It's no secret that the Internet is a very hostile environment. As soon as you raise the server, it is instantly subjected to massive attacks and multiple scans. For example you can estimate the scale of this garbage traffic. In fact, on an average server, 99% of the traffic can be malicious.
Tarpit is a trap port that is used to slow down incoming connections. If a third-party system connects to this port, then it will not be possible to quickly close the connection. She will have to waste her system resources and wait until the connection is timed out, or manually terminate it.
Most often, tarpits are used for protection. The technique was first developed to protect against computer worms. And now it can be used to ruin the life of spammers and researchers who are engaged in a wide scan of all IP addresses in a row (examples on HabrΓ©: , ).
One of the system administrators named Chris Wellons, apparently tired of watching this disgrace - and he wrote a small program , an SSH tarpit that slows down incoming connections. The program opens a port (by default, port 2222 is specified for testing) and pretends to be an SSH server, but in fact establishes an endless connection with an incoming client until it gives up. This may go on for several days or more until the client drops off.
Installing the utility:
$ make
$ ./endlessh &
$ ssh -p2222 localhostA properly implemented tarpit will take more resources from an attacker than from you. But it's not even about resources. Author that the program is addictive. Right now he has 27 clients in his trap, some of them connected within weeks. At the peak of activity, 1378 clients sat in the trap for 20 hours!
In operating mode, the Endlessh server must be installed on the usual port 22, where hooligans are knocking en masse. Standard security advice always advises to move SSH to a different port, which immediately reduces the size of the logs by an order of magnitude.
Chris Wellons says his program exploits one paragraph from the spec to the SSH protocol. Immediately after the TCP connection is established, but before cryptography is applied, both parties must send an authentication string. And there's an entry: "The server MAY send other lines of data before sending the version line". And no limit on the amount of this data, you just need to start each line with SSH-.
This is exactly what the Endlessh program does: it sends endless stream of randomly generated data, which comply with RFC 4253, i.e. sent before identification, and each line starts with SSH- and does not exceed 255 characters, including the line ending character. In general, everything is according to the standard.
By default, the program waits 10 seconds between sending packets. This prevents a timeout, so the client will be trapped forever.
Since the data is sent before the cryptography is applied, the program is extremely simple. It does not need to implement any ciphers and support for multiple protocols.
The author tried to make the utility consume a minimum of resources and work completely unnoticed on the machine. Unlike modern antiviruses and other "security systems", it should not slow down the computer. He managed to minimize both traffic and memory consumption due to a slightly more cunning software implementation. If it just started a separate process on a new connection, then potential attackers could conduct a DDoS attack by opening many connections to exhaust resources on the machine. One thread per connection is also not the best option, because the kernel will waste resources on thread management.
Therefore, Chris Wellons chose the most lightweight option for Endlessh: a single-threaded server poll(2), where the clients in the trap consume almost no extra resources, not counting the socket object in the kernel and another 78 bytes to track in Endlessh. In order not to allocate receive and send buffers for each client, Endlessh opens a direct access socket and directly translates TCP packets, ignoring almost the entire TCP/IP stack of the operating system. The incoming buffer is not needed at all, because we are not interested in the incoming data.
The author says that at the time of his program about the existence of Python's asycio and other tarpits. If he knew about asycio, then he could implement his utility in just 18 lines in Python:
import asyncio
import random
async def handler(_reader, writer):
try:
while True:
await asyncio.sleep(10)
writer.write(b'%xrn' % random.randint(0, 2**32))
await writer.drain()
except ConnectionResetError:
pass
async def main():
server = await asyncio.start_server(handler, '0.0.0.0', 2222)
async with server:
await server.serve_forever()
asyncio.run(main())Asyncio is ideal for writing tarpits. For example, this hook will hang Firefox, Chrome, or another client that tries to connect to your HTTP server for many hours:
import asyncio
import random
async def handler(_reader, writer):
writer.write(b'HTTP/1.1 200 OKrn')
try:
while True:
await asyncio.sleep(5)
header = random.randint(0, 2**32)
value = random.randint(0, 2**32)
writer.write(b'X-%x: %xrn' % (header, value))
await writer.drain()
except ConnectionResetError:
pass
async def main():
server = await asyncio.start_server(handler, '0.0.0.0', 8080)
async with server:
await server.serve_forever()
asyncio.run(main())Tarpit is a great tool for punishing online bullies. True, there is some risk, on the contrary, of drawing their attention to the unusual behavior of a particular server. Somebody and a targeted DDoS attack on your IP. However, so far there have been no such cases, and the tarpits work fine.
