I keep seeing 'Joe Average compromised computer on broadband' being used to do email dictionary attacks on our systems. Seems I always have several domains going through these. One in particular has been in the 'a-' list for weeks with about 20,000 attempts per day from various systems. Yeah, I do have a system which blocks email from these systems for a period of time after 3 bad email address attempts.... throttling...
Anyway, this brought to mind.... Joe Average! Joe Average buys a broadband connection, has someone hook up his computer.. talks to tech support about everything and eventually, an AV subscription dies or something and Joe just doesn't care or doesn't know how to deal with that. Meanwhile Joe's computer gets a virus allowing some baddy to start sending email. Joe notices his computer is getting a little slow.. but it's not bad enough to worry about.
So, this made me start wondering about how to do something that makes Joe's computer so slow that he finally gives up and calls in tech support to fix the damned thing.
I wonder if there is a way that a firewall rule could be written, that would let a trickle of the connection from Joe through, so as his dictionary attack gets backed up with a huge number of connections which are trickling through at such a slow rate, with maybe just enough delay built in to make it keep trying.... Basically making Joe's compromised computer useless.. and maybe he'd at least turn it off if it didn't lock up all by itself....
It is so very sad that some providers don't monitor their own people. I see where comcast has now slid down to number 8 after holding the number one spot as the biggest spammer network for a very long time. Good for them! It seems the undisputed king of this world now is verizonbusiness.com.... bad bad very bad....
Sorry.. yeah.. a bit off topic......
John Hinton
On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote:
Don't be sorry, John, I'm gettin pissed bout spam myself...I am thinking about coming up w/a way to somehow forward the spam msg back to who ever is relaying it 10 fold to get their attn!
John Rose
I wonder if there is a way that a firewall rule could be written, that would let a trickle of the connection from Joe through, so as his dictionary attack gets backed up with a huge number of connections which are trickling through at such a slow rate, with maybe just enough delay built in to make it keep trying.... Basically making Joe's compromised computer useless.. and maybe he'd at least turn it off if it didn't lock up all by itself....
I knew someone once that wrote a countermeasures script that basically kept a look out for script kiddie type attacks. It was pretty good and he showed me once where he pointed a win2k box at his firewall and launched an 'attack' at which point the firewall did its thing and the win2k workstation bluescreened - was pretty funny to watch but not entirely sure about the legality of counterattacks.
On Wed, 2006-08-16 at 12:13 +0100, Tom Brown wrote:
A very bad idea because it could be used to convert your system into an attack zombie by spoofing the source address. Your system then could be used to send attacks to .mil & .gov systems and you might end up being asked some questions by men wearing black.
Any active response is a BAD IDEA (tm)
The original idea is not quite so bad since it's passive, though I don't know how practical it is. Now with XP SP 2 MS does limit the maximum number of outgoing concurrent TCP/IP connections, so it might be effective against newer systems, but totally ineffective against older OSes and unpatched XP systems.
Regards, Paul Berger
Sounds like what you want is the TeerGrubing plugin/script for Exim that Marc Merlin from Google wrote. It sends an SMTP 451 back to the server for 10-15 minutes, then closes the connection.
Apparently, he once held a connection open for 72 hours, then called the guy's ISP, who called the FBI, and it just went downhill from there.
More information can be gleaned from his page at http://marc.merlins.org/linux/exim/sa.html
Steve
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Aug 16, 2006, at 9:04 AM, Steve Walsh - Nerdvana Hosting wrote:
Sounds like what you want is the TeerGrubing plugin/script for Exim that Marc Merlin from Google wrote. It sends an SMTP 451 back to the server for 10-15 minutes, then closes the connection.
Apparently, he once held a connection open for 72 hours, then called the guy's ISP, who called the FBI, and it just went downhill from there.
More information can be gleaned from his page at http://marc.merlins.org/linux/exim/sa.html
Don't be sorry, John, I'm gettin pissed bout spam myself...I am thinking about coming up w/a way to somehow forward the spam msg back to who ever is relaying it 10 fold to get their attn! John Rose
um, no. this is a terrible idea.
this trick is only useful if the spammer is mailing directly from his box to yours, and these days, that does not seem to be how the bulk of the spam i'm getting is sent. otherwise you're just punishing someone else, a (mostly) innocent victim, and engaging in what is arguably a violation of your ISP's terms of service, since you're trying to DoS the guy relaying mail to you.
there are any number of open relay blacklists; if you're being spammed by Joe Average's zombie box, submit it to the blacklists instead.
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
Steve Huff wrote:
um, no. this is a terrible idea.
How so? He was after a way to slow John Q's box down to the point where he would get it rebuilt by a pro/friend/random guy on the corner. Most of the botnet/spammer code I've looked at isn't overly complex. It's oriented to sending UBE/UCE, nothing more. Most of them leak memory like a sieve, so holding a connection open will cause the box to behave poorly, therefore prompting John Q to get a rebuild.
rado spake the following on 8/16/2006 3:49 AM:
On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote:
I wonder if there is a way that a firewall rule could be written, that would let a trickle of the connection from Joe through, so as his dictionary attack gets backed up with a huge number of connections which are trickling through at such a slow rate, with maybe just enough delay built in to make it keep trying.... Basically making Joe's compromised computer useless.. and maybe he'd at least turn it off if it didn't lock up all by itself....
John Hinton
Better would be a rule to forward their connection to a honeypot / tarpit box that would do what you want ... tie up their connection for a while.
Scott Silva wrote:
Better would be a rule to forward their connection to a honeypot / tarpit box that would do what you want ... tie up their connection for a while.
Yeah... but even Johnny apparently gets hacked. ;)
The fear of retribution or a war is always an important consideration. It seems that no matter how big you are, someone can always overload your bandwidth. Maybe not if you're google. But even then, a mass attack from multiple networks, something I have experienced.. over 1000 machines hitting an intensive php script once per second... and a crawl develops, either due to bandwidth or serverload.
Oh, well... I like to get my log reports to see who's doing what.. it's just that these dictionary scripts throw so much garbage in among the good information.. and I'm getting about 30 megs of logwatch reports per day... Not complaining about logwatch, as I know how to turn it down and things off.. They just mess up my reports, just like spam messes up an inbox.
Best, John Hinton
John Hinton wrote:
The fear of retribution or a war is always an important consideration. It seems that no matter how big you are, someone can always overload your bandwidth. Maybe not if you're google. But even then, a mass attack from multiple networks, something I have experienced.. over 1000 machines hitting an intensive php script once per second... and a crawl develops, either due to bandwidth or serverload.
Yep, the stark reality is that some of these blackhat botnets are pretty extensive. And if you rub them the wrong way they can take down even distributed and otherwise fault tolerant networks. I wish there was more attention paid to getting those clowns under control instead of suing teenagers for sharing music and movie files....sigh.
Cheers,
-----Original Message-----
Better would be a rule to forward their connection to a honeypot / tarpit box that would do what you want ... tie up their connection for a while.
You don't have to have it forward to a separate box for the tarpit to work. Tarpit rules can be placed into the firewall so that any packets from a particular host (or network) get tarpitted, while allowing everyone else's to come through to the listening daemon. You just have to give it a specific source and port. The following would tarpit port 25 (TCP) for the IP address 99.99.99.99, while allowing everyone else through to the listening SMTP daemon:
iptables -I INPUT -s 99.99.99.99 -p tcp --dport 25 -j TARPIT
So it's just a matter of adding rules per each host that causes a problem.
-- Take care, Randall
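As an added example (not code from the thread or from any project), here is a POSIX shell script that joins John's "3 bad email address attempts" throttle with Randall's per-host TARPIT rule: it counts "rejected RCPT" lines per source in an Exim-style reject log and emits one TARPIT rule for every host over the threshold, skipping hosts that already have one. The log lines, addresses, and the `offenders` / `tarpit_rules` function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates per-host TARPIT rules
# (Randall's "iptables -I INPUT -s <ip> -p tcp --dport 25 -j TARPIT") for
# sources that hammer the MTA with bad recipients. TARPIT is not in stock
# iptables; it ships with xtables-addons. It answers in the kernel with a
# zero-size TCP window and keeps no socket, so the tarpitting host spends
# almost nothing per held connection; only the rule table grows per host.

# Constructed sample reject log (Exim-style lines, TEST-NET addresses).
SAMPLE_LOG='2006-08-16 05:41:02 H=(joe.example) [192.0.2.10] F=<x@example.org> rejected RCPT <aaron@example.com>: Unrouteable address
2006-08-16 05:41:03 H=(joe.example) [192.0.2.10] F=<x@example.org> rejected RCPT <abby@example.com>: Unrouteable address
2006-08-16 05:41:04 H=(joe.example) [192.0.2.10] F=<x@example.org> rejected RCPT <abe@example.com>: Unrouteable address
2006-08-16 05:41:05 H=(joe.example) [192.0.2.10] F=<x@example.org> rejected RCPT <abel@example.com>: Unrouteable address
2006-08-16 05:42:11 H=(mx.partner) [198.51.100.7] F=<y@example.net> rejected RCPT <typo@example.com>: Unrouteable address
2006-08-16 05:43:20 H=(bot.example) [203.0.113.55] F=<z@example.org> rejected RCPT <adam@example.com>: Unrouteable address
2006-08-16 05:43:21 H=(bot.example) [203.0.113.55] F=<z@example.org> rejected RCPT <adan@example.com>: Unrouteable address
2006-08-16 05:43:22 H=(bot.example) [203.0.113.55] F=<z@example.org> rejected RCPT <adar@example.com>: Unrouteable address
2006-08-16 05:43:23 H=(bot.example) [203.0.113.55] F=<z@example.org> rejected RCPT <aden@example.com>: Unrouteable address'

# Print "count ip" for each source with more than $1 rejected RCPTs.
# Log lines are read from stdin; the source IP is the bracketed token.
# A single typo from a legitimate MX stays below the threshold.
offenders() {
    awk -v limit="$1" '
        /rejected RCPT/ && match($0, /\[[0-9.]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)
            hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] > limit) print hits[ip], ip
        }' | sort -k2
}

# Emit one TARPIT rule per offender, skipping hosts that already have one.
# $1 = threshold, $2 = current rules as printed by "iptables -S INPUT"
# (empty string if none). Output is meant to be reviewed, then piped to sh.
tarpit_rules() {
    existing="$2"
    offenders "$1" | while read -r count ip; do
        case "$existing" in
            *"-s $ip/32 "*) continue ;;   # rule already present
        esac
        printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j TARPIT  # %s bad RCPTs\n' \
            "$ip" "$count"
    done
}

# From cron, as root: tarpit_rules 3 "$(iptables -S INPUT)" < "$REJECT_LOG"
# where REJECT_LOG is your MTA's reject log. "--demo" runs on the sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | tarpit_rules 3 ""
fi
```

The rules are inserted at the top of INPUT, as in Randall's rule, so they take effect before any ACCEPT for port 25; pair the script with a periodic flush so a cleaned-up host is not tarpitted forever.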
Randall Hobbs wrote:
-----Original Message-----
Better would be a rule to forward their connection to a honeypot / tarpit box that would do what you want ... tie up their connection for a while.
You don't have to have it forward to a separate box for the tarpit to work. Tarpit rules can be placed into the firewall so that any packets from a particular host (or network) get tarpitted, while allowing everyone else's to come through to the listening daemon. You just have to give it a specific source and port. The following would tarpit port 25 (TCP) for the IP address 99.99.99.99, while allowing everyone else through to the listening SMTP daemon:
iptables -I INPUT -s 99.99.99.99 -p tcp --dport 25 -j TARPIT
Would you please give details on a TARPIT rule?
So it's just a matter of adding rules per each host that causes a problem.
Is there a risk of self-DDoSing? kfx.