[Asrg] Tarpitting

grenville armitage garmitage at swin.edu.au
Wed Aug 6 15:47:52 PDT 2008


Alessandro Vesely wrote:
	[..]
> And what about filtering blacklisted IPs at the firewall level, i.e. 
> blocking (reject, drop, or tarpit) their syn requests? Is it better than 
> letting spammers consume our mailer daemon resources?

Perhaps a little tangential, but back in 2006/2007 I had a student
implement a scheme for randomised reject/drop of inbound SYN based on
blacklists (http://caia.swin.edu.au/stockade/). A cute (although not
yet proven useful) aspect of our system was that we did the reject/drop
of TCP SYN from origin Y with a certain probability X that faded over time T.
Time T was measured from the last time we 'saw spam' from origin Y. This
amounted to an auto-rehabilitation of blacklisted origins, so that false
positives for 'saw spam' wouldn't have negative impact for more than
<some configurable number> of minutes. (I'm not sure if our software's ever
been used elsewhere, however.)

cheers,
gja
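To make the fading-probability idea concrete, here is a small added illustration (not Stockade's code, and not from the original message) of a per-origin SYN filter whose drop probability starts at X when spam is last seen from origin Y and fades to zero over a window T. The post does not say what shape the fade has, so the linear decay, the parameter names, the default values and the sample IP addresses below are all assumptions made for this example.

```python
"""Time-decaying probabilistic SYN rejection, in the spirit of the scheme
described above.  Added illustration only: this is not Stockade's code, and
the decay shape (linear fade to zero), the parameter names and the defaults
are assumptions, since the post only says the probability 'faded over time'."""

import random
from dataclasses import dataclass, field


@dataclass
class DecayConfig:
    initial_drop_prob: float = 0.9   # X: drop probability right after spam is seen (assumed default)
    fade_window_s: float = 30 * 60   # T: seconds after which an origin is fully rehabilitated (assumed)


@dataclass
class SynFilter:
    cfg: DecayConfig = field(default_factory=DecayConfig)
    last_spam: dict = field(default_factory=dict)   # origin IP -> time we last 'saw spam'
    rng: random.Random = field(default_factory=random.Random)

    def saw_spam(self, origin: str, now: float) -> None:
        """Record (or refresh) a blacklist hit for an origin."""
        self.last_spam[origin] = now

    def drop_probability(self, origin: str, now: float) -> float:
        """Probability of dropping a SYN from `origin` at time `now`.

        Linear fade: full initial probability at the moment spam was last seen,
        zero once fade_window_s has elapsed.  An origin we never saw spam from
        is never dropped, and an entry older than the window is forgotten so a
        false positive stops costing anything and the table does not grow.
        """
        last = self.last_spam.get(origin)
        if last is None:
            return 0.0
        age = now - last
        if age < 0:                      # clock went backwards; treat as just seen
            age = 0.0
        if age >= self.cfg.fade_window_s:
            del self.last_spam[origin]   # auto-rehabilitated
            return 0.0
        return self.cfg.initial_drop_prob * (1.0 - age / self.cfg.fade_window_s)

    def should_drop_syn(self, origin: str, now: float) -> bool:
        """Randomised verdict for one inbound SYN: True means reject/drop it."""
        return self.rng.random() < self.drop_probability(origin, now)


def simulate(filter_: SynFilter, origin: str, t_spam: float, probe_times: list) -> list:
    """Return the drop probability seen at each probe time after a spam hit at t_spam."""
    filter_.saw_spam(origin, t_spam)
    return [filter_.drop_probability(origin, t) for t in probe_times]


if __name__ == "__main__":
    f = SynFilter(DecayConfig(initial_drop_prob=0.8, fade_window_s=600), rng=random.Random(1))
    # Constructed timeline: spam seen from a documentation-range address at t=0,
    # then SYNs arriving every few minutes.
    probes = [0, 120, 300, 480, 600, 900]
    for t, p in zip(probes, simulate(f, "192.0.2.10", 0.0, probes)):
        print(f"t={t:4d}s drop_prob={p:.2f}")
```

Because the verdict is drawn per SYN, a legitimate sender that was wrongly flagged still gets some connections through immediately, and gets all of them through once the window has passed; a sender that keeps sending spam keeps having its timestamp refreshed and so stays at the full drop probability.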