[nycbug-talk] tarpitting

Jonathan Vanasco jvanasco
Thu Jul 28 14:02:45 EDT 2005


Just a related link:

	http://sa-exim.sf.net

is similar.  It's SpamAssassin compiled into the Exim MTA at local_scan, 
with thresholds set for tarpitting (called teergrubing) and other fun 
things.

I use it on my deb box, built from source, fairly well.  There's a port 
of it in FreeBSD ports/mail, but I haven't gotten to installing it yet.


On Jul 28, 2005, at 1:54 PM, michael wrote:

> On Thu, 28 Jul 2005 12:58:36 -0400
> "George Georgalis" <george at galis.org> wrote:
>
>> How many connections can openbsd sustain in a tarpit capacity?  How
>> effective is tarpitting against attackers? Isn't an attacker able
>> to release a tcp connect that gets tarpitted? (even if he must
>> intentionally do so or code to do so?)
>>
>> (I'm not really concerned about slowing worms here, but that is an
>> obvious advantage, if the worm is not smart enough to release the
>> connection.)
>>
>> // George
>>
>
> Here's the presentation by Bob Beck.  It may have some answers.
> http://www.openbsd.org/papers/bsdcan05-spamd/
>
> Yes, they can release a tcp connection, as the paper points out.
> That is fine, they go away.  It turns out, they disconnect within a
> predictable pattern.
>
> I have a light duty mail gateway that uses tarpitting.  It currently has
> around 30K entries in the spamdb, of which 18k are currently grey, with
> around 500 currently connected (established, fin_wait, or closing) to
> port 25, if that helps.
>
> TIMEOUTS:
> tcp.first                   120s
> tcp.opening                  30s
> tcp.established           86400s
> tcp.closing                 900s
> tcp.finwait                  45s
> tcp.closed                   90s
> tcp.tsdiff                   30s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                         30s
> interval                     10s
> adaptive.start                0 states
> adaptive.end                  0 states
> src.track                     0s
>
> LIMITS:
> states     hard limit  10000
> src-nodes  hard limit  10000
> frags      hard limit   5000
>
>
> Michael
> -- 
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
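The mechanism michael describes (the tarpit stutters the SMTP greeting, senders that give up simply disconnect, and the gateway can observe how long each one held on) as an added example; this is not code from spamd, sa-exim or anyone in this thread, and the banner text, loopback port, byte delay and patience values are constructed for the demo.

```python
import asyncio
import time
BANNER = b"220 tarpit.example ESMTP tarpit ready\r\n"  # constructed, not spamd's text

class Tarpit:
    """Stutter the banner one byte at a time and record how long peers hold on."""
    def __init__(self, delay):
        self.delay, self.hold_times = delay, []   # byte spacing (s); per-peer hold time (s)

    async def handle(self, reader, writer):
        start = time.monotonic()
        try:
            for i in range(len(BANNER)):
                if reader.at_eof() or reader.exception() is not None:
                    break             # peer gave up; stop feeding it
                writer.write(BANNER[i:i + 1])
                await writer.drain()
                await asyncio.sleep(self.delay)
            else:
                await reader.readline()   # a real MTA would now send HELO/EHLO
        except ConnectionError:
            pass                      # peer reset the connection mid-stutter
        finally:
            self.hold_times.append(time.monotonic() - start)
            writer.close()

async def client(port, patience):
    """Read the banner but give up after `patience` seconds, as impatient senders do."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start = time.monotonic()
    try:
        line = await asyncio.wait_for(reader.readline(), patience)
    except asyncio.TimeoutError:
        line = b""                    # left before the greeting finished
    writer.close()
    return line, time.monotonic() - start

async def run_demo(delay, patience):
    pit = Tarpit(delay)
    server = await asyncio.start_server(pit.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        patient = await client(port, patience=len(BANNER) * delay * 10)
        impatient = await client(port, patience=patience)
        while len(pit.hold_times) < 2:   # let both handlers finish bookkeeping
            await asyncio.sleep(0.01)
    return {"patient": patient, "impatient": impatient, "hold": sorted(pit.hold_times)}

def demo(delay=0.02, patience=0.3):   # synchronous entry point for callers/tests
    return asyncio.run(run_demo(delay, patience))
```

Each tarpitted peer also costs the gateway a pf state entry, so the `states hard limit` and the tcp timeouts michael pasted are what bound that cost on the real box.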