[linux-elitists] web server software for tarpitting?

Gerald Oskoboiny gerald@impressive.net
Thu Feb 14 19:42:38 PST 2008


* Tony Godshall <togo@of.net> [2008-02-14 09:55-0800]
>Hi.
>
>Could we clear something up?
>
>I've always heard tarpitting described as attempting to slow down an attacker's
>connections as much as possible by stringing along their TCP
>connections for as long as possible.  Specifically, I've seen it done
>against spammers (or spambots) since it reduces spam to oneself and
>keeps them (at least the single-threaded ones, I guess) from moving on
>to the next victim.  I.e. as long as possible[1]
>
>It sounds, though, that you are wanting something different, which I
>would call adaptive metering, i.e. slowing down the connections of IP
>addresses that are causing too much traffic so that they are no longer
>harmful.  Drop enough packets and the backoff kicks in[2] and their
>traffic rate drops to "acceptable" levels.

We basically want to slow them down enough that they notice
something's wrong and investigate. We thought serving them HTTP
503 responses would accomplish that but it hasn't yet.

>By the way, there's really nothing unusual about having large amounts
>of traffic coming from a single IP: many large organizations hide huge
>numbers of machines behind a single IP.  Of course, they ought to be
>running a transparent cache at their NAT point so repeats to the same
>URL are cut way way back.  Presumably these organizations are not lost
>causes and could be "taught".  And it sounds like you don't want to
>disconnect them, just limit their harm.

That's part of the problem with our existing approach of blocking
abusive IPs from our entire site for 24 hours: others on the same
large corporate network become unable to get their work done just
because one of the other thousand people coming through the same
IP was running misconfigured software.

We did it that way to try to draw more attention to the problem
but it has turned out to be a PITA in practice. I'm hoping that
tarpitting DTD requests specifically will be more likely to be
noticed by those running the apps making the requests, while
having less impact on innocent bystanders on the same network.

-- 
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/
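As an added illustration of the two policies contrasted above (a site-wide 24-hour IP block versus tarpitting only excess DTD requests), here is example code that is not from the list, from Gerald, or from any real server setup; the thresholds, delay, paths and IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque
# Constructed thresholds for the example; the post gives no numbers.
WINDOW = 60.0           # seconds of per-IP request history kept
DTD_LIMIT = 100         # DTD fetches per window before a client counts as abusive
TARPIT_DELAY = 30.0     # seconds to hold an abusive DTD response before answering
BLOCK_SECONDS = 24 * 3600.0

def _is_dtd(path):
    return path.lower().endswith(".dtd")

def _recent_dtd_count(hits, ip, now):
    """Record one DTD hit for ip and return how many fell inside the window."""
    q = hits[ip]
    q.append(now)
    while q[0] <= now - WINDOW:
        q.popleft()
    return len(q)

class SiteBlockPolicy:
    """Existing approach: one abusive client gets the whole IP 503'd site-wide for 24 hours."""
    def __init__(self):
        self.hits = defaultdict(deque)
        self.blocked_until = {}

    def decide(self, ip, path, now):
        if self.blocked_until.get(ip, 0.0) > now:
            return ("block", 503)
        if _is_dtd(path) and _recent_dtd_count(self.hits, ip, now) > DTD_LIMIT:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return ("block", 503)
        return ("serve", 0.0)

class DtdTarpitPolicy:
    """Proposed approach: only excess DTD requests are delayed; other paths from the same IP are untouched."""
    def __init__(self):
        self.hits = defaultdict(deque)

    def decide(self, ip, path, now):
        if _is_dtd(path) and _recent_dtd_count(self.hits, ip, now) > DTD_LIMIT:
            return ("tarpit", TARPIT_DELAY)   # caller sleeps this long before writing the response
        return ("serve", 0.0)

def simulate(policy, ip="192.0.2.10"):
    """Constructed traffic: a misconfigured app behind a NAT fetches one DTD 150 times in 30 s,
    then a colleague behind the same IP loads an ordinary page. Returns (abuser, bystander)."""
    abuser = None
    for i in range(150):
        abuser = policy.decide(ip, "/DTD/xhtml1-strict.dtd", now=i * 0.2)
    bystander = policy.decide(ip, "/TR/html4/", now=31.0)
    return abuser, bystander
```

The simulation shows the difference the reply describes: under the old policy the bystander's ordinary page load is refused along with the abuser's, while the tarpit policy delays only the runaway DTD fetches.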
