[nycbug-talk] tarpitting
michael
lists
Thu Jul 28 13:54:00 EDT 2005
On Thu, 28 Jul 2005 12:58:36 -0400
"George Georgalis" <george at galis.org> wrote:
> How many connections can openbsd sustain in a tarpit capacity? How
> effective is tarpitting against attackers? Isn't an attacker able
> to release a tcp connect that gets tarpitted? (even if he must
> intentionally do so or code to do so?)
>
> (I'm not really concerned about slowing worms here, but that is an
> obvious advantage, if the worm is not smart enough to release the
> connection.)
>
> // George
>
Here's the presentation by Bob Beck. It may have some answers.
http://www.openbsd.org/papers/bsdcan05-spamd/
Yes, they can release a tcp connection, as the paper points out.
That is fine, they go away. It turns out, they disconnect within a
predictable pattern.
I have a light duty mail gateway that uses tarpitting. It currently has
around 30K entries in the spamdb, of which 18k are currently grey, with
around 500 currently connected (established, fin_wait, or closing) to
port 25, if that helps.
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
Michael
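As an added example for this thread (not Michael's code and not part of OpenBSD or spamd): a short Python script that parses pfctl-style TIMEOUTS/LIMITS text as posted above, summarizes spamdb(8) records by type, and reports how much of the 10000-state hard limit the 500 tarpitted port 25 connections occupy. The spamdb lines are constructed samples; the field layout (type|ip|helo|from|to|first|pass|expire|bcount|pcount for GREY, type|ip|||first|pass|expire|bcount|pcount for WHITE, type|ip|expire for TRAPPED) follows spamdb(8) as I read it.

```python
"""Capacity check for a pf/spamd tarpit host (added example, not from the post).
Parses text shaped like `pfctl -s timeouts` / `pfctl -s memory` output,
counts spamdb(8) records by type, and reports pf state-table headroom
for the connections currently held on port 25."""
import re
from collections import Counter

# The TIMEOUTS / LIMITS text exactly as posted in the thread.
PFCTL_OUTPUT = """\
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
"""

# Constructed spamdb(8) records (sample values, not from a real host):
# two GREY, one WHITE, one TRAPPED entry.
SPAMDB_OUTPUT = """\
GREY|192.0.2.10|mx.example.net|<a@example.net>|<postmaster@example.org>|1122573000|1122577800|1122587400|1|0
GREY|192.0.2.11|dsl-host|<b@example.com>|<user@example.org>|1122573100|1122577900|1122587500|3|0
WHITE|198.51.100.5|||1122400000|1122400100|1125600000|1|4
TRAPPED|203.0.113.7|1122659600
"""

_TIMEOUT_RE = re.compile(r"^(\S+)\s+(\d+)(?:s| states)$")
_LIMIT_RE = re.compile(r"^(\S+) hard limit (\d+)$")


def parse_pf_timeouts(text):
    """Return {name: value} for the TIMEOUTS section (seconds; adaptive.* are state counts)."""
    timeouts, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):
            in_section = line == "TIMEOUTS:"
            continue
        m = _TIMEOUT_RE.match(line)
        if in_section and m:
            timeouts[m.group(1)] = int(m.group(2))
    return timeouts


def parse_pf_limits(text):
    """Return {table: hard_limit} for every 'X hard limit N' line."""
    limits = {}
    for line in text.splitlines():
        m = _LIMIT_RE.match(line.strip())
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def spamdb_summary(text):
    """Count spamdb records by type and sum the block counts of GREY entries."""
    by_type, grey_blocks = Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        by_type[fields[0]] += 1
        if fields[0] == "GREY" and len(fields) >= 10:
            grey_blocks += int(fields[8])  # bcount field
    return {"total": sum(by_type.values()), "by_type": dict(by_type),
            "grey_blocks": grey_blocks}


def state_headroom(hard_limit, connected):
    """Share of the pf state table occupied by the tarpitted connections."""
    return {"hard_limit": hard_limit, "connected": connected,
            "remaining": hard_limit - connected,
            "used_pct": round(100.0 * connected / hard_limit, 1)}


def summarize(pfctl_text, spamdb_text, connected):
    """Combine timeouts, state limits and greylist counts into one report."""
    return {"tcp_established_timeout_s": parse_pf_timeouts(pfctl_text)["tcp.established"],
            "states": state_headroom(parse_pf_limits(pfctl_text)["states"], connected),
            "spamdb": spamdb_summary(spamdb_text)}


if __name__ == "__main__":
    # 500 connections held on port 25, as in the thread.
    for key, value in summarize(PFCTL_OUTPUT, SPAMDB_OUTPUT, 500).items():
        print(f"{key}: {value}")
```

On a real host the inputs would come from `pfctl -s timeouts`, `pfctl -s memory` and `spamdb`; the point of the report is to watch `remaining` against the states hard limit, since with tcp.established at 86400s a tarpitted connection that is never released can sit in the state table for a day.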