IT Connections: The UF Office of Information Technology Newsletter
Security Team Creates "Tar-pit" to Foil Netsky

On April 20th we learned that a new variant of the "Netsky" e-mail virus, which was spreading across the Internet, had been programmed to attack a UF Health Science Center website. Beginning on April 28th, every Netsky.X-infected computer in the world would join in the attack.

We considered several options, but because we wanted to stop the attack without also blocking legitimate users of the site, we chose an experimental technique called a "tarpit." The tarpit traps attackers and tries to slow down their connections, as if they were stuck in tar. This keeps them tied up and unable to launch as many attacks; meanwhile, legitimate users are redirected to the real website.
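The idea described above, as an added sketch that is not the tarpit software written at UF: a small asyncio listener that redirects clients it judges legitimate and holds every other connection open, feeding it one byte at a time. The article does not say how attack traffic was told apart from real users, so the User-Agent rule, `REAL_SITE`, the timing constants and all function names here are assumptions.

```python
import asyncio

REAL_SITE = "http://www.example.edu/"  # placeholder, not the site from the article
DRIP_INTERVAL = 5.0   # seconds between single bytes sent to a trapped client
MAX_HOLD = 600.0      # release a trapped connection after this many seconds

def looks_legitimate(request: bytes) -> bool:
    """Assumed rule: a well-formed GET request that carries a User-Agent header."""
    lines = request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0] != b"GET" or not parts[2].startswith(b"HTTP/1."):
        return False
    names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
    return b"user-agent" in names

def redirect_response(location: str) -> bytes:
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode()

async def handle(reader, writer, drip=DRIP_INTERVAL, max_hold=MAX_HOLD):
    try:
        try:
            request = await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), 10)
        except (asyncio.TimeoutError, asyncio.IncompleteReadError,
                asyncio.LimitOverrunError):
            request = b""  # silent, truncated or oversized request: treat as hostile
        if looks_legitimate(request):
            writer.write(redirect_response(REAL_SITE))  # send real users onward
            await writer.drain()
            return
        # Tarpit: begin a plausible response, then feed it one byte at a time so
        # the client stays tied up on this connection.
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")
        held = 0.0
        while held < max_hold:
            writer.write(b" ")
            await writer.drain()
            await asyncio.sleep(drip)
            held += drip
    except (ConnectionError, OSError):
        pass  # client disconnected first
    finally:
        writer.close()

async def serve(host="127.0.0.1", port=8080):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```

Each trapped connection costs the defender only a sleeping coroutine and a socket, while the client waits on a response that never finishes; `MAX_HOLD` bounds how long that socket is kept.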

Chuck Logan wrote the tarpit software and Jordan Wiens configured the server; others in Network Services offered valuable help. As the traffic increased we were forced to continuously re-write the software for greater performance. At the peak of the attack, 52 million packets (or 3.1 gigabytes) per hour were directed at the tarpit.

The tarpit was a success; we kept user service going through most of the attack, and learned valuable lessons that can be shared with others in the Internet community.

Posted for June 2004 issue on 27 May 2004 by