John D. Hardin wrote:
> On Tue, 1 Jan 2008, mouss wrote:
>
>> Tarpitting may not be the right answer, because "they" have a lot
>> more resources than us
>
> I may have misunderstood what Mike was saying in his original post - I
> thought that the traffic was originating from a single IP and that was
> what he had firewalled. Later messages indicate he's being flooded by
> a botnet and he'd firewalled his local IP, so tarpitting is obviously
> a less attractive solution - but, consider: if a few thousand bots get
> snared in his tarpit, are they blocked from spamming others for as
> long as they are snared? A tarpit is as much a community defense as it
> is a personal defense.

This assumes that a lot of people use tarpitting, but it doesn't seem to be so AFAIK. I don't know how botnet spamware is coded, but given the advances in botnet practices, I would bet their "developers" are skilled enough to code an asynchronous client with non-blocking IO. So while keeping them connected for some time means the client system will have more open connections, this isn't enough to get them noticed.

> Agreed, a DNSBL using the zen list is a better way to defend against a
> spambot network.

at least as long as zombies aren't blocked by local firewalls or by their ISPs!
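
The zen lookup mentioned in the quoted text, sketched as an added example (not part of either poster's message): it builds the reversed-octet query name and separates real listings from the 127.255.255.x error answers, which must not be read as "listed". The return-code mapping follows Spamhaus's published codes; the function names and the constructed resolver answers are assumptions for illustration.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

def query_name(ip, zone=ZONE):
    """203.0.113.10 -> 10.113.0.203.zen.spamhaus.org (IPv4 only in this sketch)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer):
    """Map one returned A record to the zen component it represents."""
    o = [int(x) for x in answer.split(".")]
    if o[:3] == [127, 255, 255]:
        return "error"       # blocked resolver, rate limit or bad zone name
    if o[:3] != [127, 0, 0]:
        return "unexpected"  # e.g. a hijacked or wildcarded answer
    if o[3] in (2, 3, 9):
        return "SBL"         # listed spam sources
    if 4 <= o[3] <= 7:
        return "XBL"         # exploited hosts, i.e. the zombies under discussion
    if o[3] in (10, 11):
        return "PBL"         # end-user ranges that should not send direct-to-MX
    return "unexpected"

def system_resolver(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []            # NXDOMAIN or lookup failure: fail open, not listed

def check(ip, resolve=system_resolver):
    verdicts = {classify(a) for a in resolve(query_name(ip))}
    listed = sorted(verdicts & {"SBL", "XBL", "PBL"})
    if listed:
        return "reject", listed
    if verdicts:             # only error/unexpected codes came back
        return "no-verdict", sorted(verdicts)
    return "accept", []

# Constructed answers so the example runs offline (not real lookups).
FAKE = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "10.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolver(name):
    return FAKE.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.10", "198.51.100.7"):
        print(ip, check(ip, fake_resolver))
```

A "no-verdict" result means the list could not be consulted, so the connection should fall through to other checks instead of being rejected.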