On 1 Jan 2008 [EMAIL PROTECTED] wrote:

> However, labrea may be great software ... but it is certainly not
> the software one wants to compete with a live machine for incoming
> connections.

The way I run it, the IP addresses being tarpitted are IP addresses that would be rejected anyway by zen et al. DNSBL checks - they are repeat offenders that have already been firewalled out (thus the MTA never sees the traffic) and adding LaBrea simply adds a trap-the-attacker response to the SYN packet rather than just discarding the traffic. The overall load is *very* small on my end, and falls more on the kernel for BPF matching the packets from the list of tarpitted hosts. The net effect is the load on the MTA is *reduced*.

> If the target mailserver offers unlimited connections, sleeping a
> while might help (but consume process resources). If it has a
> maximum incoming connections setting, tarpitting would cause the
> server to block itself

When I say "tarpit" I don't mean an MTA-native "slow the SMTP conversation down" model, I mean a genuine TCP tarpit that plays games with window sizes to trap the attacker - that's what LaBrea does.

I don't think the MTA should be tasked with tarpitting. Tarpitting is a job for a dedicated tool. The most an MTA should do along these lines is slowing responses after X number of bad recipient addresses appear (assuming you don't simply terminate the session).

But this doesn't really have much to do with SA...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  If Microsoft made hammers, everyone would whine about how poorly
  screws were designed and about how they are hard to hammer in, and
  wonder why it takes so long to paint a wall using the hammer.
-----------------------------------------------------------------------
 144 days until the Mars Phoenix lander arrives at Mars
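The window-size trick behind a LaBrea-style TCP tarpit, as a small Python model added here (it is not LaBrea's code and not from the thread); the tiny initial window, the persist-timer backoff and the header size are assumed values, and the BPF expression mirrors the "only the already-blocked list" deployment described above.

```python
from dataclasses import dataclass
from typing import List, Tuple

HDR = 40  # assumed IPv4+TCP header bytes per segment, used only for the tally

@dataclass
class Segment:
    src: str      # "attacker" or "tarpit"
    flags: str    # SYN, SYN/ACK, ACK, PSH/ACK or PROBE (zero-window probe)
    window: int   # advertised receive window
    payload: int  # payload bytes carried
    t: float      # seconds since the attacker's SYN

class PersistTarpit:
    """Stateless responder: it keeps no per-connection table, so its cost is
    one small reply per attacker packet rather than a held socket."""
    def __init__(self, first_window: int = 10) -> None:
        self.first_window = first_window  # assumed tiny initial window

    def reply(self, seg: Segment) -> Segment:
        if seg.flags == "SYN":
            return Segment("tarpit", "SYN/ACK", self.first_window, 0, seg.t)
        # the data that filled the window, and every later probe: ACK, window 0
        return Segment("tarpit", "ACK", 0, 0, seg.t)

def simulate(hold_seconds: float = 600.0, first_window: int = 10,
             persist_rto: float = 5.0, persist_max: float = 60.0
             ) -> Tuple[List[Segment], int, int]:
    """Play the exchange for hold_seconds; return (segments, attacker bytes,
    tarpit bytes). The attacker's persist timer doubles up to persist_max."""
    pit = PersistTarpit(first_window)
    log: List[Segment] = []
    t = 0.0
    syn = Segment("attacker", "SYN", 65535, 0, t)
    log += [syn, pit.reply(syn)]
    data = Segment("attacker", "PSH/ACK", 65535, first_window, t)  # fills window
    log += [data, pit.reply(data)]
    backoff = persist_rto
    while t + backoff <= hold_seconds:
        t += backoff
        probe = Segment("attacker", "PROBE", 65535, 1, t)  # 1-byte window probe
        log += [probe, pit.reply(probe)]
        backoff = min(backoff * 2, persist_max)
    att = sum(HDR + s.payload for s in log if s.src == "attacker")
    pit_bytes = sum(HDR + s.payload for s in log if s.src == "tarpit")
    return log, att, pit_bytes

def bpf_filter(tarpitted_hosts: List[str]) -> str:
    """Capture filter restricting the tarpit to the already-blocked list."""
    return "tcp and (" + " or ".join(f"src host {h}" for h in tarpitted_hosts) + ")"
```

With the defaults, ten minutes of held attacker connection cost the tarpit fourteen 40-byte ACKs and no kernel socket, which is the load profile the post describes.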