Chris Mann on Mon, 9 Jun 2003 12:18:17 -0400
Here is George's response back to the list. Hope this helps!

>>> George Rapp 06/09/03 12:15PM >>>
Yes, our bandwidth utilization, as measured by our ISP, dropped about 70% after installing a tarpit. In our case, we had a full class C IP address range of which we were only using about 1/4 of the addresses.

The tarpit is very good at tying up the attacking computers on the first IP address they connect to. Typically, a hacker will launch one or more computers to pseudorandomly scan the entire IP address space. The attacking computer that hits our address space covered by the tarpit comes to a dead halt. It is then tied up from continuing on through our address space, or signalling another hacker computer to start reconnaissance on our address.

Specifically, during the SQL Slammer peak activity, we had about 15,000 tarpitted connections. The tarpit was consuming about 200 bytes/sec to hold all of those machines' connections open. Just think about how much bandwidth 15,000 computers would consume if they were actually active on our real machines! The amount of saved bandwidth is a direct function of the number of attacking machines and the number of unused IP addresses on your subnet.

>>> Chris Mann 6/9/2003 11:31:50 AM >>>
This just hit the plug list - care to field this one? :)

>>> kaze@voicenet.com 06/09/03 11:20AM >>>
Something Chris Mann's boss said during the last presentation is intriguing me. It was due to either tarpits or honeypots, tarpits I think. He said they regained 70% of their bandwidth, or their bandwidth use dropped 70% due to this.

Sounds great to me, but why does this happen? The connections are mostly still there. It's not like the crackers were getting in and then moving huge files on and off the servers. Is it just the overhead of establishing and breaking down all those sessions which made such a difference?

What's the downside to running these proactive-anti-cracking programs?
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug