On Mon, 22 Jul 2013, Zack Weinberg wrote:
The CMU Tor exit is seeing about 66 packets/second worth of this (10000 packets, 1151 unique IPs in 149.5 seconds). I don't have time to dig any deeper right now, but on the theory that it's a botnet doing click fraud, I'll pass this along to our cybercrime people.
If this clickfraud bot consumes a thread per connection, it may be possible to overwhelm its available resources by taking as long as possible to answer its requests, known as a tarpit or teergrube.
The kernel-based tarpit I wrote years ago (ipt_TARPIT) would only hold these for a few minutes, so I experimented with getting NginX to reply as slowly as possible using its rate-limiting, and was able to capture and hold open 105,000 connections to port 8118 from 1500 different IPs. However, NginX has a lower bound of one byte per second out of the box, which with TCP packet overhead consumed more bandwidth than I was willing to offer.
I then wrote a simple Go-based HTTP tarpit, which seems to also be effective at capturing a bunch of connections; I'm back up to 22,000 and very slowly rising.
If anyone else feels like playing with this, feel free to grab http://www.die.net/tools/http-tarpit/http-tarpit.go and install a Go compiler from http://golang.org/doc/install. Build with "go build http-tarpit.go" and then run "./http-tarpit" as a non-root user.
Be careful if you are tight on RAM; it seems to eat a few hundred megs per 10,000 concurrent connections. I haven't tried to optimize this at all.
-- Aaron
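A minimal slow-response HTTP tarpit in the spirit of the approach described above, added here as an illustration and not Aaron's http-tarpit.go. The Tarpit type, its fields, and the interval and hold values are assumptions for this example.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"time"
)

// Tarpit trickles each response out one chunk at a time, so a bot that spends
// a thread per connection stays blocked. Field values here are assumptions.
type Tarpit struct {
	Interval time.Duration // pause between chunks
	Chunk    []byte        // bytes written per interval
	MaxHold  time.Duration // release a client after this long
}

func (t *Tarpit) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK) // no Content-Length: client can't tell when body ends
	ctx, cancel := context.WithTimeout(r.Context(), t.MaxHold) // ends on hangup or hold limit
	defer cancel()
	trickle(ctx, w, t.Interval, t.Chunk)
}

// trickle writes chunk every interval until ctx ends or a write fails; returns bytes sent.
func trickle(ctx context.Context, w http.ResponseWriter, interval time.Duration, chunk []byte) int {
	flusher, _ := w.(http.Flusher)
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	sent := 0
	for {
		select {
		case <-ctx.Done():
			return sent
		case <-ticker.C:
			if _, err := w.Write(chunk); err != nil {
				return sent
			}
			if flusher != nil {
				flusher.Flush() // push the chunk onto the wire immediately
			}
			sent += len(chunk)
		}
	}
}

func main() {
	tp := &Tarpit{Interval: 10 * time.Second, Chunk: []byte(" "), MaxHold: time.Hour}
	log.Fatal(http.ListenAndServe(":8118", tp)) // port 8118 as in the thread
}
```

Memory per held connection comes mostly from the goroutine and buffers net/http allocates, so the same RAM caveat applies.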