[Novalug] Recommend a bacteria-sized server OS?
ryanczak at gmail.com
Sat Apr 28 07:39:48 EDT 2012
On 4/28/12 6:04 AM, William Sutton wrote:
> There was a very interesting conversation on the TriLUG IRC channel
> yesterday about tarpitting servers. According to the person evangelizing
> tarpitting, it's a BSD-developed software system.
Isn't tarpitting more of a methodology? You can tarpit almost any
service by slowing the request-response cycle. For example, not holding
TCP connections open after syn/ack with keep-alives but not sending
data. I do some basic tarpitting for bruteforce SSH login attempts. Any
host trying that against my servers gets hung up for a while in packet
loss hell because I start dropping packets to them after so many SYNs in
a given period of time. The nature of TCP forces these evil clients in
to a very long request/re-request/response cycle). SMTP is a great place
to tarpit bad actors as well. It's very easy to get clients hung up in a
helo/OK cycle forever and postfix (for example) makes implementing this
sort of behavior fairly easy. Slowlaris is kind of a tarpit in reverse
which can lead to resource exhaustion on the server (making a great DOS
attack), the concept is the same as tarpitting just applied differently.
You can do similar packet manipulation tricks with pf in the BSDs but
the concept is universal and can be applied at the application layer in
many pieces of software and protocols.
More information about the Novalug