Jonas Berlin | f33c461 | 2005-04-01 06:54:23 +0000

Captures and holds incoming TCP connections using no local
per-connection resources. Connections are accepted, but immediately
switched to the persist state (zero-byte window), in which the remote
side stops sending data and probes every 60-240 seconds whether it may
continue. Attempts to close the connection are ignored, forcing the
remote side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
hardware or IPs. Any TCP port that you would normally DROP or REJECT
can instead become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:
.IP
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
.P
To significantly slow down Code Red/Nimda-style scans of unused address
space, route unused IP addresses to a Linux box that is not otherwise
acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on
a Cisco), enable IP forwarding on the Linux box, and add:
.IP
iptables -A FORWARD -p tcp -j TARPIT
.IP
iptables -A FORWARD -j DROP
.TP
NOTE:
If you use the conntrack module while you are using TARPIT, you should
also use the NOTRACK target, or the kernel will unnecessarily allocate
a conntrack entry for each TARPITted connection. The NOTRACK rule goes
in the raw table, which is traversed before the filter table, and must
match the same packets as the TARPIT rule. To TARPIT incoming
connections to the standard IRC port while using conntrack, you could:
.IP
iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
.IP
iptables -A INPUT -p tcp --dport 6667 -j TARPIT
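The following script is an added example and is not part of the xtables-addons man page or project. It puts the two procedures above (the local-port tarpit and the forwarded-address sink) together with the conntrack note applied: every TARPIT rule is preceded by a matching raw-table NOTRACK rule, rules are added idempotently with "iptables -C" so the script can be re-run, and the sink's NOTRACK rule uses the addrtype match to exempt only non-local destinations, so conntrack keeps working for the box's own services. The DRY_RUN and IPTABLES variables, the function names and the "-m addrtype ! --dst-type LOCAL" refinement are this script's own choices, not anything the man page specifies; it assumes root, an iptables with xt_TARPIT loaded and the raw table available.

```shell
#!/bin/sh
# Added example, not from the xtables-addons man page or project.
# Installs TARPIT rules with the NOTRACK rule in front of each one, so
# conntrack allocates nothing for tarpitted connections.
# Assumes: root, iptables with xt_TARPIT (xtables-addons) loaded, raw table.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a rule only if "iptables -C" does not already find it, so
# re-running the script never duplicates rules.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" != 1 ] && "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# Tarpit one TCP port on this host. raw/PREROUTING is traversed before
# filter/INPUT, so the NOTRACK rule takes effect first. On iptables >= 1.4.21
# NOTRACK is a deprecated alias for "-j CT --notrack"; either form works here.
tarpit_local_port() {
    port=$1
    add_rule raw PREROUTING -p tcp --dport "$port" -j NOTRACK
    add_rule filter INPUT -p tcp --dport "$port" -j TARPIT
}

# Sink for address space that the upstream router points at this host:
# tarpit every forwarded TCP connection and drop all other forwarded traffic.
# NOTRACK is limited to non-local destinations (addrtype match) so that
# conntrack still tracks connections to the box's own services.
tarpit_forwarded() {
    run sysctl -q -w net.ipv4.ip_forward=1
    add_rule raw PREROUTING -p tcp -m addrtype ! --dst-type LOCAL -j NOTRACK
    add_rule filter FORWARD -p tcp -j TARPIT
    add_rule filter FORWARD -j DROP
}

# Packet/byte counters per rule: a growing TARPIT counter confirms that
# scanners are being held.
show_tarpit_counters() {
    run "$IPTABLES" -t filter -L -v -n -x
}

# Usage: tarpit.sh local <port> | forward | counters
case "${1:-}" in
    local)    tarpit_local_port "$2" ;;
    forward)  tarpit_forwarded ;;
    counters) show_tarpit_counters ;;
esac
```

Run "DRY_RUN=1 sh tarpit.sh local 6667" first to see the exact rules that would be added; the order printed is the order they are installed.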