[Dshield] Spamhouse now listing exploited IPs in new

Jeff Kell jeff-kell at utc.edu
Thu Jan 15 05:33:02 GMT 2004


John Hardin wrote:

> On Wed, 2004-01-14 at 14:30, Jeff Kell wrote:
> 
>>We use DNSBLs too, but the ACL approach is to deny them 
>>completely before they get started.
> 
> 
> Nah. Better to tarpit 'em. Unfortunately sendmail doesn't support doing
> that. :(

No, you ignore them with 'no ip unreachables' (Cisco-speak), so their 
end times out and requeues, eating up their time and resources.  Most 
hackers are getting tarpit-aware and using timed socket receives.  I run 
tarpits smack in the middle of two of our address blocks, and some of 
the scanners can traverse them rather quickly (or they have the threads 
to spare).  Enough of them stick to make it worth it and give me a nice 
warm feeling inside when I've got ~50,000 scanning threads hung up :-)

Jeff



