top | item 29010808

Slade1 | 4 years ago

If you're aware that someone is doing penetration tests on your system, but their probing isn't significantly costing you resources, wouldn't you instead just give some generic response to not clue them into you knowing their intention? There's a lot of people who basically do that with scam callers by just leading them on and wasting the scammers time.

LinuxBender|4 years ago

I used to do something along this line. If I saw a bot then I would use ACLs in haproxy to serve up some static pages from memory that contained strings their request was looking for. This of course attracted more bots. It didn't cost me anything aside from making my logs a bit more noisy, so I disabled logging for the bots. Then I found a funny side effect of Shodan showing my nodes being vulnerable to many things. That was a blemish so I disabled the ACLs. In hindsight and knowing how bot farms work it wasn't really wasting anyone's time or resources but was a fun little learning exercise.
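An added illustration of the HAProxy setup described in the comment above (example config, not LinuxBender's own): scanner-looking requests are matched with ACLs, answered directly from the proxy without reaching the application, and kept out of the main log. It assumes HAProxy 2.2 or newer (for `http-request return`), a frontend named `web` and a backend named `app`; the probe paths and user-agent substrings are constructed examples.

```haproxy
frontend web
    bind *:80
    mode http

    # Classify requests that look like automated scanning: probes for paths
    # this site never serves, or user agents of well-known scanning tools.
    # Both pattern lists are constructed examples; tune them to your own logs.
    acl scanner_path path_beg -i /.env /phpmyadmin /wp-login.php /cgi-bin/
    acl scanner_ua   req.hdr(user-agent) -m sub -i nikto sqlmap masscan zgrab

    # Keep scanner noise out of the main log (the "noisy logs" side effect).
    http-request set-log-level silent if scanner_path || scanner_ua

    # Answer from memory instead of passing the request to the backend.
    # A plain 404 is the conservative choice: a decoy body that echoes the
    # strings a scanner expects is what makes public scanners such as Shodan
    # list the host as vulnerable, as the comment above found.
    http-request return status 404 content-type "text/html" lf-string "<html><body>Not found</body></html>" if scanner_path || scanner_ua

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080
```

If you do want the decoy behaviour, swap `lf-string` for `file /path/to/decoy.html`; HAProxy loads the file into memory at startup, so the request still never touches the application.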

hyperman1|4 years ago

Send them redirects to a Russian governmental site. They'll take care of it

arthurcolle|4 years ago

This could be seen as abuse by the .ru and .su folks

Waterluvian|4 years ago

Redirect to a honeypot as a service that utterly wastes someone’s time.

t0mas88|4 years ago

You could but it's extra work to build that into the application while you could use a generic off the shelf WAF / IDS type solution that just blocks them. Won't fully stop a targeted manual attack but it is enough to make bots move on to their next target. And it slows down any manual reconnaissance work.

saurik|4 years ago

Blocking someone is still more generic than returning a specific HTTP response code specifically designed to inform the other party of your suspicion.