Tar pitting automated attacks

Ted Mittelstaedt tedm at toybox.placo.com
Thu Sep 9 08:00:36 PDT 2004

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mike Hauber
> Sent: Wednesday, September 08, 2004 9:35 AM
> To: freebsd-questions at freebsd.org
> Subject: Re: Tar pitting automated attacks
> I realize this is probably a dumb question (I quietly drop 
> everything incoming unless it's keep-state, and I only 
> allow ssh internally)...
> If you're needing to ssh to your machine from a limited 
> range of IPs, then why not tell your PF to drop incoming 
> unless it's within that range?

Yes, that is how it is usually done.  But the OP's goal was
to tie up the attacker's resources so the attacker cannot go
and bang on other people.

Blocking access to the ssh port to most of the Internet actually
helps the attacker, because the attacker will attempt to open
a connection, and 5 minutes later when the connection open has
still not completed, the attacker will mark off that IP and continue
onto attacking the next person.

So it comes down to what do you want - if you want to clean your
logs and not be attacked, then use port filtering, otherwise
if you want to waste attackers resources, make sure your ssh port
is available, and use good passwords so an attack won't succeed.

tarpitting is equivalent to port filtering from the attackers
point of view - they know how to detect a tar pit and will move
on and not get stuck in it.


More information about the freebsd-questions mailing list