On Wed, Apr 17, 2013 at 01:45:22PM -0400, Christopher Schultz wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > André, > > On 4/17/13 1:27 PM, André Warnier wrote: > > Leo Donahue - RDSA IT wrote: > >>> -----Original Message----- From: André Warnier > >>> [mailto:a...@ice-sa.com] Subject: Re: Tomcat access log reveals > >>> hack attempt: "HEAD /manager/html HTTP/1.0" 404 > >>> > >>> > >>> That's the idea. That is one reason why I brought this > >>> discussion here : to check if, if the default factory setting > >>> was for example 1000 ms delay for each 404 answer, could anyone > >>> think of a severe detrimental side-effect ? > >> > >> What if I send 10,000 requests to your server for some file that > >> is not there? > > > > Then you will just have to wait 10,000+ seconds in total before you > > get all your corresponding 404 responses. Which is exactly the > > point. > > Sounds like a DOS to me. What you really want to do is detect an > attacker (or annoying client) and block them without having to use > your own resources. Maintaining a socket connection for an extra > second you don't otherwise have to do is using a resource, even if the > CPU is entirely idle, and even if you can return the > request-processing thread to the thread-pool before you wait that 1 > second to respond.
Good advice in general, but "what you want to do" depends on what you intend to accomplish. If your objective is to carry on with legitimate business without too much interference from the bots, then the thing to do is to detect bots and stop listening to them. I think that André's argument is that we might prefer a different objective: to spend (a reasonable amount of) resources to harm bot performance so that people stop deploying the nasty things. This is worth pondering. It fits nicely with the view that "there are two classes of threats: those properly dealt with, and those still alive." The problem with active resistance is, of course, that when the bad guys stop deploying bots they'll start doing something else. To be effective for more than a moment, we need to surround all the enemy's tactical options. At that point a smart enemy will give up and go home, while a stupid (or desperate) one will come on and be destroyed. Either way, you win. But this is very hard to arrange. So we have to consider what going active will cost, and how the enemy's behavior will change. The reward is still there for him if he can grasp it. What's the next soft spot, and can we defend or harden it? Can we afford to win the bot battle, or is it better to just shrug them off? -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Machines should not be friendly. Machines should be obedient.
signature.asc
Description: Digital signature
