4 of the time the netblock
> managers won't do anything about it.

Reporting these to ISPs is like shouting at the ocean. They are most likely
overwhelmed, indifferent or both.

> But whenever they do, it usually
> takes that cracked PC out of the distributed network. That is what
> costs the cracker because then the cracker has to expend
> work replacing it with another cracked PC.
>
> But, it is a lot like trying to pick up spilled spaghetti with tweezers.
> There are so many cracked PCs out there that as soon as you get one
> taken down, there's plenty more where that came from.
>
> Now, if you REALLY want to damage the attacker, you throw the works at
> the IP numbers that are scanning you, and find the back door that the
> cracker is using on those hosts, then go in and hard-code the homepage
> on their web browser to something like http://www.fuckyou.com, making sure
> to use one of those cracker programs that makes it impossible for them
> to change it back. That is usually sufficient to get the owner of the
> cracked PC off their lazy ass to get their machine cleaned up.
>
> Ted
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Michael Galvez
Information Technology Specialist
University of Virginia
USENIX Member
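On the question of slowing a password-guessing source from a thousand attempts an hour to a handful, the following Python is an added example, not code from this thread or from FreeBSD: it parses constructed sshd "Failed password" syslog lines, flags sources whose failures cross a sliding-window threshold (the kind of list a firewall block table is fed from), and simulates what a per-source tar pit admitting four attempts per rolling hour would let through. Every log line, address and username below is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not from the thread): common accounts probed every ~4 s.
SAMPLE_LOG = """\
Sep  7 06:42:01 humpty sshd[19001]: Failed password for illegal user admin from 192.0.2.10 port 4021 ssh2
Sep  7 06:42:05 humpty sshd[19002]: Failed password for illegal user test from 192.0.2.10 port 4022 ssh2
Sep  7 06:42:09 humpty sshd[19003]: Failed password for root from 192.0.2.10 port 4023 ssh2
Sep  7 06:42:13 humpty sshd[19004]: Failed password for illegal user guest from 192.0.2.10 port 4024 ssh2
Sep  7 06:42:17 humpty sshd[19005]: Failed password for illegal user user from 192.0.2.10 port 4025 ssh2
Sep  7 06:43:40 humpty sshd[19011]: Accepted password for alice from 198.51.100.7 port 50111 ssh2
"""
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2004):
    """Return (timestamp, source_ip, username) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def brute_force_sources(events, window=timedelta(seconds=60), threshold=5):
    """Source IP -> peak failures inside any sliding window, for sources at/over threshold."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def tarpit_admitted(attempt_times, per_hour=4):
    """Attempts let through when at most per_hour from one source pass in any rolling hour."""
    admitted, total = deque(), 0
    for t in sorted(attempt_times):
        while admitted and t - admitted[0] >= timedelta(hours=1):
            admitted.popleft()  # an hour-old admission frees a slot
        if len(admitted) < per_hour:
            admitted.append(t)
            total += 1
    return total
```

Feeding `brute_force_sources` a real auth log gives the addresses to put in a firewall table; `tarpit_admitted` with 900 attempts four seconds apart returns 4, the figure Mike was hoping for.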