On Fri, Feb 01, 2008 at 08:30:19AM +0900, John Summerfield wrote:
> Axel Thimm wrote:
>> On Wed, Jan 30, 2008 at 05:06:20PM +0100, Nick Jennings wrote:
>>> Hi Tim,
>>>
>>> Thanks for your response. I should have mentioned that this server is
>>> meant to be a hosting server for both web and mail, and there is no way
>>> to effectively restrict based on trusted clients.
>>>
>>> Is there anything else perhaps more general for if not preventing, then
>>> deterring and slowing down this kind of attack?
>>
>> Google for tarpitting, that's the method used to slow down malevolent
>> nodes.
>
> I suspect it doesn't work. It's easily worked around. A slow connexion
> doesn't prevent more from being started,
"Adds a TARPIT target to iptables, which captures and holds incoming
TCP connections using no local per-connection resources. Connections
are accepted, but immediately switched to the persist state (0 byte
window), in which the remote side stops sending data and asks to
continue every 60-240 seconds. Attempts to close the connection are
ignored, forcing the remote side to time out the connection in 12-24
minutes."
So new connections are not helping the attacker, in fact the attacker
is the one now losing resources per connection, your system isn't
slotting anything anymore.
> and has no effect at all on other members of a botnet.
A DDoS is harder to fence off (and in general harder to detect before
the system collapses), but you scale it down to only a few connections
per attacker and not hundreds of connections per attacker.
--
Axel.Thimm at ATrpms.net
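An added example, not part of the thread: a small Python script that picks out sources hammering an SMTP service from a log and emits iptables rules handing them to the TARPIT target quoted above. The log format is constructed for the example (not a real MTA's), and the TARPIT target is assumed to be installed from xtables-addons.

```python
"""Added example (not from the mailing-list thread): flag sources that
repeatedly fail SMTP authentication and emit iptables TARPIT rules for them.
The log line format is constructed for this example, not a real MTA's;
the TARPIT target is assumed to come from xtables-addons."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: "<ISO timestamp> smtpd auth-fail from=<ip>"
SAMPLE_LOG = """\
2008-01-30T17:00:01 smtpd auth-fail from=198.51.100.7
2008-01-30T17:00:02 smtpd auth-fail from=198.51.100.7
2008-01-30T17:00:02 smtpd auth-fail from=203.0.113.9
2008-01-30T17:00:04 smtpd auth-fail from=198.51.100.7
2008-01-30T17:00:05 smtpd auth-fail from=198.51.100.7
2008-01-30T17:00:07 smtpd auth-fail from=198.51.100.7
2008-01-30T17:09:30 smtpd auth-fail from=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) smtpd auth-fail from=(\S+)$")

def parse_log(text):
    """Yield (timestamp, source_ip) pairs, skipping lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def offenders(events, threshold, window):
    """Return IPs with at least `threshold` failures inside any span of
    length `window` (sliding window per source, oldest entries dropped)."""
    recent = defaultdict(list)
    flagged = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def tarpit_rules(ips, port=25):
    """One rule per offender: its TCP connections to `port` are held in the
    zero-window persist state, so each extra connection costs the attacker."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j TARPIT"
            for ip in sorted(ips)]

def flag_sample():
    """Run the detector over the constructed log: 5 failures within a minute."""
    return offenders(parse_log(SAMPLE_LOG), 5, timedelta(minutes=1))

if __name__ == "__main__":
    print("\n".join(tarpit_rules(flag_sample())))
```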
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list