
A trap (tarpit) for incoming SSH connections
It is no secret that the Internet is a very hostile environment. As soon as you bring up a server, it is immediately subjected to mass attacks and scans. A honeypot gives a sense of the scale of this junk traffic: in fact, on an average server, 99% of the traffic can be malicious.
A tarpit is a trap port used to slow down incoming connections. A remote system that connects to it cannot close the connection quickly: it has to tie up its own resources and wait until the connection drops on a timeout, or break it off manually.
Most often, tarpits are used defensively. The technique was originally developed to slow down computer worms. Today it can also be used to make life harder for spammers and for researchers who scan the entire IP address space in sequence (examples on Habr: Austria, Ukraine).
One sysadmin, Chris Wellons, apparently grew tired of watching this and wrote a small program, Endlessh, an SSH tarpit that slows down incoming connections. The program listens on a port (2222 by default, for testing) and pretends to be an SSH server, but in fact it holds the incoming client in an endless connection until the client gives up. This can go on for several days or more before the client drops off.
Building and trying out the utility:
$ make
$ ./endlessh &
$ ssh -p2222 localhost
A properly implemented tarpit costs the attacker more resources than it costs you. But it is not even about the resources. The author writes that the program is addictive: at the time of writing, 27 clients were sitting in the trap, some of them connected for weeks. At the peak, 1,378 clients sat in the trap for about 20 hours!
In production, Endlessh should listen on the standard port 22, where the bots knock en masse, with the real SSH daemon moved elsewhere. Standard hardening advice recommends moving SSH off port 22 anyway, which immediately shrinks the logs by an order of magnitude (it reduces noise, not risk: key-only authentication and disabled password logins are what actually protect sshd).
Chris Wellons says his program exploits a single paragraph of RFC 4253, the SSH transport layer protocol. Immediately after the TCP connection is established, and before any cryptography is applied, both sides must send an identification string. And there is a note: "The server MAY send other lines of data before sending the version string." There is no limit on the amount of such data; the only rules are that no line may begin with SSH- and that a line must not exceed 255 characters, including the line terminator. This is exactly what Endlessh does: it sends an endless stream of randomly generated data that complies with RFC 4253, that is, it goes out before the identification string, no line begins with SSH-, and no line exceeds 255 characters including the CR LF terminator. Everything is by the book. By default the program waits 10 seconds between sends. That keeps the client's timeout from firing, so the client stays trapped indefinitely.
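As an added illustration (this is not code from the article or from Endlessh), the following Python checks a pre-version line against the rules just quoted and mimics the client side of the version exchange: a client reads line by line and discards everything until a line beginning with SSH- arrives. Fed an Endlessh-style stream, the parser never returns a version string; fed a constructed honest-server banner, it does. The sample banner text and the hex line generator are assumptions made for this example.

```python
import random

MAX_LINE = 255          # RFC 4253 line limit, counting the CR LF terminator
CRLF = b"\r\n"


def is_valid_prebanner_line(line: bytes) -> bool:
    """True if `line` may legally precede the server's version string."""
    if not line.endswith(CRLF) or len(line) > MAX_LINE:
        return False
    if line.startswith(b"SSH-"):      # that would be the version string itself
        return False
    try:
        line[:-2].decode("utf-8")      # RFC 4253 says such lines SHOULD be UTF-8
    except UnicodeDecodeError:
        return False
    return True


def endlessh_lines(count: int, seed: int = 0):
    """Yield `count` lines the way Endlessh does: random hex plus CR LF.

    Hex digits can never spell "SSH-", and 8 digits plus CR LF is far below 255 bytes,
    so every line passes is_valid_prebanner_line().
    """
    rng = random.Random(seed)
    for _ in range(count):
        yield b"%x\r\n" % rng.randrange(2 ** 32)


def endlessh_stream(count: int, seed: int = 0) -> bytes:
    """The same lines concatenated, as a client would see them on the wire."""
    return b"".join(endlessh_lines(count, seed))


def parse_identification(buf: bytes):
    """Consume `buf` the way an SSH client does during the version exchange.

    Lines that do not start with "SSH-" are informational and skipped.
    Returns (version_string, unconsumed_bytes) once the version line arrives,
    or (None, unconsumed_bytes) if the peer still has not identified itself,
    which is the state an Endlessh victim stays in forever.
    """
    while True:
        nl = buf.find(b"\n")
        if nl == -1:
            return None, buf          # need more data (perhaps in another 10 seconds)
        line, buf = buf[:nl + 1], buf[nl + 1:]
        if line.startswith(b"SSH-"):
            return line.rstrip(CRLF).decode("ascii", "replace"), buf
        # anything else is a pre-version line: ignore it and keep waiting


# Constructed sample of what an honest server may send: one notice, then its version.
HONEST_SERVER = b"Authorized users only\r\nSSH-2.0-Example_1.0\r\n"


if __name__ == "__main__":
    print(parse_identification(HONEST_SERVER))            # version found
    print(parse_identification(endlessh_stream(1000)))    # (None, b''): still waiting
```

The parser deliberately does not reject a line that breaks the rules; real clients are lenient here too, which is precisely why a stream of harmless random lines is enough to keep them waiting.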
Since the data is sent before any cryptography is applied, the program is exceptionally simple. It has to implement neither ciphers nor support for several protocol versions.
The author tried to make the utility consume minimal resources and run on the machine without any noticeable impact. Unlike modern antiviruses and other "security systems", it should not slow the computer down. He minimized both traffic and memory consumption with a slightly more cunning implementation. If he had simply started a separate process per connection, attackers could have mounted a denial-of-service attack by opening many connections and exhausting the machine's resources. One thread per connection is not much better, since the kernel spends resources managing threads.
So Chris Wellons chose the lightest option for Endlessh: a single-threaded server built on poll(2), where trapped clients consume practically nothing beyond the socket object in the kernel and another 78 bytes of tracking state in Endlessh. No per-client receive buffer is needed at all, because the incoming data is of no interest to us, and no per-client send buffer either, since the short random lines are generated at send time. The author notes that one could go further still and avoid even the kernel socket object by opening a raw socket and emitting the TCP packets directly, bypassing almost the entire TCP/IP stack of the operating system; Endlessh itself uses ordinary TCP sockets. He also says that when he wrote the program he did not know about Python's asyncio or about the other tarpits that already existed. Had he known about asyncio, he could have implemented his utility in just 18 lines of Python:
import asyncio
import random

async def handler(_reader, writer):
    # Never read from the client; just drip one harmless hex line every 10 seconds
    # so its timeout never fires while it waits for the "SSH-" version line.
    try:
        while True:
            await asyncio.sleep(10)
            writer.write(b'%x\r\n' % random.randint(0, 2**32))
            await writer.drain()
    except ConnectionResetError:
        pass
    finally:
        writer.close()   # release the socket once the client has given up

async def main():
    server = await asyncio.start_server(handler, '0.0.0.0', 2222)
    async with server:
        await server.serve_forever()

asyncio.run(main())
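The asyncio version above hides the event loop. As an added example, not from the article or from Endlessh itself, the following Python spells out the poll(2)-style design described above using the standard selectors module: one thread, no reads, no per-client buffers, and per client nothing but the socket and the time of its next line. It also shows the two failure modes on the defender's side that a practitioner has to plan for: a cap on simultaneous clients, and what to do when accept() fails because the process is out of file descriptors. The cap value, the pause-on-EMFILE handling and the demo helper are this example's own choices, not Endlessh's.

```python
import errno
import random
import selectors
import socket
import threading
import time


class Tarpit:
    """Single-threaded, poll-style SSH tarpit: per client only a socket and a deadline."""

    def __init__(self, host="0.0.0.0", port=2222, delay=10.0, max_clients=4096, seed=None):
        self.delay, self.max_clients = delay, max_clients
        self.rng = random.Random(seed)
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(128)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ)
        self.clients = {}    # fd -> [socket, deadline]: no read buffer, no write buffer
        self.paused = False  # True while accept() is failing for lack of file descriptors

    def _accept(self):
        try:
            conn, _ = self.listener.accept()
        except OSError as e:
            if e.errno in (errno.EMFILE, errno.ENFILE):
                # Out of descriptors on our side: stop polling the listener until a client
                # leaves, otherwise select() reports it readable in a tight loop.
                self.sel.unregister(self.listener)
                self.paused = True
            return
        if len(self.clients) >= self.max_clients:
            conn.close()     # hard cap so the tarpit can never exhaust its own host
            return
        conn.setblocking(False)
        self.clients[conn.fileno()] = [conn, time.monotonic() + self.delay]

    def _drop(self, fd):
        self.clients.pop(fd)[0].close()
        if self.paused:
            self.sel.register(self.listener, selectors.EVENT_READ)
            self.paused = False

    def _send_line(self, fd):
        # Hex digits can never spell "SSH-", and 8 digits plus CR LF is far below 255 bytes.
        try:
            self.clients[fd][0].send(b"%x\r\n" % self.rng.randrange(2 ** 32))
        except BlockingIOError:
            pass             # peer's receive window is full; try again after the delay
        except OSError:
            self._drop(fd)   # reset or closed: the only way we learn the peer gave up
            return
        self.clients[fd][1] = time.monotonic() + self.delay

    def step(self):
        """Feed every client whose deadline has passed; return seconds until the next one."""
        now = time.monotonic()
        for fd in list(self.clients):
            if self.clients[fd][1] <= now:
                self._send_line(fd)
        if not self.clients:
            return self.delay
        return max(0.0, min(t for _, t in self.clients.values()) - time.monotonic())

    def serve(self, stop=None):
        """Event loop: one thread, one poll, nothing is ever read from the peers."""
        while stop is None or not stop.is_set():
            for _ in self.sel.select(timeout=min(self.step(), 0.2)):
                self._accept()

    def close(self):
        for fd in list(self.clients):
            self._drop(fd)
        self.sel.close()
        self.listener.close()


def demo(delay=0.1):
    """Run the tarpit on a loopback port, connect one client, return the first line it gets."""
    tarpit = Tarpit("127.0.0.1", 0, delay=delay, seed=42)
    stop = threading.Event()
    worker = threading.Thread(target=tarpit.serve, args=(stop,), daemon=True)
    worker.start()
    try:
        port = tarpit.listener.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
            client.sendall(b"SSH-2.0-Victim_1.0\r\n")  # a real client identifies itself at once; we never read it
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = client.recv(64)
                if not chunk:
                    break
                data += chunk
    finally:
        stop.set()
        worker.join()
        tarpit.close()
    return data
```

Run `Tarpit(port=2222).serve()` to get the same behaviour as the asyncio snippet, or `demo()` to watch one loopback client receive its first line. Because nothing is ever read, whatever the client sends piles up in the kernel receive buffer until its window closes, which costs us nothing further; a peer that gives up is only noticed when the next send fails, exactly as with the poll(2) design.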
Asyncio is well suited to writing tarpits. For example, the following trap will hang Firefox, Chrome or any other client that tries to connect to your HTTP server for many hours:
import asyncio
import random

async def handler(_reader, writer):
    # Send a valid status line, then keep adding made-up headers forever:
    # the browser waits for the blank line that ends the header block, which never comes.
    writer.write(b'HTTP/1.1 200 OK\r\n')
    try:
        while True:
            await asyncio.sleep(5)
            header = random.randint(0, 2**32)
            value = random.randint(0, 2**32)
            writer.write(b'X-%x: %x\r\n' % (header, value))
            await writer.drain()
    except ConnectionResetError:
        pass
    finally:
        writer.close()

async def main():
    server = await asyncio.start_server(handler, '0.0.0.0', 8080)
    async with server:
        await server.serve_forever()

asyncio.run(main())
A tarpit is a great tool for punishing online hooligans. There is some risk, though, of the opposite effect: drawing their attention to a server that behaves unusually. Someone might decide to take revenge with a targeted DDoS attack on your IP. So far, however, there have been no such cases, and tarpits work fine. Bear in mind that every trapped client also costs you one open socket and file descriptor, so cap the number of simultaneous clients and size the process's file-descriptor limit (ulimit -n) to match.

SPECIAL CONDITIONS for PKI solutions for small and medium-sized businesses until 11/30/2019 by promo code AL003HRFR. Offer valid for new customers. For details, contact the managers +7 (499) 678 2210, sales-ru@globalsign.com.