Endlessh: An SSH Tarpit


290 points | by elliebike 4 days ago


  • xoa 4 days ago

    Are tarpits still of use these days? I sort of figured that even modern script mass attackers have gotten professionalized and sophisticated enough that they can deal with trivial timeouts and the like. I could see actual honeypots still being of use for researchers or blue teams at organizations that are real targets, and ML might even open up some interesting new ways to make those more engaging for longer. But a tarpit doesn't seem like it'd cause bother for drive-by or APT, the former are all about volume so if something takes more than a few seconds just skip it (and maybe flag it as a tarpit for punishment) and an APT will instantly recognize it too.

    For individuals and smaller orgs I've sort of felt like keeping your head down, running a wg/ssh bastion with a non-standard port maybe along with single packet auth or even plain old port knocking to reduce log spam from random drive-by is more effective and attainable for places without any sort of dedicated security or even constant in-house IT staff. Running a tarpit on a VPS seems like it'd fail to bother most these days, and running it on an actual IP seems like at best it'd have no effect and at worst if it ever actually held up a scanner and the operator noticed they might decide to direct some actual attention to that IP, or at least throw a mild ddos at it for a bit. Am I wrong or out of date on that? I'm all for sticking it to bad actors and efforts to reduce the economic incentives, but in 2020 tarpits strike me as kind of obsolete with some risk to boot.

    • belorn 4 days ago

      For individuals and smaller orgs the easiest and by experience the best practice is to use a certificate (or generated and never to be reused password) for ssh authentication, install server monitoring, and then simply observe if the spam from random drive-by causes enough resource drain that would validate further work. Most likely it won't.

      Running a tar pit is a bit like installing a trap on a bike in order to teach bike thieves a lesson. It won't really reduce the problem, but for a lot of people the idea of vengeance gives a bit of a warm happy feeling.

      • toyg 4 days ago

        > Running a tar pit is a bit like installing a trap on a bike in order to teach bike thieves a lesson.

        It's more like approaching a thief and persuading him to steal some bike "just around the corner", then guiding him around endlessly. While he's following you, he's also not stealing anything from anyone, his attention (which is naturally finite) gets drained - even just a little bit - to the benefit of the community as a whole. It's not necessarily about vengeance.

        • kebman 4 days ago

          Tangent story. Two friends of mine went backpacking to Amsterdam, short pants and all. When they got out of the train in the evening, a friendly guy approached them and asked if they were looking for a hotel. They said yes, so he told them to follow him. Delighted to be greeted in this way, they did.

          First they went down the regular path up Damrak to get to Leidseplein, but slowly and imperceptibly the streets were getting narrower and narrower, until they finally reached a dead end. That's when the guy whirled around, flipped out a small pocket knife and wheezed to them, "Gimme all your cash! NOW!"

          The guys looked at each other, and then looked at him, and then one of the guys calmly told him, "Look, we're two guys, and you're just one. Even if you get one of us, the other will beat your head in. You can't win this."

          The mugger looked puzzled for a moment, but then he retorted, "Ok, give me half your money then, and nobody gets hurt!" Not wanting to be the first guy who got stabbed, they agreed that, "Fine, we'll give you half! But only if you promise to not stab us." And so the deal went down, and they had finally arrived in Amsterdam.

          • graton 3 days ago

            Makes me think of one of my personal rules when traveling. If I am needing help, I don't take it from someone who approaches me. I just say, no thank you. If I need help, I pick someone randomly and ask for help. The likelihood that they are a criminal is much less compared to someone who approaches me.

            • Symbiote 3 days ago

              This is also good advice for children.

              If you need help, ask, don't wait to be asked.

            • jjeaff 4 days ago

              People will approach tourists a lot like this in Central and South America, but the end game tends to be to take the tourist to an inn or restaurant where they get a commission for taking them.

              I've never gone with anyone anywhere but very public spaces. But I actually have found some real gems tucked away off the beaten path this way.

              • milesvp 3 days ago

                A friend and I took a day trip to Morocco many years ago while backpacking through Spain and experienced this. A local guide approached us who came across as pretty legit and had a driver. We had a good time being shown around to different stores and it was pretty clear that he was getting a kickback from the places we went. Had some nice mint tea, and a pretty good meal later.

                There was a slightly dark time in the middle though, where my friend and I were sure we were going to be mugged and left for dead when we were driving further and further from the city. I've never experienced anything quite like it before or since. We both looked at each other, and in an instant with a single expression we were both able to convey that "I love you and we're going to die". We were totally relieved when it turned out they just wanted to show a scenic view by the sea, while showing us a lot of very rich mansions along the way.

                Was totally surreal, though, and I'm not sure how lucky we were.

                • toyg 3 days ago

                  Morocco has a very mean and torture-happy secret police, and tourists are one of their main sources of income, so it’s very unlikely that anything particularly bad will ever happen to you, the risk for perps is too high. Cash, though... I was basically extorted by some guys with aggressive monkeys in the middle of Marrakech.

                  • teddyh 21 hours ago

                    > Morocco has a very mean and torture-happy secret police, and tourists are one of their main sources of income

                    I initially interpreted that sentence differently than how you probably intended it.

                  • kebman 3 days ago

                    Danish Louisa Vesterager Jespersen (24) and Norwegian Maren Ueland (28) were killed and decapitated by ISIS terrorists on a trip to Morocco in 2018. They were found near the Atlas mountains. The murders were filmed and put on the internet. 18 men were since arrested by Moroccan police and charged with terrorism.[1]

                    [1]: https://en.wikipedia.org/wiki/Murders_of_Louisa_Vesterager_J...

                    • kebman 3 days ago

                      Somehow factual information like that is always downvoted, but criminal and terrorist activity is important information when considering where you want to travel in the world, so you should take it very seriously.

                      Case in point, I travelled with my friends through Serbia during the early 2000s. Now, we'd spoken with our country's foreign ministry, and they told us that it was relatively safe to travel in the North of the country. At the time, we were advised to avoid the South of Serbia because of small gang clashes still being ongoing. We avoided Romania as well, since a lot of car jackings had been reported at the time.

                      After driving for a very long time, we got tired, and parked at a forest road in the darkness. It was pitch black, so we figured no one would come there. But after a while, I heard a car stop down at the main road, and two guys moving closer to our car on the gravel. This prompted me to reach for a small screwdriver I had lying around, just in case.

                      When they arrived at the car, they knocked on my window, and peering to the darkness I noticed that they were actually police officers. They wanted to know what we were doing there, so I explained to them that we were just trying to get some sleep for the night.

                      Then they asked me, "Did you see the boarded-up gas station further up the road?" I nodded, and he continued. "Yeah, well, last week a gang came by there and shot the whole family dead, mother, father and two kids. That's why the place is boarded up. Listen, guys, this place isn't safe. So please come with us, and we'll show you a lit parking lot in the nearest town. You can sleep safely there, under the lights."

                      Needless to say, we accepted their escort, although it was far easier to sleep in the darkness rather than under a street light.

                      Then there's the story of my boss who ignored advice to not go to Egypt during some troubled times, and ended up in a firefight as the bus in front of him was lit up by a hail of bullets. He thought he was going to die, and he very well could have if he'd gone with the front bus.

                  • ropable 3 days ago

                    Spouse and I got hooked like this when we visited Beijing some years ago. We could actually tell what was going on, but our "guide" was a friendly university-aged girl who (at our request) took us to a couple of local art galleries and a wonderful restaurant. She may have gotten a commission and definitely a good meal out of it, but we actually had a fine experience.

                    • rurban 3 days ago

                      So you are saying rand16() needs to be replaced with an extract from some PD world literary piece, then the attacker will be fine. Call me sceptical.

                  • jschwartzi 4 days ago

                    Lol someone approached me like that in Amsterdam too and offered to guide me somewhere. I figured that this was his plan so I told him I was okay and that I didn’t need his help.

                    • car 3 days ago

                      Tangent on tangent. An acquaintance visited Morocco, and was befriended by a young local, his guide for two weeks. On the last day, he bought a $3000 rug from a store owner relative of the guide. Suffice it to say, said rug never shipped.

                      • tomcam 3 days ago


                        Wouldn't end that way with me and my friends.

                      • venatiodecorus 4 days ago

                          Well, what they're saying is sure you can do this, but this hypothetical bike thief isn't going to follow you very far. IME this would seem to be the case. Most SSH spam is very dumb, just looking for low-hanging fruit w/ default credentials, and will likely move on very quickly without success.

                        • ed25519FUUU 4 days ago

                          It sounds like you’re both trapped in this scenario.

                        • dheera 3 days ago

                          > installing a trap on a bike in order to teach bike thieves a lesson. It won't really reduce the problem

                          Maybe it is reducing the problem, but not enough people are installing traps to make a noticeable difference? Or the number of new thieves is cancelling out the number of thieves being put out of business by traps? Is there data for this?

                          Or maybe the traps just aren't sophisticated enough?

                        • LinuxBender 4 days ago

                          Yes, well, mostly just for entertainment. My sftp server acts in a weird way like a tarpit. Instead of tarpitting or blocking the bots, I create accounts for them with null passwords. I was hoping they might upload something interesting, but no... they just try to get a shell or try to forward ports to other sites, which I do not allow. Some of them have been connecting several times an hour for the past several years.

                          • narrator 4 days ago

                            When I used to run my own MX on a home server, I would have bots connect and try to send mail to <random whatever>@mydomain. They never used the same email or IP and they did it for several years straight. I tried IP blocking, but the IPChains list got so long it started slowing down my server.

                            • toxik 3 days ago

                              I had a similar issue, attempts to brute my server every minute of every day. I aggregated stats on the IPs, basically every single one was Chinese. I blocked most of China’s IP ranges and it’s now as quiet as it was in 2005.

                              • jchook 3 days ago

                                This is why folks use techniques like greylisting and why you should almost never use a catch-all mailbox.

                                Spamhaus usually stops a big chunk of them too.

                                • toxik 3 days ago

                                  Hard disagree on catch all. A catch all allows you to trace who gave your address to spammers, and then to bin all email to that address.

                                  • bbarnett 3 days ago

                                    You don't need a catch all for that, just give unique email addresses to each, and edit /etc/aliases.

                                    NOTE: a few bits of info here, although someone mentioning ipchains means their comment is from an older time of course:

                                    - use ipset for large sets of blocked IP addresses. That's what it's for, and it works well without slowdown, even on massive sets

                                    - http://www.ipdeny.com/ipblocks/data/aggregated

                                    This is a nice list of IP addresses broken down by region. Handy to download weekly, or monthly, and then dump into ipset.

                                    - firehol is also a nice list to use, eg:


                                    • jchook 2 days ago

                                      Except then spammers who send to [huge list of words]@your-domain.com all go to your inbox. It's much safer to use a regex pattern or generate forwarding emails ad hoc.

                                      Please contact me at f7m4 {at} proxyto.me if you have any interest in beta-testing an app that does this exact thing.

                                      • Yep, I've been doing this for nearly a decade. This in combination with Gmail's spam filter works just fine. I have caught quite a few emails to my parents from people who can't spell their (simple) email address.

                                  • floatingatoll 4 days ago

                                    If you rewrite those portforward destinations to your own server, do they get stuck in an endless loop?

                                  • chromaton 4 days ago

                                    I've successfully used an HTTP tarpit to cut down on registration spam. The attacks were being launched from only a handful of (presumably compromised) hosts. If I blocked them, they'd switch to a different attacking host. But I discovered if I tarpitted them, they'd be slowed down to the point where they weren't a problem any more.

                                    • jchook 3 days ago

                                      How did it work?

                                      • chromaton 3 days ago

                                        Something like:

                                            import os, time

                                            if ip == attacker_ip:             # only tarpit the known attacking hosts
                                                for _ in range(10000):
                                                    conn.send(os.urandom(1))  # write one random byte...
                                                    time.sleep(10)            # ...then stall for 10 seconds
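
An added, runnable sketch of the same drip-feed idea, generalised from the HTTP case above to what Endlessh does on the SSH port (illustrative code written for this thread, not chromaton's handler and not the Endlessh source): the server never reads anything, it only sends RFC 4253 pre-banner lines, one every `delay` seconds, so an SSH client waiting for the real version string stays stuck. The host, the port 2222 and the delays are assumptions; `probe()` plays the role of the client so the effect can be observed locally.

```python
"""Endlessh-style SSH tarpit, reduced to its essence (added illustration,
not the Endlessh source).

RFC 4253 section 4.2 allows a server to send any number of text lines
before its real "SSH-2.0-..." identification string, provided each line
ends with CRLF, does not start with "SSH-" and is at most 255 bytes.
A conforming client has to keep reading until the real banner arrives,
so sending a short random line every few seconds keeps it waiting
indefinitely while the server itself does almost no work.
"""
import random
import socket
import threading
import time

PRINTABLE = bytes(range(32, 127))  # space .. '~', all legal in a pre-banner line


def banner_line(rng: random.Random, max_len: int = 32) -> bytes:
    """One pre-banner line: 3..(max_len-2) printable bytes plus CRLF."""
    n = rng.randint(3, max(3, max_len - 2))
    body = bytes(rng.choice(PRINTABLE) for _ in range(n))
    if body.startswith(b"SSH-"):
        body = b"X" + body[1:]  # must never look like the version string
    return body + b"\r\n"


def is_valid_prebanner(line: bytes) -> bool:
    """The RFC 4253 4.2 constraints a tarpit line must satisfy."""
    return (line.endswith(b"\r\n")
            and not line.startswith(b"SSH-")
            and len(line) <= 255
            and all(32 <= b < 127 for b in line[:-2]))


class Tarpit:
    """Accepts connections and drips pre-banner lines; never reads input."""

    def __init__(self, host="127.0.0.1", port=0, delay=10.0, max_len=32, seed=None):
        self.delay, self.max_len = delay, max_len
        self.rng = random.Random(seed)
        self.bytes_sent = 0
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port 0 = let the OS pick one
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]

    def _serve_client(self, conn: socket.socket) -> None:
        rng = random.Random(self.rng.random())  # per-connection generator
        try:
            while not self._stop.is_set():
                time.sleep(self.delay)          # the stall is the whole point
                line = banner_line(rng, self.max_len)
                conn.sendall(line)              # raises once the client gives up
                with self._lock:
                    self.bytes_sent += len(line)
        except OSError:
            pass
        finally:
            conn.close()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _addr = self.sock.accept()
            except OSError:
                break                           # listening socket closed by stop()
            threading.Thread(target=self._serve_client, args=(conn,), daemon=True).start()

    def start(self) -> "Tarpit":
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self.sock.close()


def probe(port: int, n_lines: int = 3, timeout: float = 5.0) -> list:
    """Behaves like a patient SSH client: reads n pre-banner lines and returns them."""
    buf = b""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        while buf.count(b"\r\n") < n_lines:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.split(b"\r\n")[:n_lines]


if __name__ == "__main__":
    # Stand-alone run on an assumed port; a real deployment would move sshd away from 22 first.
    pit = Tarpit(port=2222, delay=10.0).start()
    print(f"tarpit listening on 127.0.0.1:{pit.port}")
    while True:
        time.sleep(60)
        print(f"{pit.bytes_sent} bytes of nonsense sent so far")
```

A real OpenSSH client connected to the port sits silently through these lines and only disconnects when its own ConnectTimeout or the operator intervenes, which is the behaviour the thread is debating.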
                                    • pnutjam 4 days ago

                                      Don't forget fail2ban or something similar. 2 hour lockout after 4 bad tries does wonders to discourage bots.

                                      • protomyth 4 days ago

                                        Well, if you use certificates, you can immediately ban anyone trying to do password authentication.

                                        • pnutjam 4 days ago

                                          True, but having supported an sftp server for other b2b clients to upload data, ssh keys are black magic to too many people. I can't count the hours I've spent trying to explain them, how to generate them and why you should never "show anyone your privates", just your publics.

                                          • jooize 3 days ago

                                            It would be more obvious if the private key files were named “id_ed25519.private”.

                                            Why not make it “identity.ed25519.private.sshkey” and default to “20200916{,T224400Z}.ed25519.{private,public}.sshkey”?

                                            • pnutjam 3 days ago

                                              Put in a feature request to the openssh guys. Theo can probably tell you why it's not a good idea, or why it is a good idea.

                                          • dawnerd 4 days ago

                                            Just an obvious protip to test that your cert works before banning password auths. I uh, found out the hard way.

                                            • efreak 3 days ago

                                              I never had an issue with authentication. My issue was a typo in sudoers (I allowed a user to view syslog, iirc, and had a semicolon instead of a colon) that prevented me from using sudo, as only my primary user was allowed to log in via ssh. Fortunately cloud vps still has vnc login, and I actually had a root password. Now I use a root shell to edit sudoers, so I can test it before dropping root.

                                              • Symbiote 3 days ago

                                                You should use "visudo", which opens the file in the default editor, then validates it before saving.

                                                • pbhjpbhj 3 days ago

                                                  But make sure to change the default editor to something sane first. (* ducks *)


                                                  • +1 to that!

                                                    I like nano, and I'm not ashamed to admit it.

                                                  • pnutjam 3 days ago

                                                    If you edit outside of visudo, you can run visudo -cf <filename>.

                                                    example: visudo -cf /etc/sudoers visudo -cf /etc/sudoers.d/extra

                                                • protomyth 4 days ago

                                                  Yeah, cannot say I've never done that.

                                                  Test then Ban.

                                              • I don't like it because it opens up the possibility of someone on the same network as me locking me out of my own server.

                                                Sure, it's unlikely, but I don't see what I'd be gaining using fail2ban in the first place. I don't leave password authentication enabled, of course.

                                                Log spam is a bit annoying, but at the end of the day, who cares? Even with the ongoing attempts, my authlog is like 300K uncompressed today and 60-120K per day gzipped. Whatever.

                                                If I cared about that I would prefer to just block Chinese IP ranges outright.

                                                • pnutjam 3 days ago

                                                  If you're passing through a NAT, you can whitelist your own IP.

                                                  something like: fail2ban-client set addignoreip x.x.x.x or fail2ban-client set addignoreregex hostname.com

                                                  • Sure. But why? We're talking about 1MB to keep a week's worth of logs. It's just not worth even a minor hassle, or the most remote possibility of failure.

                                                    • pnutjam 2 days ago

                                                      It's not about logs, it's about defense layers.

                                              • jdc 4 days ago

                                                Depends on your threat model and how playful you are.

                                                • spc476 3 days ago

                                                  About 15 years ago, I ran a tarpit at my then current job (small ISP for commercial clients and web hosting) that tarpitted all TCP traffic on unused IP blocks. It did slow down network scans and had I gotten around to it, I could have probably set up some way of automatically blocking the IP addresses hitting the tarpit (as no legitimate traffic should hit it).

                                                  • pbhjpbhj 3 days ago

                                                    fail2ban would be the go-to solution for blocking IP addresses used in failed port access attempts.

                                                  • kachnuv_ocasek 4 days ago

                                                    > if something takes more than a few seconds just skip it (and maybe flag it as a tarpit for punishment)

                                                    Good. Isn't that the point? Also, I like your use of the word punishment as something negative in this context.

                                                    • cornstalks 4 days ago

                                                      > I like your use of the word punishment as something negative in this context.

                                                      Some people decide to launch a DDOS attack or something like that in retaliation. It doesn't always happen, but there have been instances of an attacker being thwarted and then trying to punish the victim (who successfully defended themself) in some other way.

                                                      • xoa 4 days ago

                                                        Yeah, this is what I had in mind. Right now the economics there seem in favor of attackers since botnet resources for low level DDOS are plentiful. While major players have plenty of measures for mitigation, for a residential/SOHO/SMB/smaller NPO even a very cheap DDOS or actual more focused (but still automated) hunt for vulnerabilities and unpatched targets might cause real trouble. Economics works both ways unfortunately, efforts like tarpits in principle aim to make mass scans more expensive and troublesome reducing the incentives. But attackers in turn can work to make it more expensive and troublesome to run tarpits or the like, and certainly have incentive to see them not spread. So who has the best multipliers and resources?

                                                        If "we" (both the overall world community and subsections) were able to significantly reduce the resources available to attackers for DDOS, making vengeance/example setting more expensive, that'd help. But it seems like it's going the other way if anything :(

                                                  • DarkWiiPlayer 4 days ago

                                                    Reminds me of the dungeon I built for web crawlers to have fun collecting email addresses at https://darkwiiplayer.com/bot-dungeon xD

                                                    • rootlocus 4 days ago

                                                      Do you have any statistics?

                                                      What's the deepest level any bot has gotten?

                                                      • DarkWiiPlayer 2 days ago

                                                        > Do you have any statistics?

                                                        Not really, no. If I ever rebuild my website, I will probably add some stats though :D

                                                      • time0ut 4 days ago

                                                        I'm curious what your traffic looks like. Do you have any stats on how long clients spend traversing your dungeon? Which look like crawlers? Do they identify themselves and how so? It'd be awesome to have a stats page!

                                                        • gerdesj 4 days ago

                                                          Typo: "yow far will YOU get?"


                                                          • jk563 4 days ago

                                                            Does it only go to level 100?

                                                          • codeulike 4 days ago

                                                            haha I gave up at level 13

                                                          • tptacek 4 days ago

                                                            I'm sure this was fun to put together and it seems like it's fun for people to talk about, but you can put this along with fail2ban, port knocking, and nonstandard SSH ports in the back of the attic and just (1) turn off password authentication entirely and (2) put SSH behind WireGuard. Even if you don't do step (2), step (1) eliminates the rationale for all the silly stuff people do to obfuscate their SSH installs.

                                                            • teddyh 21 hours ago

                                                              If you put it behind WireGuard, why use SSH? Why not simply use telnet instead? And use FTP for file transfers.

                                                              • Drdrdrq 3 days ago

                                                                Could you elaborate on WireGuard part? Do you mean that users must first VPN, and only then can SSH, or something else?

                                                                • tptacek 3 days ago

                                                                  Yes. This is how SSH access to prod works in most large companies: you have to be behind the VPN to get it.

                                                                  • pvg 3 days ago

                                                                    You know this but I'm just throwing it in for people who don't and aren't working on large company things:

                                                                    You can give yourself a WireGuard-powered, Single Sign-on, secure overlay network between, say, your phone, your laptop, a DO droplet and an AWS instance near-instantly and for (currently) free with tailscale.

                                                                    By 'near-instantly' I mean it takes almost no effort to set up. It takes me longer to get my dotfiles right on a new host.

                                                                    • tptacek 3 days ago

                                                                      It is disgusting how good Tailscale is. I mean that I am literally welling up with disgust thinking about it.

                                                              • Lex-2008 4 days ago

                                                                discussion of a blog post about this tool: https://news.ycombinator.com/item?id=19465967

                                                                • nickcw 4 days ago

                                                                  Great idea!

                                                                  I'm not sure we should be writing new network connected daemons in C though.

                                                                  • klodolph 4 days ago

                                                                    > I'm not sure we should be writing new network connected daemons in C though.

                                                                    In general, yes. However, in this case--no, that's not helpful advice--because this program doesn't actually receive input from clients! Kind of hard to trigger exploitable behavior on a program that only sends output.

                                                                    • codeulike 4 days ago

                                                                      > Kind of hard to trigger exploitable behavior on a program that only sends output.

                                                                      It wouldn't surprise me to find there were still possible exploits

                                                                      • fb03 4 days ago

                                                                        Explaining, since you were downvoted without a proper reason:

                                                                        While everything is possible, most exploits happen on buffer overflows on user-received custom data, and since this is not allocating any buffer to receive anything (besides internal connection structures that are filled by the OS), the attack/exploit surface on this one is really tiny, if existent at all.

                                                                        • ravi-delia 4 days ago

                                                                          Crucially, endlessh has a smaller codebase than some shell scripts I've written. If you have ever used any program written with even a single line of Python, you have more to worry about than a 843 line program that appends a string to a socket.

                                                                      • kmbfjr 4 days ago

                                                                        Your concern is well founded, but what are you going to use that doesn't end up touching libraries written in...C?

                                                                        We're a long way from "Smashing the Stack", people are aware of mitigation and the care that needs to be taken, precautions have been made inside operating systems and compilers.

                                                                      • young_unixer 3 days ago

                                                                        Until there's a better alternative to C at its level of performance, people will keep using C.

                                                                      • geocrasher 3 days ago

                                                                        I have to admit that I tried this and it was rather lackluster. Log output:


                                                                        Not a lot of activity over the time I ran it, and I know that the port gets hit more than that. I had a much better time when I ran a honeypot with Kippo:


                                                                        It was much more useful as it gave me a great list of IPs to block from all my systems ;)

                                                                      • k33n 4 days ago

                                                                        The tarpit approach is a double-edged sword. Sure, you're keeping some script kiddie's machine locked up (maybe), but you're also keeping socket connections open and wasting resources on the machine they are targeting. A much more efficient approach is using fail2ban and a firewall to just drop traffic from offenders.

                                                                        • mtlynch 4 days ago

                                                                          Tarpits aren't really a defense mechanism. They're meant to waste attackers' time and study their techniques, making attacks more expensive.

                                                                          It's sort of like those YouTube channels where they waste phone scammers' time in an entertaining way. [0] Obviously, the easiest thing for the callee to do is hang up the phone, but their goal is to make phone scams less profitable.

                                                                          [0] https://en.wikipedia.org/wiki/Jim_Browning_(YouTuber)

                                                                        • spc476 3 days ago

                                                                          Depends upon how you are doing the tarpitting. Back when I did this (15 years ago) I used a program that created a raw socket to handle all TCP traffic that just responded with 0-byte sized windows to all TCP packets (so overhead was minimal). I placed this software on a dedicated server (an old box that wasn't being used otherwise) and routed all our unused IP space to this system. It could keep thousands of connections "live" with minimal resources.

                                                                          • prussian 4 days ago

                                                                            You could also do a combined approach with the tarpit + fail2ban parser that could just ban people stuck for longer than x amount of seconds.

                                                                            • golem14 4 days ago

                                                                              In my experience, fail2ban only helps if there is a small number of IP addresses that requests come from. I usually observed a trickle of requests from a huge number of IP addresses, at most 1-2 requests from each IP over the course of days.

                                                                              A tarpit will likely hurt you, as the system ties up sockets for a long time and you'll run out eventually. You'd have to combine the tarpit with something to limit the number of connections you accept.

                                                                              IMO, setting up ssh on another port has been useful, especially combined with port knocking. And of course turning off password auth.
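An added example of the banner tarpit discussed in this thread (not endlessh's, tarssh's, or any commenter's code), with the two caveats raised above built in: a hard cap on concurrent clients so the pit cannot exhaust its own sockets, and a per-client stuck time that a fail2ban-style filter could key on. The delay, client cap, and 4 KiB write-buffer limit are constructed values, and `probe` is a hypothetical self-test that runs the pit on an ephemeral loopback port.

```python
import asyncio
import random
import string
import time

DELAY_SECONDS = 10.0  # constructed default (not endlessh's): pause between lines
MAX_CLIENTS = 64      # constructed cap so the tarpit can't exhaust our own sockets

def banner_line(rng=random):
    # RFC 4253 4.2 lets a server send lines before its version string, and the
    # client must read until one starts with "SSH-"; no "-" here, so none does.
    body = "".join(rng.choices(string.ascii_letters + string.digits, k=rng.randint(3, 32)))
    return body.encode("ascii") + b"\r\n"

class Tarpit:
    def __init__(self, delay=DELAY_SECONDS, max_clients=MAX_CLIENTS):
        self.delay, self.max_clients, self.active = delay, max_clients, 0
        self.refused, self.held = 0, []  # seconds each departed client was stuck

    async def handle(self, reader, writer):
        if self.active >= self.max_clients:
            self.refused += 1  # refuse rather than tie up one more of our sockets
            writer.close()
            return
        self.active += 1
        start = time.monotonic()
        while not writer.is_closing():  # asyncio sets this once a write fails
            if writer.transport.get_write_buffer_size() > 4096:
                break  # peer stopped reading: drop it rather than buffer forever
            writer.write(banner_line())
            await asyncio.sleep(self.delay)
        self.active -= 1
        self.held.append(time.monotonic() - start)  # what a fail2ban filter would key on
        writer.close()

async def probe(max_clients=1, delay=0.01):
    # Self-test: run a pit on an ephemeral port, connect one client more than
    # the cap, read two lines from each; returns (lines, refused count, held times).
    pit = Tarpit(delay=delay, max_clients=max_clients)
    server = await asyncio.start_server(pit.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    conns = []
    for _ in range(max_clients + 1):
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        conns.append((writer, [await reader.readline() for _ in range(2)]))
    for writer, _ in conns:
        writer.close()
    server.close()
    await asyncio.sleep(5 * delay)  # let handlers notice the disconnects
    return [lines for _, lines in conns], pit.refused, pit.held
```

Running `asyncio.run(probe())` shows the first client receiving junk lines while the second is refused outright, which is the connection limit golem14 asks for.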

                                                                          • Freaky 3 days ago

                                                                            One I made in async Rust: https://github.com/Freaky/tarssh

                                                                            I currently have 22 clients stuck in it across three machines. When I started out it was more like a thousand, so it seems they've largely adapted.

                                                                            • dclaw 3 days ago

                                                                              Hah, I love endlessh.... been running it for a few years now on one of my digital ocean droplets. Better to fuck with these bots. My personal record was somewhere around 23 days having one stuck.

                                                                              • password4321 3 days ago

                                                                                One of the simplest ways to block unwanted connections is to filter on client id. I haven't seen anyone willing to change it even though I've blocked libssh, sshgo, and paprika.

                                                                                Of course, this functionality is only available in non-standard SSH servers such as the one from Bitvise.

                                                                                • nirui 3 days ago

                                                                                  What got me inspired here is, if a simple delay strategy can make attacks harder, why not add this as a common feature in SSH?

                                                                                  It can be called "Initial Connection Delay": Once a new TCP connection is established, wait for an uncertain number of n seconds before reading and responding to the handshake request.

                                                                                  • verroq 4 days ago

                                                                                    This would have been fun to put onto production machines. We had a botnet that was running ssh bruteforce with 10s of requests per second from unique IPs. It stopped after we disabled password auth.

                                                                                    • creeble 4 days ago

                                                                                      Wait, I think I'm an idiot - does disabling password auth entirely prevent openssh from generating a password prompt?

                                                                                      • VWWHFSfQ 4 days ago


                                                                                        • creeble 4 days ago

                                                                                          Whoops, silly me / more coffee needed. All my servers have:

                                                                                            PasswordAuthentication no
                                                                                            ChallengeResponseAuthentication no

                                                                                          so sshd never generates a password prompt.

                                                                                          They all run on a non-standard port, and it's somewhat rare to see more than one unique IP address connection attempt, but every few days you see a few hundred in sequence from a script too dumb to notice.

                                                                                    • earthboundkid 3 days ago
                                                                                      • ryankrage77 3 days ago

                                                                                        This seems like it would use a lot of bandwidth?

                                                                                        • earthboundkid 2 days ago

                                                                                          Oh, it’s a terrible idea. It’s basically a practical joke.

                                                                                      • clon 4 days ago

                                                                                        This is like a self-administered "Slowloris attack" then - making it easier for an attacker to keep connections up until things start getting tight on port 443.

                                                                                        • heavenlyblue 4 days ago

                                                                                          I can imagine this is so easily overcome by the attacker. Why would they even need machines that take 10 seconds to return a single line over SSH?

                                                                                          • ivanbakel 4 days ago

                                                                                            Tarpits trap dumb animals. An intelligent attacker won't fall for it, but they aren't meant to.

                                                                                        • seqizz 4 days ago

                                                                                          I'd rather have a trusted common list of known abusers' IPs. But I think that's harder to maintain.

                                                                                          • mortehu 4 days ago

                                                                                            That's called a DNSBL, and there are many of them, mostly for email spam though.


                                                                                            • geocrasher 3 days ago

                                                                                              What I find infuriating is when an admin gets the bright idea to block all connections from IPs that are in mail DNSBLs. It's a great way to alienate people from using your services. I can't remember which company was doing it, but a customer's API calls to a vendor failed because the vendor blocked the IP, which was blacklisted somewhere.

                                                                                              Here's the kicker: The server wasn't even used to send mail and hadn't been for a long time. So we had to apply for a delisting from a mail blacklist for a server that didn't send mail so that a customer could use an API.

                                                                                              The admin thought they were being clever, but instead they were just being difficult.

                                                                                            • beatrobot 4 days ago