[nycbug-talk] tarpitting

George Georgalis george
Fri Jul 29 11:39:41 EDT 2005


On Thu, Jul 28, 2005 at 01:54:00PM -0400, michael wrote:
>On Thu, 28 Jul 2005 12:58:36 -0400
>"George Georgalis" <george at galis.org> wrote:
>
>> How many connections can openbsd sustain in a tarpit capacity?  How
>> effective is tarpitting against attackers? Isn't an attacker able
>> to release a tcp connect that gets tarpitted? (even if he must
>> intentionally do so or code to do so?)
>> 
>> (I'm not really concerned about slowing worms here, but that is an
>> obvious advantage, if the worm is not smart enough to release the
>> connection.)
>> 
>> // George
>> 
>
>Here's the presentation by Bob Beck.  It may have some answers.
>http://www.openbsd.org/papers/bsdcan05-spamd/


Thanks for finding that. My migration plan to bsd has stopped due to
a disk device numbering problem, which needs to be resolved or my plan
changed, but I have no question about using spamd when I have the
infrastructure for it; it looks like a really effective tool. (I know a
firewall can run on a soekris but I'm not going to develop on one, and
the dev box I've built has the disk problem.)

My question was really to address elements which scan 65000 ports of
each of my IPs. It generates a lot of logs if I track it, rejects are
too polite and are really an aid to the attacker, and with a drop policy
the attacker hits a new port about once per second.

I presume his tool/kernel is specially crafted to only spend a short
time waiting for a response when he reaches a port I drop, so I was
wondering if "tarpitting" that case would be at all useful? My gut
feeling is no; they only work when the remote is expecting a service, not
just checking.

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george at galis.org
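One defensive angle on the scan George describes, as an added example that is not code from this thread: a small Python detector run over constructed firewall drop-log lines (the line format is hypothetical, not real pf output) that flags a source hitting many distinct ports within a short window and reports its average gap between hits, the "about once per second" pattern.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of firewall drop-log lines in a hypothetical format
# (not real pf output): timestamp, verdict, src:port -> dst:port.
SAMPLE_LOG = """\
2005-07-29 11:39:41 block 203.0.113.9:40001 -> 192.0.2.10:21
2005-07-29 11:39:42 block 203.0.113.9:40002 -> 192.0.2.10:22
2005-07-29 11:39:43 block 203.0.113.9:40003 -> 192.0.2.10:23
2005-07-29 11:39:44 block 203.0.113.9:40004 -> 192.0.2.10:25
2005-07-29 11:39:45 block 203.0.113.9:40005 -> 192.0.2.10:80
2005-07-29 11:39:46 block 203.0.113.9:40006 -> 192.0.2.10:110
2005-07-29 11:39:50 block 198.51.100.4:51000 -> 192.0.2.10:22
2005-07-29 11:41:12 block 198.51.100.4:51001 -> 192.0.2.10:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) block (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, src, dport) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], int(m["dport"])

def find_scanners(log_text, min_ports=5, window_seconds=60):
    """Return {src: (distinct_ports, mean_gap_seconds)} for sources touching
    at least min_ports distinct ports inside one window; retries of one port are not flagged."""
    hits = defaultdict(list)
    for ts, src, dport in parse(log_text):
        hits[src].append((ts, dport))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window start over events
            ports, stamps = set(), []
            for ts, dport in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                ports.add(dport)
                stamps.append(ts)
            if len(ports) >= min_ports:
                gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
                flagged[src] = (len(ports), sum(gaps) / len(gaps) if gaps else 0.0)
                break
    return flagged
```

Feeding real drop logs through something like this gives a compact per-source summary instead of one line per dropped probe, which is the log volume problem the post mentions.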
