Tar pitting automated attacks

Ted Mittelstaedt tedm at toybox.placo.com
Wed Sep 8 08:55:50 PDT 2004



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mike Galvez
> Sent: Wednesday, September 08, 2004 7:55 AM
> To: Ted Mittelstaedt
> >
> > If you successfully erect a network block, the cracker's software
> > will just go to the next IP in the sequence to attack.  You're actually
> > doing more damage to the cracker's distributed network by your SSH
> > server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand
> > times, because that ties the cracked PC up for a lot longer just working
> > away at your system.
>
> This is why I was curious about tar-pitting. The attacker is banging away
> at common user accounts every 3 to 5 seconds sometimes more than a
> thousand times. A tar pit or something like it could slow the attack to
> maybe four attempts in an hour as opposed to a thousand.
>

No it won't because the attackers know they are unloved, and they use
scanning software that will abandon the attempt after a settable timeout.

Try running Nessus sometime against a tarpitted IP.  Tarpits were fine
against extremely unsophisticated software but the war has moved on.

Ted


