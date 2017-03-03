Hacker News new | comments | show | ask | jobs | submit login
Forcing the password gropers through a smaller hole with OpenBSD's PF queues (bsdly.blogspot.com)
70 points by bootload 10 months ago | hide | past | web | favorite | 22 comments



I used to do something similar for porn-site visitors when I worked at a school. Discipline was not well-enforced, I had zero authority as the IT guy, and when I blocked a porn-site in the proxy, they all moved to another one within minutes (it's not as though the Internet was going to run out of them anytime).

Solution was to make a squid queue with about 1KB/sec bandwidth, and dump the most-visited porn websites into that queue. Sure, you'll get your smut, after about 10 minutes per pic download time. This worked far better - it was a bit like shadow-banning the website, in that they wouldn't be notified it was blocked, it just would be (to all intents and purposes). AFAIK, they never figured it out.


Yes; they figure "internet is slow" and assume that it won't be any better if they go to a different site.


I'm not sure if I understand. If they are operating through proxies, shouldn't the network admin be unable to MiTM them without a client-side cert? So, banning a list of websites should not work. What am I missing?


It sounds like OP is actually the one in control of the proxy (think enterprise-grade ones rather than proxy sites like hidemyass.com).

Even if that weren't true, one could always just throttle the proxy as if it were a porn site.


Yellowapple is correct, it was my proxy which funneled all web traffic out to the Internet.


There are a lot of systems that can follow this style of approach to dealing with the baddies. Bear in mind our gear these days have huge amounts of RAM and a fair bit of CPU. We have kernel based firewalls that can handle utterly huge tables and highly sophisticated queueing mechanisms. Heading into userspace we have mailer daemons a plenty, Squid, HA Proxy and the like, all of which can be used in this way.

For example if you enter three bad usernames into a certain Exchange OWA I manage, then HAProxy sends you off to a fake login page and I hoover the data. If you enter a legitimate username but multiple incorrect passwords then the same thing happens. The fake login page runs rather slowly but not too slow. IPs that fail are fed to the firewall. I maintain a whitelist of IPs for users that have a static IP at home. If a legitimate user falls foul of that lot, they are reminded about VPNs.

Funnily enough simply ratcheting up your TLS to 1.2 minimum fixes an awful lot of cracking attempts. Older unpatched systems simply can't even connect, let alone try to login. Sadly this wont be an option for many orgs (someone will insist on owning some wanky old thing and be too stingy to upgrade it and have enough clout in the firm to foil you) but as I happen to own mine I get to lay down the law 8)


I use pam_shield for something somewhat similar on Linux boxes. It's a more direct approach than something like fail2ban. Just null routing the offending IP addresses though. I suppose traffic shaping would do more to help others by keeping the bot occupied. Maybe I need to look into how /sbin/tc works.


This limiting approach is new to me. Why not just drop current and block future connections?


It looks to me like the equivalent of keeping telemarketers on the phone in an inane conversation instead of immediately hanging up on them. The latter just frees them up to call the next victim.


To do that better, what you do is route the password cracking attempts to some honeypot box. By this I mean that you set up common accounts with easily guessed passwords. But all of these lead to some dedicated machine where you're in a pseudo-shell that won't let you do a damned thing.


In that case I'm not sure if it works. I fully expect the spammers to have the software to deal with similar behavior. In contrast with telemarketers the computers multitask pretty well.


there is still an upper limit to the number of TCP connections an IP can open.

sadly this does remind me of that photo of a Darth Vader with a Brita water filter in a large body of water.

you're not really going to have an impact, but you are doing something


Just in case you're really lazy: https://www.google.com/search?q=Darth+Vader+with+a+Brita+wat...


I spent some time providing huge tarpits to SPAMmers also (I get about 10k SPAM delivery attempts per day on my small SMTP server), but in the end I've had to spend my time on other things...


Interesting read from a great author, I can highly recommend his Book of PF if anyone is interested in knowing more.


I just whitelist my ip ranges, and anything else gets dumped into a honeypot (using ipset lists).


More cynically, just block everything from China and you've covered 95% of the attacks (based on the stats reported in the article).


China, Russia, Eastern Europe,South America.


https://securitytoday.com/articles/2017/03/03/top-5-countrie...

The United States is the #2 top source of cyber attacks, accounting for about 10% of all malicious traffic in the world and with 17.12% of cyber attacks initiated from there.

What you need to look at is how much of the traffic that hits your servers specifically is malicious relative to the amount of traffic that is bringing you revenue. Then you decide what countries to block.


Interesting read, thanks for posting!


Did I break HN post regulations for this comment? (Just trying to figure out why I had 5 down votes in the interest of not breaking it again if I did).


Your comment looks pretty innocuous to me. Only thing I can think of is that it doesn't add much to the conversation. Members may have downvoted for lack of substance. Adding reasons you found it interesting, pointing out things in particular would make a good contribution to the discussion. It's speculation, but I hope it helps.




