Tar pitting automated attacks
Mike Hauber
m.hauber at mchsi.com
Thu Sep 9 08:44:27 PDT 2004
On Thursday 09 September 2004 11:00 am, Ted Mittelstaedt
proclaimed:
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf
> > Of Mike Hauber Sent: Wednesday, September 08, 2004 9:35
> > AM
> > To: freebsd-questions at freebsd.org
> > Subject: Re: Tar pitting automated attacks
> >
> >
> > I realize this is probably a dumb question (I quietly
> > drop everything incoming unless it's keep-state, and I
> > only allow ssh internally)...
> >
> > If you're needing to ssh to your machine from a limited
> > range of IPs, then why not tell your PF to drop
> > incoming unless it's within that range?
>
> Yes, that is how it is usually done. But the OP's goal
> was to tie up the attacker's resources so the attacker
> cannot go and bang on other people.
>
> Blocking access to the ssh port to most of the Internet
> actually helps the attacker, because the attacker will
> attempt to open a connection, and 5 minutes later when
> the connection open has still not completed, the attacker
> will mark off that IP and continue onto attacking the
> next person.
>
> So it comes down to what do you want - if you want to
> clean your logs and not be attacked, then use port
> filtering, otherwise if you want to waste attackers'
> resources, make sure your ssh port is available, and use
> good passwords so an attack won't succeed.
>
> tarpitting is equivalent to port filtering from the
> attackers' point of view - they know how to detect a tar
> pit and will move on and not get stuck in it.
>
> Ted
>
That makes sense... I haven't gotten so much into security
that I would want to "invite" a potential cracker. I would
just as soon they go and bug someone else (who knows, maybe
it will result in more BSD admins. :) )
How difficult would it be to have a "dummy" system set up on
the LAN where incoming SSH could be transparently routed
to? In fact (and even the idea gives me the creeps), how
difficult would it be to change "root" to something else,
and then create a dummy root account? I mean, if one is
attempting to get a cracker to waste his time, then why not
wet his whistle and let him think he's actually getting
somewhere?
I don't know anything about this kind of thing (I'm just not
devious enough, I guess). How should I go about googling
this to learn more? Is there a term for it?
Thx,
Mike
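The two set-ups discussed in this thread, written out as a PF ruleset (added example for this archive page, not a configuration posted by either correspondent): SSH to the firewall itself is allowed only from a table of trusted source ranges with everything else silently dropped, and, for the "dummy system on the LAN" idea, SSH arriving from anywhere else is redirected with rdr to a sacrificial host. Interface names, the decoy address and the trusted ranges are placeholders; the explicit keep state and the translation-before-filter ordering match the PF of the FreeBSD 5.x era.

```pf
# Added example: /etc/pf.conf for the two approaches discussed above.
# Placeholders: interface names, decoy address and trusted ranges.
ext_if = "fxp0"
int_if = "fxp1"
decoy  = "192.168.1.50"                            # assumed sacrificial SSH host on the LAN
table <trusted> { 203.0.113.0/24, 198.51.100.7 }  # assumed ranges you ssh in from

set block-policy drop            # drop silently; no RST or ICMP unreachable back
scrub in all

# Translation rules are evaluated before filter rules.
# Port 22 from anyone NOT in the trusted table goes to the decoy instead
# of to the firewall's own sshd.
rdr on $ext_if proto tcp from ! <trusted> to ($ext_if) port 22 -> $decoy port 22

# Default deny in both directions; only stateful traffic gets through.
block in all
block out all

# The decoy must never be able to open connections to anything: if it is
# compromised, it cannot be used to attack the rest of the LAN or other sites.
# Replies to attacker sessions still flow, because they match state created
# on the inbound pass rule below (states float across interfaces by default).
block in quick on $int_if from $decoy to any

# Internal hosts may go out, and the firewall itself may go out.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
pass out on $int_if keep state

# SSH to the firewall: only from the trusted ranges, new connections only.
pass in on $ext_if proto tcp from <trusted> to ($ext_if) port 22 \
    flags S/SA keep state

# SSH that rdr has already rewritten to the decoy address.
pass in on $ext_if proto tcp from any to $decoy port 22 \
    flags S/SA keep state
```

Two checks before relying on this: `pfctl -nf /etc/pf.conf` parses the file without loading it, and a connection attempt from an address outside the table should show up in `pfctl -ss` as a state towards the decoy rather than towards the firewall. The quick block on the decoy's traffic is the part that matters most: Ted's point that tying up an attacker is only worthwhile if it does not make them more effective applies doubly to a decoy, which should be assumed compromised from the day it is switched on.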