Re: ssh dictionary attacks
"shrike@cyberspace.org" <shrike@cyberspace.org> (06-08-19 19:55:23):
> > > Why just slow them if you can stop them?
> >
> > Easy. Slowing them down saves bandwidth for the whole internet. As
> > long as the scanner 'hangs' on scanning your box, it won't issue too
> > much traffic. If you banned them, then they would just go further
> > and scan the next box. There are in fact scanners, which could
> > simultaneously scan multiple boxes, but that is rather rare. Even
> > then, if _many_ people ed slowing them down, then a lot of
> > useless traffic would be saved.
>
> Until the blackhat integrates the polling with simple flatfile
> database to distribute the attack on a per password basis. 20 lines of
> Perl would probably be adequate.
>
> Ultimately the solution is for an agency to provide the tarpit as a
> proxy. Once the connection is determined to be offensive, the socket
> should be forwarded to a server run by the police with an out-of-band
> session to provide the true source address and related statistics. One
> honeypot, many parallel data flows pointing back at the origin.
That's not a solution, because many, if not most of these attacks come
from innocent people, who don't even know about it. I'd rather call
these SSH _worms_, because they spread like them.
Regards,
E.S.