On Sat, 2004-09-11 at 12:21, Kenneth Porter wrote:
> --On Saturday, September 11, 2004 12:10 PM -0700 John Hardin
> <[EMAIL PROTECTED]> wrote:
>
> > Unfortunately, unless the tarpit responds to the first packet with a
> > SMTP welcome banner, the connection won't be tarpitted for longer than
> > the "wait for SMTP welcome" timeout in the client. You need to convince
> > the far end to send some data before they'll get stuck.
>
> I don't understand. This particular connection was repeatedly sending the
> same request over and over (hence my comment of "moron") so a tarpit would
> stop the connection but act like a keepalive, keeping the other side from
> dropping the connection but also not accepting any further data.
The way a tarpit roughly works is it sets the TCP receive window size to zero and stops acknowledging receipt of packets. If the other side has data to send, it will send an empty packet (TCP/IP header + no data) and wait a very long time for an ACK.

The way the SMTP protocol is constructed, the client opens a connection and waits for a welcome banner before sending data. If the connection is tarpitted immediately, then the client never receives the welcome banner and never gets tarpitted, and will (presumably) exit after a short wait for the banner.

Ideally you send a SMTP welcome banner like:

  220 Welcome to the tarpit!

before tarpitting the connection, in order to get the client to start sending data. I've been trying for a long time to convince Tom to add this capability to LaBrea for precisely this reason. (Hi, Tom!)

This assumes, of course, that the client is well-behaved. I can see the possibility of a ratware spam client assuming the SMTP server will send all the proper responses and just spew out the entirety of its side of the exchange without waiting for those responses. This might be possible to tarpit without a welcome banner, but I wouldn't rely on the client being that poorly written.

--
John Hardin KA7OHZ <[EMAIL PROTECTED]>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.           fax:   (425) 672-0192
-----------------------------------------------------------------------
If you smash a computer to bits with a mallet, that appears to count as
encryption in the state of Nevada.
                                                - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------
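An added Python simulation of the banner point above (example code, not from the thread and not LaBrea): a server thread that stands in for the tarpit by sending an optional 220 banner and then going silent (a userspace program cannot set the TCP window to zero directly, so "stall without reading or replying" is the stand-in), plus a well-behaved SMTP client that waits for the banner before sending anything. The timeouts and port are assumptions chosen for the demonstration.

```python
import socket
import threading
import time

BANNER = b"220 Welcome to the tarpit!\r\n"  # the banner suggested in the post


def tarpit_server(srv, send_banner, hold):
    """Accept one connection; optionally send the banner, then sit on the
    socket without reading or replying for `hold` seconds (stand-in for a
    zero-window tarpit)."""
    conn, _ = srv.accept()
    with conn:
        if send_banner:
            conn.sendall(BANNER)
        time.sleep(hold)


def well_behaved_client(port, banner_timeout, reply_timeout):
    """SMTP client that will not send anything until it sees a 220 banner.
    Returns (seconds the connection was held, commands the client sent)."""
    start = time.monotonic()
    sent = 0
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.settimeout(banner_timeout)
        try:
            banner = s.recv(1024)
        except socket.timeout:
            return time.monotonic() - start, sent  # gave up: no banner seen
        if banner.startswith(b"220"):
            s.sendall(b"EHLO client.example\r\n")  # constructed sample command
            sent += 1
            s.settimeout(reply_timeout)
            try:
                s.recv(1024)  # stuck here until the reply timeout fires
            except socket.timeout:
                pass
    return time.monotonic() - start, sent


def run_scenario(send_banner, banner_timeout=0.3, reply_timeout=1.0):
    """Run one client against one stalling server on an ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    hold = banner_timeout + reply_timeout + 0.5  # outlast the client either way
    t = threading.Thread(target=tarpit_server, args=(srv, send_banner, hold))
    t.start()
    result = well_behaved_client(port, banner_timeout, reply_timeout)
    t.join()
    srv.close()
    return result
```

Without the banner the hold time is capped by the client's banner timeout and no data is ever sent; with the banner the client commits a command and sits on the reply timeout instead.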