> The approach of tarpitting is to slow down the attacker without impacting
> your network or requiring additional resources on your end to deal with
> the cracker.

That is the ideal.  The ideal is unachievable.

> I *think* it does this by analyzing the volume of incoming
> SMTP requests from the same host.

I do not know if it does it this way or not but if it does then
it can be circumvented.  Instead of trying usernames at one domain
then moving on to the next, you pick a very large number of domains and try
the same username at each of them before moving on to the next username.
If you have multiple machines under your control (most viruses these
days install remote-control backdoors) then you can get away with
fewer domains.

> I think it's entirely appropriate to respond VERY slowly to an unknown
> username request.  HOWEVER, if I suddenly have a shortage of SMTPD daemons
> because they are left open to service the "chkuser tarpit", and that hurts
> my email service quality, then I haven't gained anything.  I would rather
> be fast at dumping chkuser denials and let them guess.

Precisely.  The problem with tarpits is that unless they block IP
addresses with a large volume of authentication failures they can be
turned into denial of service attacks very easily, but if they work
that way then they cannot be effective against distributed attacks.
And if you make them effective against distributed attacks by temporarily
disabling mail connections for a domain then the tarpit can still be
used as a DoS attack against that domain.

Paul Allen
Softflare Support

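The trade-off Paul describes above (slow responses to unknown recipients hold an SMTP daemon open, per-IP failure blocking only helps when the failures come from one source) can be put in numbers. The following is an added example, not code from this thread, from chkuser or from qmail; the tarpit policy, the threshold and the sample traffic are all constructed for illustration. It models a delay-before-reject tarpit with a per-IP failure counter and sums the daemon-seconds each policy consumes, which divided by the time window is the average number of SMTP daemons kept busy (Little's law, L = lambda * W).

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TarpitPolicy:
    """Hypothetical chkuser-style tarpit (not the real chkuser logic).

    An RCPT for an unknown user is answered only after `delay_seconds`.
    Once a single source IP has exceeded `block_threshold` failures the
    server stops tarpitting it and drops the request immediately, so no
    further daemon time is spent on that source.
    """
    delay_seconds: float = 5.0
    block_threshold: int = 20
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, src_ip: str, user_exists: bool) -> tuple[str, float]:
        """Return (action, seconds an SMTP daemon stays tied up) for one RCPT."""
        if user_exists:
            return ("accept", 0.0)
        self.failures[src_ip] += 1
        if self.failures[src_ip] > self.block_threshold:
            # Fast rejection: the source is known-bad, nothing is held open.
            return ("drop", 0.0)
        # Tarpit: the daemon sleeps before replying, slowing the sender
        # but also occupying one of our finite smtpd processes.
        return ("tarpit", self.delay_seconds)


def daemons_held(policy: TarpitPolicy, attempts) -> float:
    """Total daemon-seconds consumed by a sequence of (src_ip, user_exists)."""
    return sum(policy.decide(ip, ok)[1] for ip, ok in attempts)


def average_busy_daemons(policy: TarpitPolicy, attempts, window_seconds: float) -> float:
    """Average number of smtpd daemons occupied over the window (L = lambda * W)."""
    return daemons_held(policy, attempts) / window_seconds


if __name__ == "__main__":
    window = 60.0  # constructed: 200 bogus RCPTs arrive within one minute

    # Scenario 1: all 200 failures from one source (constructed address).
    single_source = [("198.51.100.7", False)] * 200
    # Scenario 2: the same 200 failures spread over 200 sources, one each.
    distributed = [(f"203.0.113.{i}", False) for i in range(200)]

    for name, traffic in (("single source", single_source), ("distributed", distributed)):
        tarpit = TarpitPolicy()
        fast_reject = TarpitPolicy(delay_seconds=0.0)
        print(f"{name:14s} tarpit: {average_busy_daemons(tarpit, traffic, window):6.2f} daemons busy"
              f"   fast reject: {average_busy_daemons(fast_reject, traffic, window):6.2f}")
```

With the constructed numbers the per-IP block kicks in after 20 failures from the single source, so only 100 daemon-seconds are spent (under two daemons on average), while the distributed traffic never trips the threshold and ties up 1000 daemon-seconds, nearly 17 daemons on average, for the same number of bogus recipients. A fast-reject policy spends nothing in either case, which is the point made above about preferring to dump chkuser denials quickly.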