Ir al contenido principal

Ralsina.Me — El sitio web de Roberto Alsina

Tarpitting works. Here's proof.

I have re­cent­ly en­abled tarpit­ting in one of my cus­tomer's mail server­s.

Tarpit­ting is adding a small de­lay af­ter each re­cip­i­ent (after a cer­tain num­ber of them). The idea is that a mes­sage with a few re­cip­i­ents goes fast, a mes­sage with many goes slow.

So, it should make spam­mers less ef­fi­cien­t.

Some mail ad­min­is­tra­tors say tarpit­ting does­n't work. That spam­mer­s, in­stead of send­ing a zil­lion mails over one con­nec­tion, send a few over each of a zil­lion con­nec­tion­s.

But a zil­lion con­nec­tions are more ex­pen­sive for the spam­mer! Or at least slow­er.

Well, I have proof that it does work. Sure, some­thing like a per-ip lim­it on con­cur­rent SMTP con­nec­tions is a good com­ple­men­t, but even naïve tarpit­ting, all by it­self, has a good ef­fec­t.

Since I en­abled it, peak mes­sage rate is down 60%, av­er­age is down 40%. Pret­ty good!

But a pic­ture is worth 1000 word­s...

Why isn't this in the kernel?

The nth mod­ule for ipt­a­bles.

This nifty gad­get lets you match the nth pack­et to a rule.

What for? Well, sup­pose you have two links, and have im­ple­ment­ed split ac­cess as per the LARTC

Ac­cord­ing to the same LARTC, you can im­ple­ment per-route load bal­anc­ing by cre­at­ing a mul­ti­path route.

That works well... as long as the traf­fic orig­i­nates on the fire­wall it­self (say, us­ing a Squid).

If the traf­fic comes from a SNATd sub­net, it break­s, be­cause you SNAT (or MASQ) it to one of your ex­ter­nal IP­s, and then it's rout­ed on­ly through that link, for ob­vi­ous rea­sons 1

You can route based on orig­i­nal source IP, so you can tell half the box­es to go left, and the oth­er half to go right.

And then if the client box­es are used un­even­ly, your bal­anc­ing suck­s.

So, what's the so­lu­tion? Match ev­ery sec­ond state NEW pack­et over each link.

Since ipt­a­bles's MASQ or SNAT will make the state ES­TAB­LISHED,RE­LAT­ED pack­ets fol­low the lead­er, each con­nec­tion al­ter­na­tive­ly routes left or right.

While not 100% right (y­ou can be un­lucky and re­di­rect all long con­nec­tions on the same link), it is much bet­ter than the sim­ple al­ter­na­tives, and much sim­pler than the bet­ter al­ter­na­tives.

But hey, nth is on­ly on patchomat­ic. And Red Hat's (Fe­do­ra's) ker­nel makes patchomat­ic go nut­s.

So it's cus­tom-k­er­nel-­com­pil­ing time, and I hate do­ing that. Re­al­ly, this patch seems sim­ple. Why is it not in?


If you rout­ed it through the oth­er, your ISP would re­ject the pack­et­s, be­cause the ori­gin IP is for­eign to him.

Accuracy in reporting

If it was­n´t so pa­thet­ic, it may be fun­nier.

A while ago, a glacier col­lapsed. This is a pe­ri­od­i­cal even­t, and a huge tourist at­trac­tion. Huge slabs of ice crash­ing down, and you can watch it from a safe dis­tance.


Now, here comes the re­port­ing.

The BBC:

A mas­sive pond builds up be­hind the wall of snow be­fore get­ting too heavy for the ice to hold and smash­ing down in­to the sea be­low.

Hm­m­m... well, that´s a lake. But what the heck, the ocean is on­ly a few hun­dred kilo­me­ters away. Over the An­des, cross­ing Chile.

WISTV (what­ev­er that is):

No one hurt when por­tion of Ar­gen­tinean glacier col­laps­es

Noone has ev­er been hurt by this. Ev­ery­one knew it was col­laps­ing, to be hurt you would have to get on a boat and cross a very very cold lake, too. And be the stu­pid­est man on earth, since there were huge chunks of ice fall­ing ev­ery few min­utes since two days ago.

Hel­l, there´s park rangers and it´s for­bid­den to ap­proach the glacier from the wa­ter!

Oh, and it´s not an ice shelf.

But any­way, if you want to see at least the video, it´s re­al­ly cool :-) It´s in this page, but I can´t link it: VIDEO

Getting paid for writing

I have de­cid­ed I don´t suck at writ­ing tech­ni­cal ar­ti­cles. I am not all that great, but I don´t suck.

And I am quick, too.

So, I have de­cid­ed I would like to get paid. I tried send­ing email to ed­i­tors@news­ (they claim to pay for con­tent) but have not got­ten even a "no thanks" re­sponse. Maybe they are slow­ish ;-)

Any­one knows any oth­er sources of in­come for some­one who can write de­cent short tech­ni­cal ar­ti­cles?

I think I will con­tact Lin­ux­World and Lin­ux Jour­nal, but they are a bit too ... high lev­el. You know. Re­al mag­a­zines ;-)

I on­ly mean for this to pay a few buck­s, it´s not what I in­tend on liv­ing from ;-)

In the mean­time, I will con­tin­ue writ­ing one or two ar­ti­cles a week, any­way!

Contents © 2000-2020 Roberto Alsina