On Mon, 19 Aug 2013, David F. Skoll wrote:

> On Mon, 19 Aug 2013 08:36:14 -0700 (PDT)
> John Hardin <jhar...@impsec.org> wrote:
> [...]
>> In addition, tarpitting is at least partly intended to help *others*,
>> by getting the attacker stuck before it moves on to the next target.
>
> OK; I guess it's just a difference in mindset. I approach the problem
> with the following assumptions:
>
> 1) I assume that no matter how much computing power I have, the
> attacker has at least an order of magnitude more.
>
> 2) I assume that no matter how much bandwidth I have, the attacker has
> at least an order of magnitude more.
>
> These assumptions are not always true (probably not even usually true),
> but they're certainly true for the worst offenders who send the bulk
> of spam. They also keep me humble and prevent me from having a false
> sense of security.

That's reasonable.

>> FWIW I also do it for PHP scans and it seems somewhat effective
>> there. It's *very* effective for MSSQL scanners.
>
> How do you measure the effectiveness?

Not formally, just by the number that get stuck. Those (mssql) at least I
can notify a responsible party with some hope of it getting fixed.

There's also a lot of MS RDP and 5900/tcp traffic stuck recently (and this
is only one server).
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
North Korea: the only country in the world where people would risk
execution to flee to communist China. -- Ride Fast
-----------------------------------------------------------------------
5 days until the 1934th anniversary of the destruction of Pompeii
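The tarpitting the thread discusses, as an added example written for this page (not code from the list posters or from impsec.org): a small TCP tarpit that drips a service greeting one byte at a time, then holds the socket open, and keeps the "number that get stuck" bookkeeping the reply uses as its informal effectiveness measure. It assumes a constructed SMTP-style banner and binds to an ephemeral localhost port; the class and function names are this example's own.

```python
"""Minimal TCP tarpit with 'stuck peer' bookkeeping.

A tarpit holds a scanner's connection open while feeding it data as slowly
as the protocol allows, so the scanner's connection slot (and its patience)
is consumed here instead of on the next target.  This one drips a service
banner one byte at a time and then just sits on the socket.
"""

import socket
import threading
import time

# Constructed banner for the demonstration.  A real deployment would answer
# with whatever greeting the tarpitted service normally gives (SMTP here).
DEFAULT_BANNER = b"220 tarpit.example.invalid ESMTP ready\r\n"


class Tarpit:
    def __init__(self, host="127.0.0.1", port=0, banner=DEFAULT_BANNER,
                 drip_interval=0.5, max_hold=60.0):
        self.banner = banner
        self.drip_interval = drip_interval  # seconds between banner bytes
        self.max_hold = max_hold            # give up on one peer after this
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port=0: let the kernel pick one
        self._sock.listen(64)
        self._sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._lock = threading.Lock()
        self._stuck = {}                    # peer -> monotonic time of accept
        self.accepted = 0
        self.finished = []                  # (peer, seconds held) once closed
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def stuck_now(self, min_seconds=0.0):
        """Peers currently held for at least min_seconds (the informal
        'number that get stuck' measure)."""
        now = time.monotonic()
        with self._lock:
            return sum(1 for t in self._stuck.values() if now - t >= min_seconds)

    def wait_idle(self, timeout=5.0):
        """Block until no peer is held (or timeout); True if idle."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if not self._stuck:
                    return True
            time.sleep(0.01)
        return False

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self._lock:                # book the peer before talking to it
                self.accepted += 1
                self._stuck[peer] = time.monotonic()
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn, peer):
        start = time.monotonic()
        try:
            # A well-behaved client waits for the whole greeting before it
            # speaks, so one byte per interval keeps it waiting the longest.
            for i in range(len(self.banner)):
                if self._stop.is_set() or time.monotonic() - start > self.max_hold:
                    break
                conn.sendall(self.banner[i:i + 1])
                time.sleep(self.drip_interval)
            # Then hold the open socket until the peer gives up or max_hold.
            conn.settimeout(self.drip_interval)
            while not self._stop.is_set() and time.monotonic() - start < self.max_hold:
                try:
                    if conn.recv(1024) == b"":   # peer closed its side
                        break
                except socket.timeout:
                    continue                     # still stuck; keep holding
        except OSError:
            pass                                 # peer reset the connection
        finally:
            conn.close()
            with self._lock:
                self._stuck.pop(peer, None)
                self.finished.append((peer, time.monotonic() - start))


def scan_banner(port, host="127.0.0.1", timeout=30.0):
    """Act like a scanner that waits for the greeting; returns
    (banner, seconds the tarpit made it wait)."""
    t0 = time.monotonic()
    got = b""
    with socket.create_connection((host, port), timeout=timeout) as c:
        while not got.endswith(b"\r\n"):
            chunk = c.recv(1)
            if not chunk:
                break
            got += chunk
    return got, time.monotonic() - t0


def open_stuck_connection(port, host="127.0.0.1"):
    """Connect and return the socket once the tarpit has started talking,
    i.e. once it counts this peer as stuck; the caller closes it."""
    c = socket.create_connection((host, port), timeout=30.0)
    c.recv(1)
    return c


if __name__ == "__main__":
    tp = Tarpit(drip_interval=0.1).start()
    banner, waited = scan_banner(tp.port)
    tp.wait_idle()
    print(f"{banner!r} took {waited:.1f}s; {len(tp.finished)} peer(s) recorded")
    tp.stop()
```

Two practical caveats: a user-space tarpit like this keeps a thread and a full socket per held peer, so its own capacity is bounded by exactly the resources the thread's assumptions say the attacker has more of; for a port-scan or MSSQL/RDP/VNC tarpit on a busy host, a kernel-level mechanism (for example the TARPIT target from xtables-addons, which answers the handshake and then holds the connection with a zero window, keeping no socket state) scales far better. And the `finished` list records how long each peer stayed stuck, which is the data you would want before notifying the responsible party.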