Hubs:
Python, Information security, Software, System administration
Tags:
SSH, Endlessh, tarpit, trap, asycio
Trap (tarpit) for incoming SSH connections
It's no secret that the Internet is a very hostile environment. As soon as you raise the server, it is instantly subjected to massive attacks and multiple scans. For example you can estimate the scale of this garbage traffic. In fact, on an average server, 99% of the traffic can be malicious.
Tarpit is a trap port that is used to slow down incoming connections. If a third-party system connects to this port, then it will not be possible to quickly close the connection. She will have to waste her system resources and wait until the connection is timed out, or manually terminate it.
Most often, tarpits are used for protection. The technique was first developed to protect against computer worms. And now it can be used to ruin the life of spammers and researchers who are engaged in a wide scan of all IP addresses in a row (examples on HabrΓ©: , ).
One of the system administrators named Chris Wellons, apparently tired of watching this disgrace - and he wrote a small program , an SSH tarpit that slows down incoming connections. The program opens a port (by default, port 2222 is specified for testing) and pretends to be an SSH server, but in fact establishes an endless connection with an incoming client until it gives up. This may go on for several days or more until the client drops off.
Installing the utility:
$ make
$ ./endlessh &
$ ssh -p2222 localhostA properly implemented tarpit will take more resources from an attacker than from you. But it's not even about resources. Author that the program is addictive. Right now he has 27 clients in his trap, some of them connected within weeks. At the peak of activity, 1378 clients sat in the trap for 20 hours!
In operating mode, the Endlessh server must be installed on the usual port 22, where hooligans are knocking en masse. Standard security advice always advises to move SSH to a different port, which immediately reduces the size of the logs by an order of magnitude.
Chris Wellons says his program exploits one paragraph from the spec to the SSH protocol. Immediately after the TCP connection is established, but before cryptography is applied, both parties must send an authentication string. And there's an entry: "The server MAY send other lines of data before sending the version line". And no limit on the amount of this data, you just need to start each line with SSH-.
This is exactly what the Endlessh program does: it sends endless stream of randomly generated data, which comply with RFC 4253, i.e. sent before identification, and each line starts with SSH- and does not exceed 255 characters, including the line ending character. In general, everything is according to the standard.
By default, the program waits 10 seconds between sending packets. This prevents a timeout, so the client will be trapped forever.
Since the data is sent before the cryptography is applied, the program is extremely simple. It does not need to implement any ciphers and support for multiple protocols.
The author tried to make the utility consume a minimum of resources and work completely unnoticed on the machine. Unlike modern antiviruses and other "security systems", it should not slow down the computer. He managed to minimize both traffic and memory consumption due to a slightly more cunning software implementation. If it just started a separate process on a new connection, then potential attackers could conduct a DDoS attack by opening many connections to exhaust resources on the machine. One thread per connection is also not the best option, because the kernel will waste resources on thread management.
Therefore, Chris Wellons chose the most lightweight option for Endlessh: a single-threaded server poll(2), where the clients in the trap consume almost no extra resources, not counting the socket object in the kernel and another 78 bytes to track in Endlessh. In order not to allocate receive and send buffers for each client, Endlessh opens a direct access socket and directly translates TCP packets, ignoring almost the entire TCP/IP stack of the operating system. The incoming buffer is not needed at all, because we are not interested in the incoming data.
The author says that at the time of his program about the existence of Python's asycio and other tarpits. If he knew about asycio, then he could implement his utility in just 18 lines in Python:
import asyncio
import random
async def handler(_reader, writer):
try:
while True:
await asyncio.sleep(10)
writer.write(b'%xrn' % random.randint(0, 2**32))
await writer.drain()
except ConnectionResetError:
pass
async def main():
server = await asyncio.start_server(handler, '0.0.0.0', 2222)
async with server:
await server.serve_forever()
asyncio.run(main())Asyncio is ideal for writing tarpits. For example, this hook will hang Firefox, Chrome, or another client that tries to connect to your HTTP server for many hours:
import asyncio
import random
async def handler(_reader, writer):
writer.write(b'HTTP/1.1 200 OKrn')
try:
while True:
await asyncio.sleep(5)
header = random.randint(0, 2**32)
value = random.randint(0, 2**32)
writer.write(b'X-%x: %xrn' % (header, value))
await writer.drain()
except ConnectionResetError:
pass
async def main():
server = await asyncio.start_server(handler, '0.0.0.0', 8080)
async with server:
await server.serve_forever()
asyncio.run(main())Tarpit is a great tool for punishing online bullies. True, there is some risk, on the contrary, of drawing their attention to the unusual behavior of a particular server. Somebody and a targeted DDoS attack on your IP. However, so far there have been no such cases, and the tarpits work fine.
Source: habr.com