[118266] in Cypherpunks


Re: KISA Attack

daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Sep 23 05:14:16 1999

Message-Id: <3.0.5.32.19990923014807.00a0a100@idiom.com>
Date: Thu, 23 Sep 1999 01:48:07 -0700
To: Sean Roach <roach_s@mail.intplsrv.net>, cypherpunks@algebra.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <3.0.6.32.19990923074752.008226b0@mail.intplsrv.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Reply-To: Bill Stewart <bill.stewart@pobox.com>

At 07:47 AM 09/23/1999 -0500, Sean Roach wrote:
>>> 2.	"Teergrube" (sp?) - I believe the word is German, and refers to
>>> intentionally slowing something down.
>Excuse me.  This will undoubtedly show my ignorance, but.
>What would that serve?  If they are tying up your lines to prevent
>your serving others, what advantage would holding the line open for
>them serve?  Unless the bottleneck is processor time or file access

HTTP is an interactive protocol - 
it sends requests and gets responses.
Many spamware web harvesters and other searchers are single-threaded,
or at least few-threaded.  So if the spamware is waiting for a response
from you and it's taking a really long time to get it,
then it's bothering your spam trap instead of somebody real.
It also keeps the spammer talking long enough to go hunt
them down and get their ISP to kill them.

And since they're usually searching for any reference on any page they get,
and since you have nearly infinite numbers of pages like
./a/a.html... ./a/z.html ..... ./z/z.html  which all look pretty similar
it's going to go REAL REAL slow, but each page has lots of unique
email addresses like aaaaaaa1111@bogus.com .... zzzzzzz99999@bogus.com,
which the spamware can collect.    How big were those tables again?
It doesn't slow your machine down much to only be sending them a 
few characters per second, unlike the performance of a normal web server.

If the robot is multi-threaded instead of single-threaded,
it might take multiple spider traps to keep it totally tied down.
Another way that this traps spiders is that they can normally
only keep some number of open file descriptors happening at once,
and you can keep opening TCP sessions to it, which works if lots
of people are running teergrubes.

Extra credit entertainment can be provided by setting up your DNS server
to serve names for bogus1.bogus.yourdomain.com,
bogus9999.bogus.yourdomain.com ...
You can decide whether to give them 127.0.0.1, 127.0.0.2, 10.1.1.1,
or the IP of some trapping SMTP server that also responds very slowly.

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
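The tarpit Bill describes, written out as an added example (this is not code from the original post, and it is not any existing teergrube implementation): a tiny HTTP server whose every page links to 26 child pages so the tree never ends, whose every page carries its own deterministic set of bogus addresses, and which dribbles each response out a few bytes per second so a harvester waiting on the socket is stalled while the server spends almost nothing. The domain `bogus.example`, the per-page address count, the four-bytes-per-second rate and the listen port are constructed assumptions.

```python
"""Minimal HTTP teergrube for address-harvesting robots (added illustration)."""
import hashlib
import string
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BOGUS_DOMAIN = "bogus.example"    # constructed placeholder domain, not a real mail domain
LETTERS = string.ascii_lowercase
ADDRESSES_PER_PAGE = 50           # assumed size of the per-page address table
BYTES_PER_SECOND = 4              # assumed crawl rate: "a few characters per second"


def normalize_path(path):
    """Map a requested URL to a directory-like key: '/a/b.html?x=1' -> '/a/b'."""
    path = path.split("?", 1)[0].rstrip("/")
    if path.endswith(".html"):
        path = path[:-5]
    return path or "/"


def trap_links(path):
    """Each page links to 26 children (/a/b -> /a/b/a.html ... /a/b/z.html),
    so a robot that follows every link never runs out of pages."""
    key = normalize_path(path)
    prefix = "" if key == "/" else key
    return [f"{prefix}/{c}.html" for c in LETTERS]


def trap_addresses(path, count=ADDRESSES_PER_PAGE):
    """Deterministic bogus addresses that differ from page to page.
    The 7-letter local part is derived from a hash of (page, index); the
    5-digit suffix is the index, which guarantees uniqueness within a page."""
    key = normalize_path(path)
    addrs = []
    for i in range(count):
        digest = hashlib.sha256(f"{key}#{i}".encode()).digest()
        local = "".join(LETTERS[b % 26] for b in digest[:7])
        addrs.append(f"{local}{i:05d}@{BOGUS_DOMAIN}")
    return addrs


def trap_page(path):
    """Render the trap page: links first, then the address table."""
    links = "\n".join(f'<a href="{h}">{h}</a>' for h in trap_links(path))
    addrs = "\n".join(f'<a href="mailto:{a}">{a}</a>' for a in trap_addresses(path))
    return f"<html><body>\n{links}\n<hr>\n{addrs}\n</body></html>\n"


class TeergrubeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = trap_page(self.path).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        # Dribble the body out a few bytes at a time. The robot waits on the
        # socket the whole time; this process mostly sleeps.
        for i in range(0, len(body), BYTES_PER_SECOND):
            try:
                self.wfile.write(body[i:i + BYTES_PER_SECOND])
                self.wfile.flush()
            except (BrokenPipeError, ConnectionResetError):
                return  # robot gave up; nothing more to do
            time.sleep(1.0)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def serve(host="127.0.0.1", port=8080):
    """Threaded so that a multi-threaded robot opening several connections
    ties up one cheap sleeping thread per connection on our side."""
    ThreadingHTTPServer((host, port), TeergrubeHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and fetch `http://127.0.0.1:8080/a/a.html` with any client: the page arrives at four bytes per second, and every link on it leads to another page of the same kind. The page generator is pure, so the link and address tables can be checked without starting the server.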

