In article <[EMAIL PROTECTED]>, Aaron Hopkins <[EMAIL PROTECTED]> wrote:
>Here's a minimalist patch-in-patch against 1.2.6a to add a
>"--reject-with tcp-synack" option to the REJECT extension.
>TCP SYN packets are replied to with a valid SYN-ACK, all others are
>dropped.
[...]
>This offers the same functionality as LaBrea - The Tarpit
><http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
>hardware or IPs. Any TCP port that you would normally DROP or
>REJECT can instead become a tarpit.

This has been bugging me for an entire week, and I've just now figured
out why. No patch is required; you can already do this with REDIRECT.

        # REDIRECT is a nat-table target, so the SYN rule goes in nat.
        # mangle PREROUTING runs before nat and still sees the original
        # destination, so the non-SYN DROP can stay there.
        iptables -t nat -A PREROUTING -d ... --proto tcp \
                --dport ... --syn -j REDIRECT --to-ports 1234
        iptables -t mangle -A PREROUTING -d ... --proto tcp \
                --dport ... ! --syn -j DROP

Put any TCP server on port 1234 (you don't need a real one, it will never
accept(), so putting /bin/false in /etc/inetd.conf will do), add a route
to a fake netmask that goes to a dummy net device, enable proxy ARP, add
boiling water, stir, and you have an instant tarpit.

How does it work? A SYN packet comes in, and goes to the listening
socket. The listening socket does not actually register a connection in
user-space, it just adds an entry to the listen queue. A SYN ACK packet
is sent to the client. The client now thinks the connection is
established, so it merrily sends a non-SYN ACK packet and maybe some
data. Our fearless firewall gleefully drops these packets, so the
connection never gets established on our end.

OK, but what happens when the listen backlog fills up? Well, the kernel
simply assumes it's under a SYN flood attack, so it bravely parries
using wafer-thin SYN cookies that taste just like regular cookies,
except they're low in fat.

Back in the dark ages when spammers could be effectively filtered by
blocking their IP at your SMTP port (ah, the good old days...), I used
this sort of thing to waste their spambots' precious time. That was
with ipfwadm! Iptables can probably do it too. ;-)

-- 
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
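The full host setup the reply sketches (the two iptables rules, the fake route via a dummy device, proxy ARP) as one script. This is an added example, not code from the thread, from netfilter or from LaBrea. It assumes iptables, iproute2 and sysctl are installed and uses placeholder values that are not in the post: the unused block 192.0.2.0/24, LAN interface eth0, dummy device tarpit0, target port 25 and local listener port 1234. It puts the REDIRECT rule in the nat table, the only table where that target is valid, and also switches on ip_forward, since Linux only proxy-ARPs for addresses it would forward to.

```shell
#!/bin/sh
# Added example (not from the original post, netfilter or LaBrea): build the
# REDIRECT-style tarpit described above. SYNs to an unused address block are
# redirected to a local listener that never accept()s, every later packet of
# those flows is dropped, and proxy ARP makes this host claim the unused
# addresses on the LAN.
# Placeholders (assumptions, not taken from the post): BLOCK, LAN_IF,
# DUMMY_IF, DPORT, LPORT. Override them in the environment.
set -eu

BLOCK=${BLOCK:-192.0.2.0/24}   # unused addresses to turn into tarpits
LAN_IF=${LAN_IF:-eth0}          # interface that should answer ARP for them
DUMMY_IF=${DUMMY_IF:-tarpit0}   # dummy device the fake route points at
DPORT=${DPORT:-25}              # port the spambots connect to
LPORT=${LPORT:-1234}            # local listener (e.g. /bin/false via inetd)

# iptables rules for one block/port. REDIRECT is only valid in the nat table,
# so the SYN rule goes there; mangle PREROUTING runs before nat and still sees
# the original destination, so the non-SYN DROP matches the fake block/port.
# Usage: tarpit_rules BLOCK DPORT LPORT
tarpit_rules() {
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -d $1 -p tcp --dport $2 --syn -j REDIRECT --to-ports $3" \
        "iptables -t mangle -A PREROUTING -d $1 -p tcp --dport $2 ! --syn -j DROP"
}

# Host plumbing: route the fake block to a dummy device and proxy-ARP for it on
# the LAN side. The kernel only proxy-ARPs for addresses it would forward,
# hence ip_forward=1.
# Usage: tarpit_plumbing BLOCK LAN_IF DUMMY_IF
tarpit_plumbing() {
    printf '%s\n' \
        "ip link add $3 type dummy" \
        "ip link set $3 up" \
        "ip route add $1 dev $3" \
        "sysctl -w net.ipv4.ip_forward=1" \
        "sysctl -w net.ipv4.conf.$2.proxy_arp=1"
}

# Execute every generated command (needs root); stops at the first failure.
tarpit_apply() {
    { tarpit_plumbing "$BLOCK" "$LAN_IF" "$DUMMY_IF"
      tarpit_rules "$BLOCK" "$DPORT" "$LPORT"; } |
    while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    --apply)   tarpit_apply ;;
    --dry-run) tarpit_plumbing "$BLOCK" "$LAN_IF" "$DUMMY_IF"
               tarpit_rules "$BLOCK" "$DPORT" "$LPORT" ;;
    *)         ;;  # no argument: only define the functions
esac
```

Run it with --dry-run to print the commands and with --apply as root to install them, and pair it with the /bin/false inetd entry from the post so something is listening on LPORT. Two caveats: the listener must be bound on 0.0.0.0 or on the LAN interface's own address, since REDIRECT rewrites the destination to that address; and because the client's final ACK is dropped, the kernel keeps retransmitting the SYN-ACK only until tcp_synack_retries is exhausted, so each connection is held for that window rather than forever.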