[tastroder]

> ssh tarpit

Interesting, like slow request attacks in reverse? Is that actually useful for something? It seems like that would just needlessly burn resources on your end. The majority of attacks on my instance seem to have come from other infected routers/devices/etc. that pretty much perform these attacks for free.

[IanGabes]

Depends on your goals! If you are defending a network, increasing the cost of attack is something we actively try to optimize for. It costs me next to nothing to hold a socket open and send a keep alive every 15 seconds or so, in addition to the extra threat intel from the initial connection.

You might have a point, and maybe i should try to turn these subjective feelings into harder metrics in terms of cost, but we have figured at this point it has a net good. If we slow the scanning down by a magnitude, in my opinion its a good thing!

[tastroder]

Ah, sure, if it works why not, I would have expected most scans being too distributed for this to have noticable impact. Thanks for the explanation.

[bediger4000]

Is there any research on what proportion of services (ssh, telnet, FTP, WordPress) have to be honey pots or tar pits for it to make a difference?

I've been running honey pots or tar pits for years out of a belief that anyone who can has an ethical duty to do so, to slow down the attacks on those who can't.

[IanGabes]

I havent seen anything terribly relevant, most of the thesis projects i have seen are more interested in creating realistic and believable honeypots for specific protocols, eg RDP.

In my experience, honeypots and tarpits are not the same sort of thing, and fufill different goals. Tarpits get you more utilitarian good, honeypots get you more representative threat intel.

[bediger4000]

Thank you, and good points. From the view point of increasing the utility of scanning for weak-password ssh ports, a honeypot and a tarpit are both entities the human setting up the scanning would like to avoid. I think that ultimately a human looking for easily-guessed ssh or telnet or whatever passwords would want to avoid tarpits and honeypots equally. They might have to code differently for a tarpit than a honeypot, but the goal would be to detect and avoid instances of both things. What proportion of "something to detect and avoid" would cause a scanner to be less than profitable, or just give up?

To illustrate: I've been giving the people that staff robocaller's "service centers" a hard time for years. I believe that my phone number is in some of their systems as a "bad actor" - I've occasionally heard an audible, computer-generated voice telling the "service rep" that this is a known troublesome number. They also occasionally hang up on me a sentence in to the script. I usually tell them I'm Edward Snowden, but you can call me Ed. That gets a hangup maybe 5% of the time. So giving them a hard time wastes their resources enough that at least a few boiler room/"service centers" put effort towards avoiding me, and the few others like me. What proportion of resource-wasters would it take to make them quit?