Matt Sergeant wrote:
> On 6 Mar 2005, at 04:06, Bob wrote:
>> Would this mean any change for pperling plugins?
>
> It shouldn't do.
>
>> I'd like to have qpsmtpd and gatling and tinydns
>> running faster than wire speed, beat the ddossing
>> maggots that way.
>
> Not sure how you have things running faster than wire speed, but
> whatever floats your boat :-)

...slow wire! About the KBytesps you were testing.

>> Could you fork off a tarpit, qpsmtpd DONE, and
>
> Tarpitting is trivial with this setup - no need to fork off and forget
> it because extra connections don't use up any more CPU/memory, so you
> just keep hold of the connection and tarpit for as long as you want.
> [Though I do need to write a tarpit module to do this, but it's like
> 20 lines of code]
>
> Matt.

Experience informs us that will not mean too many
extra connections(double max connect, so what), and
it just needs to handle a reset once in a while to convince
the mark to stay with us until our choice of timeout.
People are saying they can tarpit connections for days,
and many aren't even smart enough to request at intervals
--tarpitting cause somebody to realize they have a trojaned
pc.
All a big ISP would need to survive a bulk flood would
be something like a twenty second tarpit. Allegedly half
of the connections can be finessed to hang on for days
with reset support, honeypots should do that.
My aim is to tarpit the dictionary scans to pre-occupy
their scouts, their eyes, and to make them expose more
IPs during dictionary scans, as well as more cycles.
I guess they can play "asymmetrical", too, though.
It's better to honeypot tarpit than greylist the first
attempt, because too many are too stupid to come
back, but stupid enough to hang around, tarpitted.
Rule one, "When in doubt, fail to do no harm".
-Bob
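
An added example, not code from this thread or from qpsmtpd: an event-driven SMTP tarpit in Python asyncio, showing why held connections cost so little when nothing is forked and how a client reset is absorbed. The `220-` continuation-line dribble, the closing `421`, the timings and the names `tarpit` and `demo` are assumptions made for this illustration.

```python
import asyncio
import time

async def tarpit(reader, writer, hold=20.0, interval=5.0):
    """Hold one SMTP client until our chosen timeout.

    The greeting is never completed: each '220-' line says more is coming.
    Between lines the coroutine sleeps, so a held client costs one socket
    and one small task, not a process.
    """
    deadline = time.monotonic() + hold
    try:
        while time.monotonic() < deadline:
            writer.write(b"220-please wait\r\n")   # assumed stalling text
            await writer.drain()
            await asyncio.sleep(interval)
        writer.write(b"421 service not available\r\n")
        await writer.drain()
    except (ConnectionResetError, BrokenPipeError):
        pass                     # client reset or hung up first; nothing to clean
    finally:
        writer.close()

async def demo(clients=50, hold=0.2, interval=0.05):
    """Constructed local run: many clients held at once by a single loop."""
    server = await asyncio.start_server(
        lambda r, w: tarpit(r, w, hold, interval), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]

    async def client():
        r, w = await asyncio.open_connection("127.0.0.1", port)
        data = await r.read()    # a patient client: reads until server closes
        w.close()
        return data.decode().splitlines()

    t0 = time.monotonic()
    results = await asyncio.gather(*(client() for _ in range(clients)))
    elapsed = time.monotonic() - t0
    server.close()
    return results, elapsed

if __name__ == "__main__":
    lines, secs = asyncio.run(demo())
    print(f"{len(lines)} clients held for {secs:.2f}s in one process")
```

With the defaults of `tarpit` (20 seconds, one line every 5 seconds) each client receives four stalling lines before the `421`; `demo` shortens the timings so the run finishes quickly.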