Mailing List Archive

Re: New type of SPAM aggression
They are very different tools.

One uses an SMTP RFC repeat clause to understand whether the attacker is using a real server, slowing burst connections and eventually adding the IP to the firewall. This is limited to port 25, and it does not work against DDoS attacks, because pf is not that efficient.

The other tool works on any port, it sits in the firewall, it is process efficient, to manage DDoS-like connections, and its purpose is to efficiently redirect the attacker's force back to the attacker, eventually burning the CPU of the attacker.

On Wed, Feb 13, 2019 at 05:52, Bill Cole <sausers-20150205@billmail.scconsult.com> wrote:

> On 12 Feb 2019, at 15:04, Rupert Gallagher wrote:
>
>> Ehhh.... not available on bsd with pf, or so it was the last time I
>> checked.
>
> A good 'tarpit' tool that IS available for *BSD (originating on OpenBSD)
> is 'spamd' which unfortunately shares a name with the daemon aspect of
> SA. There's a port for FreeBSD and pf.conf(5) documents its integration
> with pf.
>
>> Good for you as you have it! It is a fantastic piece of aikido.
>>
>> On Tue, Feb 12, 2019 at 18:19, John Hardin <jhardin@impsec.org> wrote:
>>
>>> On Tue, 12 Feb 2019, Rupert Gallagher wrote:
>>>
>>>> and we have now blocked their IP at the firewall,
>>>
>>> A suggestion: it may hurt them more if you TCP tarpit them instead of
>>> just
>>> blocking them. That's what I do.
> [...]
> --
> Bill Cole
> bill@scconsult.com or billcole@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole
