Re: [rhelv5-list] Re: Dovecot under attack?

John Summerfield

2008-02-02

Axel Thimm wrote:

>>>
>>> So new connections are not helping the attacker, in fact the attacker
>>> is the one now losing resources per connection, your system isn't
>>> sloting anything anymore.
>> It doesn't prevent the remote attacker opening a new connexion every, say,
>> one minute,
>
> Of course it does. Once tarpitted it will remain that way. Every
> attempted connection lands in the tarpit w/ no resources used from
> your side.
>
>> and it doesn't prevent his timing out himself in less than that.
>> Say 1 minute.
>>
>> Resources are cheap, _they_ use other peoples' computers and internet
>> accounts.
>
> Whatever their resource pool you slow it down by consuming it w/o
> consuming any of yours. Good for you and other fellow sysadmins that
> are attacked at the same time.
>

Why would the attacker be attacking only one system? I wouldn't; I might
be trying 10, 20, maybe more in parallel, depending on how good my
connexion seems to be.

I have seen a successful attack. An automaton found a weakness,
installed some stuff and notified "the boss."

The Boss came in later, and in the case I saw installed an IRC bot.


Finding a tarpit will slow down just one of the processes/threads, and
not for long unless it's poorly programmed.

You, the defender, have to comply with the applicable standards wrt any
services you offer.

I, the attacker, can adjust the timeouts to suit my requirements. If you
seem to me to be tardy replying, I can ignore the 30 second or whatever
timeout, and time out myself in ten if I want.



>>>> and has no effect at all on other members of a botnet.
>>> A DDoS is harder to fence off (and in general harder to detect before
>>> the system collapses), but you scale it down to only a few connections
>>> per attacker and not hundreds of connections per attacker.
>> I'm not saying DDoS; a botnet can run through its list of candidate names
>> and passwords, one or two every so often per host, and in between times
>> they try others.
>
> If tarpitted you decide when to untar them. If you place a high
> untarring time like one hour then the attacker has 24 tries per day,
> not really much to inflict any damage.

If I seriously want to test you, I can aim my entire botnet at you if I
wish. If you think you're allowing me 24 attempts in a day, and I'm
aiming as few as 100 bots at you, then that gives me 2400 attempts in
the day.
>
>> We're talking about criminals here, not your average teenage pest.
>
> So there is a difference? ;)

I think you will find the criminals more determined, and probably better
researched.

Me, I prefer not to play those games.


--

Cheers
John

-- spambait
1aaaaaaa@(protected)
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
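The exchange above turns on one arithmetic point: a per-source tarpit with a one-hour untar time caps each source at 24 attempts a day, so the attacker's reply is to spread the same work across many sources. The example below is added here and is not code from the thread, from Dovecot or from either poster. It parses constructed log lines (the layout only loosely resembles Dovecot's "auth failed" messages and is an assumption), reproduces the 24-per-source budget from the thread, and then shows the defender-side check the per-source view misses: counting how many distinct sources are failing against the same account, which is what a distributed guess looks like in the logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The field layout is an assumption made for this
# example; it is not a verbatim Dovecot format.
SAMPLE_LOG = """\
Feb 02 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.10
Feb 02 10:00:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.11
Feb 02 10:00:13 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.12
Feb 02 10:00:19 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.5
Feb 02 10:00:25 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.13
Feb 02 10:00:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.10
Feb 02 10:00:37 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.14
Feb 02 10:00:43 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.20
"""

# Only lines carrying "auth failed" are of interest; successful logins are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?auth failed.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_auth_failures(text):
    """Return (timestamp, user, remote_ip) for every failed-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ts"], m["user"], m["rip"]))
    return events


def failures_per_source(events):
    """The view a per-IP tarpit acts on: failures grouped by remote address."""
    return Counter(rip for _, _, rip in events)


def sources_per_account(events):
    """The view a tarpit does not give you: distinct sources per target account."""
    seen = defaultdict(set)
    for _, user, rip in events:
        seen[user].add(rip)
    return {user: len(ips) for user, ips in seen.items()}


def tarpit_attempt_budget(untar_seconds, n_sources, window_seconds=86400):
    """Attempts a per-source tarpit still admits in the window.

    One source with a one-hour untar time gets 24 attempts a day, the figure
    from the thread; the budget scales linearly with the number of sources.
    """
    return (window_seconds // untar_seconds) * n_sources


def distributed_guess_alerts(events, min_sources=3):
    """Accounts whose failures arrive from at least min_sources distinct IPs."""
    return sorted(
        user for user, n in sources_per_account(events).items() if n >= min_sources
    )


if __name__ == "__main__":
    events = parse_auth_failures(SAMPLE_LOG)
    print("per-source failures:", dict(failures_per_source(events)))
    print("distinct sources per account:", sources_per_account(events))
    print("tarpit budget, 1 source, 1h untar:", tarpit_attempt_budget(3600, 1))
    print("tarpit budget, 100 sources, 1h untar:", tarpit_attempt_budget(3600, 100))
    print("accounts under distributed guessing:", distributed_guess_alerts(events))
```

In the sample no single address exceeds two failures, so a per-source threshold or tarpit sees nothing alarming, while the per-account view shows five distinct sources failing against `alice`. That is the signal to key a lockout, a step-up or an alert on when the attacker has the resource pool the thread describes.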