Michael Monnerie wrote:
> On Donnerstag, 13. April 2006 18:15 mouss wrote:
>> pfff. just reading the two first paragraphs is enough to look
>> elsewhere. some people seem to redefine what a false positive is.
> I didn't mean that, I meant the tarpitting approach. Of course you have
> to set some (much) harder policy on which systems to put on your
> tarpit-blackhole list.
> But *if* you have such a "tarpit decider without FP" (not sure how to do
> that...), couldn't this be a very good countermeasure to spam?
The issue is that:
- to tarpit, you need to devote some process or thread to that. and this
is not unix specific. however you do, you'll need something to handle
it. even with a packet filter, this still means many unnecessary states.
- the best you can do (at user level) is have an asynchronous process
(which can handle many connections) to do so. now, either it is the
listener, but then it needs to pass "good" connections to "good"
listeners (which ones support this?) or the opposite (which ones support
this?). of course, you can tune this to the point that you'd write a
spam-OS. just to discover that spammers found other ways to get to you.
- the most severe problem is to find a criterion to decide who is bad.
This is what we're all trying to do! If I knew which clients are used by
spammers, I would need no tarpit nor DNSBL nor SA nor bayes. I would just
block these.
- sometimes, some ideas seem fine. but they don't resist serious
analysis. you want to protect yourself, but that's just part of your
goal. you want to do so at a limited cost and under some (non-explicit
but real) conditions (killing all the non-white people will
statistically reduce terrorism, but would you do that?).
I have already seen systems that get idle when I connect to them. These
systems just make me use my resources in vain, which is not a good
practice. And I tend to believe these systems are driven by nuts, so are
easily attacked (I never do that, for both personal and professional
reasons. The best way to deal with them is to ignore them. route add,
transport_maps, ... are enough to build one's own internet:)