Found a very nice article on creating and using tarpits to foil potentially malicious intruders:


  http://www.securityfocus.com/infocus/1723

"The concept behind a tarpit is fairly simple. The connections come in, but they don't get back out. IPtables handles this by allowing a tarpitted port to accept any incoming TCP connection. When data transfer begins to occur, the TCP window size is set to zero, so no data can be transferred within the session. The connection is then held open, and any requests by the remote side to close the session are ignored. This means that the attacker must wait for the connection to timeout in order to disconnect. This kind of behavior is bad news for automated scanning tools (like worms) because they rely on a quick turnaround from their potential victims."

So rather than REJECT or DROP packets from unwanted machines, you can now put them in a tarpit.

My question is, how can one tell if the kernel already has the TARPIT feature compiled in? The article is from August, 2003. However, on my FC3 box running a 2.6.9 kernel with iptables v1.2.11, I don't see any reference to TARPIT in the man pages.

Regards,
- Robert
http://www.cwelug.org/downloads
Help others get OpenSource software.  Distribute FLOSS
for Windows, Linux, *BSD, and MacOS X with BitTorrent
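Added example (not from the original post or the article): a small POSIX shell check for the question above, whether the TARPIT target is present on a host. It looks in two places: the kernel's list of registered targets in /proc/net/ip_tables_targets (present once ip_tables is loaded, and listing TARPIT only if it is built in or its module is loaded), and the module tree under /lib/modules for an unloaded xt_TARPIT (xtables-addons) or ipt_TARPIT (older patch-o-matic) module file. Both paths are parameters so the function can also be exercised against constructed directories; the module names are assumed from those two projects.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes the TARPIT kernel module is named xt_TARPIT (xtables-addons)
# or ipt_TARPIT (old patch-o-matic); both are checked.

# tarpit_available MODULES_DIR TARGETS_FILE
#   MODULES_DIR  : normally /lib/modules/$(uname -r)
#   TARGETS_FILE : normally /proc/net/ip_tables_targets
# Returns 0 when TARPIT is registered with the kernel or a TARPIT module
# file is shipped under MODULES_DIR, 1 otherwise.
tarpit_available() {
    mods_dir="$1"
    targets_file="$2"

    # 1. Already registered (compiled in, or module loaded)?
    #    The proc file lists one target name per line, so match whole lines.
    if [ -r "$targets_file" ] && grep -qx 'TARPIT' "$targets_file"; then
        echo "TARPIT is registered in $targets_file"
        return 0
    fi

    # 2. Module shipped but not loaded yet? Match .ko and compressed .ko.* files.
    for name in xt_TARPIT ipt_TARPIT; do
        if find "$mods_dir" -name "${name}.ko*" 2>/dev/null | grep -q .; then
            echo "module $name found under $mods_dir (load it with: modprobe $name)"
            return 0
        fi
    done

    echo "no TARPIT target found: needs patch-o-matic (2.4/early 2.6) or xtables-addons"
    return 1
}

# Stand-alone run against the real host paths (read-only) when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    tarpit_available "/lib/modules/$(uname -r)" /proc/net/ip_tables_targets
    exit $?
fi
```

Run it as `sh tarpit_check.sh --check`. Note that kernel support and userspace support are separate: even with the module present, `iptables -j TARPIT` only works once the matching libipt_TARPIT/libxt_TARPIT extension is installed for the iptables binary, which is why a stock FC3 iptables 1.2.11 shows nothing about TARPIT in its man page.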

_______________________________________________
CWE-LUG mailing list
http://www.cwelug.org/
http://lists.firepipe.net/listinfo/cwe-lug