Tar pitting automated attacks

Ted Mittelstaedt tedm at toybox.placo.com
Wed Sep 8 01:19:30 PDT 2004

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mike Galvez
> Sent: Tuesday, September 07, 2004 6:42 AM
> To: freebsd-questions at freebsd.org
> Subject: Tar pitting automated attacks
> Is there a method to make this more expensive to the attacker, 
> such as tar-pitting?

No.  These days attackers use distributed networks of cracked PCs
to launch attacks.  The vast bulk of these attacks is automated.
The cracker merely feeds in a job and pushes it to his network to
work away at.  Most of the time the cracker spends is in adding new
machines that have vulnerabilities into his distributed network of
cracked PCs.

If you successfully erect a network block, the cracker's software
will just go to the next IP in the sequence to attack.  You're actually
doing more damage to the cracker's distributed network by your SSH
server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand
times, because that ties the cracked PC up for a lot longer just working
away at your system.  I presume of course that you aren't using guessable
passwords and you have everything patched to current levels.

If you want to do damage to the attacker, you need to
make a good effort at reporting the source IP numbers to the netblock
managers the IP is part of.  Granted, 3/4 of the time the netblock
managers won't do anything about it.  But whenever they do, it usually
takes that cracked PC out of the distributed network.  That is what
costs the cracker because then the cracker has to expend 
work replacing it with another cracked PC.

But, it is a lot like trying to pick up spilled spaghetti with tweezers.
There's so many cracked PCs out there that as soon as you get one
taken down, there's plenty more where that came from.

Now, if you REALLY want to damage the attacker, you throw the works at
the IP numbers that are scanning you, and find the back door that the
cracker is using on those hosts, then go in and hard-code the homepage
on their web browser to something like http://www.fuckyou.com, making sure
to use one of those cracker programs that makes it impossible for them
to change it back.  That is usually sufficient to get the owner of the
cracked PC off their lazy ass to get their machine cleaned up.
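The reporting step Ted describes (collecting the source IPs that hammer your sshd and sending them to the netblock's abuse contact) is easy to automate. The following is an added example, not code from the original post or from FreeBSD: it parses OpenSSH "Failed password" syslog lines, counts failures per source IP, lists the worst offenders above a threshold, and produces a plain-text body you can paste into an abuse report. The log lines, hostnames and the threshold value are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH sshd syslog lines (not taken from the original
# post). The "Accepted publickey" line is there to show that successes are ignored.
SAMPLE_LOG = """\
Sep  7 06:40:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Sep  7 06:40:03 host sshd[1203]: Failed password for root from 192.0.2.10 port 40130 ssh2
Sep  7 06:40:04 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 50012 ssh2
Sep  7 06:40:05 host sshd[1207]: Failed password for root from 192.0.2.10 port 40141 ssh2
Sep  7 06:40:09 host sshd[1209]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
Sep  7 06:40:11 host sshd[1211]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as OpenSSH logs them.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(text):
    """Return {ip: {"count": n, "users": set(...)}} for failed password attempts."""
    per_ip = defaultdict(lambda: {"count": 0, "users": set()})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = per_ip[m.group("ip")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return dict(per_ip)


def offenders(per_ip, threshold):
    """Source IPs with at least `threshold` failures, worst first.

    The threshold is an assumed tuning knob; a single mistyped password from a
    legitimate user should not land in an abuse report.
    """
    return sorted(
        ((ip, d["count"]) for ip, d in per_ip.items() if d["count"] >= threshold),
        key=lambda t: (-t[1], t[0]),
    )


def abuse_report(ip, data, target_host):
    """Plain-text body for the netblock's abuse contact (hypothetical wording)."""
    users = ", ".join(sorted(data["users"]))
    return (
        f"Host {target_host} logged {data['count']} failed SSH password attempts "
        f"from {ip} (usernames tried: {users}). Please investigate this machine; "
        f"it appears to be part of an automated brute-force network."
    )


if __name__ == "__main__":
    stats = parse_failed_logins(SAMPLE_LOG)
    for ip, count in offenders(stats, threshold=3):
        print(abuse_report(ip, stats[ip], "example.org"))
```

On a real box, feed it the sshd lines from your syslog (auth facility) instead of SAMPLE_LOG, and look up the abuse contact for each offending IP with the `whois` command before sending the report. As Ted says, most netblock managers will ignore it, but the ones who act take that machine out of the attacker's pool.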


