Tar pitting automated attacks
Nagilum
freebsd at nagilum.org
Fri Sep 10 12:21:20 PDT 2004
Jonathan Chen wrote:
>On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
>
>>Is there a method to make this more expensive to the attacker, such as tar-pitting?
>
>Put in an ipfw block on the netblock/country. At the very least it will
>make it pretty slow for the initial TCP handshake.
>
>Cheers.

I don't know how this particular scanner works, but if I was (to write) a
scanner which is supposed to scan as many hosts as possible as quickly
as possible, I would simply start sending out SYNs as fast as I can or
my master told me, without tracking to which hosts I sent one (just do a
count upwards or something like that). Then I would simply collect those
hosts that do respond with an ACK and put only them in the queue for
further processing. Whether your host sends a nak or nothing is the same
to me.

So I don't think a block will cause any significant harm to these attacks.