Chris Mann on Mon, 9 Jun 2003 12:18:17 -0400



Re: Fwd: [PLUG] 70% something on 'net connection due to tarpits?


Here is George's response back to the list. Hope this helps!



>>> George Rapp 06/09/03 12:15PM >>>
Yes, our bandwidth utilization, as measured by our ISP, dropped about
70% after installing a tarpit. In our case, we had a full class C IP
address range of which we were only using about 1/4 of the addresses.
The tarpit is very good at tying up the attacking computers on the first
IP address they connect to. Typically, a hacker will launch one or more
computers to pseudorandomly scan the entire IP address space. The
attacking computer that hits our address space covered by the tarpit
comes to a dead halt. It is then tied up from continuing on through our
address space, or signalling another hacker computer to start
reconnaissance on our address. Specifically, during the SQL Slammer peak
activity, we had about 15,000 tarpitted connections. The tarpit was
consuming about 200 bytes/sec to hold all of those machines' connections
open. Just think about how much bandwidth 15,000 computers would consume
if they were actually active on our real machines! The amount of saved
bandwidth is a direct function of the number of attacking machines and
the number of unused IP addresses on your subnet. 

>>> Chris Mann 6/9/2003 11:31:50 AM >>>
This just hit the plug list - care to field this one? :)


>>> kaze@voicenet.com 06/09/03 11:20AM >>>
Something Chris Mann's boss said during the last presentation is
intriguing me. It was due to either tarpits or honeypots, tarpits I
think. He said they regained 70% of their bandwidth, or their bandwidth
use dropped 70% due to this. Sounds great to me, but why does this
happen? The connections are mostly still there. It's not like the
crackers were getting in and then moving huge files on and off the
servers. Is it just the overhead of establishing and breaking down all
those sessions which made such a difference? What's the downside to
running these proactive-anti-cracking programs?
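
George's explanation above, that a scanner sweeping the address space pseudorandomly "comes to a dead halt" on the first tarpitted address it touches and is then "tied up from continuing on through our address space", can be made concrete with a small model. The following Python simulation is an added example and is not code from the original thread or from any tarpit product: it models a scanner with a fixed pool of parallel probe workers sweeping a /24 in shuffled order, treats a probe that lands on a tarpit address as a worker that never returns (the assumption being that a tarpit holds the connection open indefinitely, as George describes), and counts how many live hosts the scanner reaches before every worker is stuck. The subnet layout (64 live hosts, the remaining unused addresses covered by the tarpit) is constructed to mirror the "using about 1/4 of the addresses" figure in the message; the concurrency of 16 is a hypothetical scanner setting.

```python
import random


def simulate_scan(live_hosts, tarpit_hosts, subnet_size=256, concurrency=16, seed=1):
    """Model one scanner sweeping a subnet in pseudorandom order.

    live_hosts:   set of host numbers that answer normally (real machines)
    tarpit_hosts: set of unused host numbers the tarpit answers for
    concurrency:  how many probes the scanner keeps in flight at once

    A probe to a tarpit address never completes, so that worker is lost for
    the rest of the sweep (assumption: the tarpit holds the connection open
    indefinitely).  A probe to an unused, untarpitted address simply times
    out and the worker moves on.  Returns a dict with the number of live
    hosts reached, probes attempted and workers left stuck in the tarpit.
    """
    rng = random.Random(seed)                 # fixed seed keeps the run reproducible
    order = list(range(subnet_size))
    rng.shuffle(order)                        # pseudorandom sweep, as in the thread

    free_workers = concurrency
    reached = 0
    attempted = 0
    for host in order:
        if free_workers == 0:                 # every worker is held by the tarpit
            break
        attempted += 1
        if host in tarpit_hosts:
            free_workers -= 1                 # this worker is now tied up for good
        elif host in live_hosts:
            reached += 1                      # a real machine got probed
    return {
        "reached": reached,
        "attempted": attempted,
        "stuck": concurrency - free_workers,
    }


def compare_with_and_without_tarpit(live_fraction=0.25, subnet_size=256, concurrency=16, seed=1):
    """Run the same sweep against a subnet with and without a tarpit on its
    unused addresses and return both results for side-by-side comparison.

    Host .0 and .255 (network and broadcast) are left out of both sets.
    """
    usable = range(1, subnet_size - 1)
    live_count = int(len(usable) * live_fraction)
    live_hosts = set(usable[:live_count])                 # constructed: low addresses in use
    unused_hosts = set(usable[live_count:])               # constructed: the rest are free

    without = simulate_scan(live_hosts, set(), subnet_size, concurrency, seed)
    with_tarpit = simulate_scan(live_hosts, unused_hosts, subnet_size, concurrency, seed)
    return {"live_hosts": live_count, "without_tarpit": without, "with_tarpit": with_tarpit}


if __name__ == "__main__":
    result = compare_with_and_without_tarpit()
    print("live hosts on subnet :", result["live_hosts"])
    print("no tarpit            :", result["without_tarpit"])
    print("tarpit on unused IPs :", result["with_tarpit"])
```

Without the tarpit the scanner walks all 256 addresses and probes every live host; with the tarpit answering the three-quarters of the space that is unused, all sixteen workers are typically held within the first few dozen probes and only a handful of real machines are ever touched. The model deliberately ignores how a tarpit actually holds a connection (for example with a zero TCP window) and the small per-connection cost of doing so; it only shows why the sweep stops early, which is the effect George reports.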

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug