Re: ssh dictionary attacks
Ertugrul Soeylemez wrote:
> "René Berber" <rberber@mailandnews.com> (06-08-15 15:07:56):
>
> > > This is something that comes up once in a while... I've been subject
> > > to them as well.
> > >
> > > I've come across a couple of projects that build a 'tarpit' for
> > > attackers - the first one is for SMTP and the second one is more
> > > generic.
> > >
> > > I've often wondered if one couldn't use this to at least slow down a
> > > dictionary attack on ssh. It wouldn't do much good for a
> > > distributed attack, but it might for an attack coming from a few
> > > hosts.
> > >
> > > Any thoughts? Comments? This is sort of a curiosity question for
> > > me; I don't know enough to really make a solid judgement if this
> > > would be useful.
> >
> > Why just slow them if you can stop them?
>
> Easy. Slowing them down saves bandwidth for the whole internet. As
> long as the scanner 'hangs' on scanning your box, it won't issue too
> much traffic. If you banned them, then they would just go further and
> scan the next box. There are in fact scanners, which could
> simultaneously scan multiple boxes, but that is rather rare. Even then,
> if _many_ people ed slowing them down, then a lot of useless traffic
> would be saved.
>
>
> Regards,
> E.S.
Until the blackhat integrates the polling with a simple flatfile database
to distribute the attack on a per-password basis. 20 lines of Perl
would probably be adequate.
Ultimately the solution is for an agency to provide the tarpit as a
proxy. Once the connection is determined to be offensive, the socket
should be forwarded to a server run by the police with an out-of-band
session to provide the true source address and related statistics. One
honeypot, many parallel data flows pointing back at the origin.
Billions are lost every year because of this kind of crap, and after a
decade of Public Internet, the investigative capacity of domestic
police has not evolved past inspecting its own colon. Any jackass can
write this kind of code. It is not significantly more complex than say:
Napster.
The people whose job it is to do it, don't understand the stakes or the
job, and the little light that has shown on them has been capitalized
into moral crusades. The people who do know, won't waste their time
because they would rather be productive than pursue employment in
computerized colonoscopy. Snake oil peddlers dominate the marketspace
as a result. Same B.S. different day.
-Failure to understand strategy permits the perversion of the concept
of security.
-You are most likely to be exploited by those you hire to exploit
others.
-Matt
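The tarpit the thread talks about, as an added example that is not code from any of the posters: a small Python asyncio listener that trickles RFC 4253 pre-identification lines (the server may send lines before its "SSH-" version string, each ending in CRLF and never starting with "SSH-"), so a scanner waiting for the version line sits idle instead of moving to the next host. The listen port and the delay between lines are assumed values, and the listener is meant for a spare port, not for the port the real sshd serves.

```python
import asyncio
import random

LISTEN_PORT = 2222      # assumption: a spare port, not the real sshd
DELAY_SECONDS = 10.0    # assumption: seconds between trickled lines


def banner_line(rng: random.Random) -> bytes:
    """One pre-identification line per RFC 4253 section 4.2: printable ASCII,
    never starting with 'SSH-', terminated by CRLF."""
    n = rng.randint(3, 32)
    body = bytes(rng.randint(0x20, 0x7E) for _ in range(n))
    if body.startswith(b"SSH-"):        # must not look like the version string
        body = b"x" + body[1:]
    return body + b"\r\n"


def is_valid_tarpit_line(line: bytes) -> bool:
    """Check the constraints a client will tolerate before the version string."""
    if not line.endswith(b"\r\n") or line.startswith(b"SSH-"):
        return False
    payload = line[:-2]
    return 0 < len(payload) <= 253 and all(0x20 <= b <= 0x7E for b in payload)


async def tarpit(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Hold one scanner connection open by sending a slow stream of banner lines."""
    peer = writer.get_extra_info("peername")
    rng = random.Random()
    held = 0.0
    try:
        while True:
            writer.write(banner_line(rng))
            await writer.drain()        # raises OSError once the scanner gives up
            await asyncio.sleep(DELAY_SECONDS)
            held += DELAY_SECONDS
    except OSError:
        pass
    finally:
        writer.close()
        print(f"{peer} held for about {held:.0f}s")   # defender-side metric


async def main() -> None:
    server = await asyncio.start_server(tarpit, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Each held connection costs the listener one idle coroutine and a few bytes every DELAY_SECONDS, which is the bandwidth argument made above in concrete terms.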