On Mon, 19 Aug 2013, David F. Skoll wrote:

On Mon, 19 Aug 2013 07:52:15 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:

Have you considered TCP Tarpitting instead of just blocking them?
Blocking them doesn't actually *punish* them. Getting their MTAs
*stuck* for hours or days does.

IMO, tarpitting is useless.  When you have hundreds, thousands or
more compromised zombie computers at your disposal, you're not even
going to notice tarpitting.

How likely is a repeat offender to be a zombie?

Very.  It'll be the same offender, but most likely a different zombie.

Forgive me, my question was unclear. By "repeat offender" I meant "IP address".

It seems to me that greylisting and TCP tarpitting catch both sides
of the problem. Greylisting blocks junk from the single-attempt
zombies, and TCP tarpitting will catch the ones who are persistent
offenders.

In my opinion, greylisting is worth the tradeoff because it actually works;
I have data to back that up.  I do not have data to show that tarpitting
does any good and my gut feeling is that it doesn't.

We can't solve the problem completely with this, so it's not worth
the effort to *reduce* the problem?

Again in my opinion, tarpitting doesn't even reduce the problem
measurably.  Do you have data to show that tarpitting is actually
effective?

No data, only anecdotes.

I only run services for three domains with a couple of users each; I don't really have a good source of any statistically-meaningful data and I haven't run any kind of formal analysis of what little I do have. I'm also somewhat conservative on when an IP gets added to the SMTP tarpit list.

In addition, tarpitting is at least partly intended to help *others*, by getting the attacker stuck before it moves on to the next target.

FWIW I also do it for PHP scans and it seems somewhat effective there. It's *very* effective for MSSQL scanners.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  USMC Rules of Gunfighting #4: If your shooting stance is good,
  you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
 5 days until the 1934th anniversary of the destruction of Pompeii
