
Forcing the password gropers through a smaller hole with OpenBSD's PF queues - bootload
http://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html
======
m0nty
I used to do something similar for porn-site visitors when I worked at a
school. Discipline was not well-enforced, I had zero authority as the IT guy,
and when I blocked a porn-site in the proxy, they all moved to another one
within minutes (it's not as though the Internet was going to run out of them
anytime).

Solution was to make a squid queue with about 1KB/sec bandwidth, and dump the
most-visited porn websites into that queue. Sure, you'll get your smut, after
about 10 minutes per pic download time. This worked far better - it was a bit
like shadow-banning the website, in that they wouldn't be notified it was
blocked, it just would be (to all intents and purposes). AFAIK, they never
figured it out.

~~~
narrowrail
I'm not sure if I understand. If they are operating through proxies, shouldn't
the network admin be unable to MiTM them without a client-side cert? So,
banning a list of websites should not work. What am I missing?

~~~
yellowapple
It sounds like OP is actually the one in control of the proxy (think
enterprise-grade ones rather than proxy sites like hidemyass.com).

Even if that weren't true, one could always just throttle the proxy as if it
were a porn site.

------
gerdesj
There are a _lot_ of systems that can follow this style of approach to dealing
with the baddies. Bear in mind our gear these days have huge amounts of RAM
and a fair bit of CPU. We have kernel based firewalls that can handle utterly
huge tables and highly sophisticated queueing mechanisms. Heading into
userspace we have mailer daemons a plenty, Squid, HA Proxy and the like, all
of which can be used in this way.

For example if you enter three bad usernames into a certain Exchange OWA I
manage, then HAProxy sends you off to a fake login page and I hoover the data.
If you enter a legitimate username but multiple incorrect passwords then the
same thing happens. The fake login page runs rather slowly but not too slow.
IPs that fail are fed to the firewall. I maintain a whitelist of IPs for users
that have a static IP at home. If a legitimate user falls foul of that lot,
they are reminded about VPNs.

Funnily enough simply ratcheting up your TLS to 1.2 minimum fixes an awful lot
of cracking attempts. Older unpatched systems simply can't even connect, let
alone try to login. Sadly this wont be an option for many orgs (someone will
insist on owning some wanky old thing and be too stingy to upgrade it and have
enough clout in the firm to foil you) but as I happen to own mine I get to lay
down the law 8)

------
tyingq
I use pam_shield for something somewhat similar on Linux boxes. It's a more
direct approach than something like fail2ban. Just null routing the offending
IP addresses though. I suppose traffic shaping would do more to help others by
keeping the bot occupied. Maybe I need to look into how /sbin/tc works.

------
tener
This limiting approach is new to me. Why not just drop current and block
future connections?

~~~
breckinloggins
It looks to me like the equivalent of keeping telemarketers on the phone in an
inane conversation instead of immediately hanging up on them. The latter just
frees them up to call the next victim.

~~~
tener
In that case I'm not sure if it works. I fully expect the spammers to have the
software to deal with similar behavior. In contrast with telemarketers the
computers multitask pretty well.

~~~
pyvpx
there is still an upper limit to the number of TCP connections an IP can open.

sadly this does remind me of that photo of a Darth Vader with a Brita water
filter in a large body of water.

you're not really going to have an impact, but you are doing _something_

~~~
infogulch
Just in case you're really lazy:
[https://www.google.com/search?q=Darth+Vader+with+a+Brita+wat...](https://www.google.com/search?q=Darth+Vader+with+a+Brita+water+filter+in+a+large+body+of+water&tbm=isch)

------
DamonHD
I spent some time providing huge tarpits to SPAMmers also (I get about 10k
SPAM delivery attempts per day on my small SMTP server), but in the end I've
had to spend my time on other things...

------
jf_sebastian
Interesting read from a great author, I can highly recommend his Book of PF if
anyone is interested in knowing more.

------
chaz6
I just whitelist my ip ranges, and anything else gets dumped into a honeypot
(using ipset lists).

~~~
ams6110
More cynically, just block everything from China and you've covered 95% of the
attacks (based on the stats reported in the article).

~~~
Sunset
China, Russia, Eastern Europe,South America.

~~~
eriknstr
[https://securitytoday.com/articles/2017/03/03/top-5-countrie...](https://securitytoday.com/articles/2017/03/03/top-5-countries-
where-cyber-attacks-originate.aspx)

The United States is the #2 top source of cyber attacks, accounting for about
10% of all malicious traffic in the world and with 17.12% of cyber attacks
initiated from there.

What you need to look at is how much of the traffic that hits your servers
specifically is malicious relative to the amount of traffic that is bringing
you revenue. Then you decide what countries to block.

------
mrmondo
Interesting read, thanks for posting!

~~~
mrmondo
Did I break HN post regulations for this comment? (Just trying to figure out
why I had 5 down votes in the interest of not breaking it again if I did).

~~~
grzm
Your comment looks pretty innocuous to me. Only thing I can think of is that
it doesn't add much to the conversation. Members may have downvoted for lack
of substance. Adding reasons you found it interesting, pointing out things in
particular would make a good contribution to the discussion. It's speculation,
but I hope it helps.

