Tar pitting automated attacks

Mike Galvez hoosyerdaddy at virginia.edu
Wed Sep 8 07:56:07 PDT 2004


On Wed, Sep 08, 2004 at 01:19:15AM -0700, Ted Mittelstaedt wrote:
> 
> 
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mike Galvez
> > Sent: Tuesday, September 07, 2004 6:42 AM
> > To: freebsd-questions at freebsd.org
> > Subject: Tar pitting automated attacks
> > 
> > 
> > Is there a method to make this more expensive to the attacker, 
> > such as tar-pitting?
> > 
> 
> No.  These days attackers use distributed networks of cracked PCs
> to launch attacks.  The vast bulk of these attacks is automated.
> The cracker merely feeds in a job and pushes it to his network to
> work away at.  Most of the time the cracker spends is in adding new
> machines that have vulnerabilities into his distributed network of
> cracked PCs.
> 
> If you successfully erect a network block, the cracker's software
> will just go to the next IP in the sequence to attack.  You're actually
> doing more damage to the cracker's distributed network by your SSH
> server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand
> times, because that ties the cracked PC up for a lot longer just working
> away at your system.

This is why I was curious about tar-pitting. The attacker is banging away
at common user accounts every 3 to 5 seconds sometimes more than a thousand
times. A tar pit or something like it could slow the attack to maybe four
attempts in an hour as opposed to a thousand.

I am still looking for my passive-aggressive solution.

> I presume of course that you aren't using guessable
> passwords and you have everything patched to current levels.
> 
> If you want to do damage to the attacker, you need to
> make a good effort at reporting the source IP numbers to the netblock
> managers the IP is part of.  Granted, 3/4 of the time the netblock
> managers won't do anything about it.

Reporting these to ISPs is like shouting at the ocean. They are most likely
overwhelmed, indifferent or both.

> But whenever they do, it usually
> takes that cracked PC out of the distributed network.  That is what
> costs the cracker because then the cracker has to expend 
> work replacing it with another cracked PC.
> 
> But, it is a lot like trying to pick up spilled spaghetti with tweezers.
> There are so many cracked PCs out there that as soon as you get one
> taken down, there's plenty more where that came from.
> 
> Now, if you REALLY want to damage the attacker, you throw the works at
> the IP numbers that are scanning you, and find the back door that the
> cracker is using on those hosts, then go in and hard-code the homepage
> on their web browser to something like http://www.fuckyou.com, making sure
> to use one of those cracker programs that makes it impossible for them
> to change it back.  That is usually sufficient to get the owner of the
> cracked PC off their lazy ass to get their machine cleaned up.
> 
> Ted
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

-- 
Michael Galvez
Information Technology Specialist     University of Virginia
USENIX Member
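The "four attempts in an hour instead of a thousand" goal described in the message above can be reached on FreeBSD with pf's connection-rate tracking. The rule set below is an added example for this archive page, not something posted in the thread; it assumes pf is enabled, that the external interface is `em0` (a placeholder, substitute your own), and that sshd listens on the standard port.

```pf
# Added example: throttle SSH brute-force sources with pf (assumed interface em0).
ext_if = "em0"

# Table of source addresses that exceeded the connection rate. "persist"
# keeps the table even when no rule currently references an entry.
table <bruteforce> persist

# Drop everything from sources already flagged as brute-forcers.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but only 4 new TCP connections per source address per hour
# (3600 s). A source that exceeds that is added to <bruteforce>, and
# "flush global" tears down every state it already holds on any rule.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 4/3600, overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf`, inspect the table with `pfctl -t bruteforce -T show`, and expire old entries from cron with `pfctl -t bruteforce -T expire 86400` so a blocked address is released after a day. Two caveats matter in practice: the rate counts new TCP connections per source address, not failed logins, so several legitimate users behind one NAT address share the budget; and, as Ted points out, a botnet spreads its attempts across many source addresses, so per-source throttling raises the cost of each individual node but does not stop the campaign. Pair it with key-only authentication and current patches rather than relying on it alone.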

