On Wed, 31 Oct 2007, Rex Johnston wrote:

This has been going on for years. It's definitely a `bot, as it can cause a significant jump in traffic (and your bill).

Grr. Hmm.

This looks like what I want..

----------------------------------------------------------------------
http://www.netfilter.org/projects/patch-o-matic/pom-extra.html

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds.  Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated hardware
or IPs.  Any TCP port that you would normally DROP or REJECT can instead
become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:

  iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused ip addresses to a Linux box not acting as a router
(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
forwarding on the Linux box, and add:

  iptables -A FORWARD -p tcp -j TARPIT
  iptables -A FORWARD -j DROP
----------------------------------------------------------------------

Maybe I'll also forward all incoming TCP ports apart from the one I'm
using for ssh to the tarpit.


John Carter                             Phone : (64)(3) 358 6639
Tait Electronics                        Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch                Email : [EMAIL PROTECTED]
New Zealand

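The plan above (keep ssh reachable, tarpit every other incoming TCP port) written out as an INPUT ruleset. This is an added example, not code from the original mail or from netfilter.org; it assumes an iptables/kernel pair built with the TARPIT target (patch-o-matic at the time, xtables-addons today), and the port number and the "echo" dry-run argument are illustrative.

```shell
#!/bin/sh
# Added example (not from the original mail or the netfilter.org page):
# accept ssh, tarpit every other TCP port on the local box.
# Assumes the TARPIT target is available; on a stock iptables the
# append fails with "No chain/target/match by that name".

tarpit_ruleset() {
    ssh_port=$1
    ipt=${2:-iptables}   # pass "echo" as the 2nd argument for a dry run

    # Validate the port before touching the firewall: a typo here
    # locks you out of the box, since ssh would be tarpitted as well.
    case $ssh_port in
        ''|*[!0-9]*) echo "invalid ssh port: '$ssh_port'" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "ssh port out of range: $ssh_port" >&2
        return 1
    fi

    # Order matters: TARPIT answers the packet and then drops it, so any
    # rule placed after the TARPIT rule is unreachable for TCP.
    "$ipt" -A INPUT -i lo -j ACCEPT || return 1
    # Replies to this host's own outbound connections arrive on arbitrary
    # local ports; without this rule they would be tarpitted too.
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    "$ipt" -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT || return 1
    # Everything else TCP: answer the SYN, then hold the peer in the
    # zero-window persist state described in the quoted text.
    "$ipt" -A INPUT -p tcp -j TARPIT || return 1
}

# Usage (as root):  sh tarpit.sh 22
# Dry run:          sh tarpit.sh 22 echo
if [ "$#" -gt 0 ]; then
    tarpit_ruleset "$@"
fi
```

Run it with `echo` as the second argument first and read the four rules back before applying them for real. Note that this only affects TCP: UDP and ICMP still follow the INPUT chain's default policy, so the tarpit is a nuisance for scanners and bots, not a replacement for a deny-by-default policy.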