Here's a minimalist patch-in-patch against 1.2.6a to add a
"--reject-with tcp-synack" option to the REJECT extension.
TCP SYN packets are replied to with a valid SYN-ACK, all others are
dropped.

This will leave incoming connections in the ESTABLISHED state on the
remote side, significantly slowing down Code Red or Nimda-style scans
of the entire IP space, but requiring no local per-connection resources.

This offers the same functionality as LaBrea - The Tarpit
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
hardware or IPs.  Any TCP port that you would normally DROP or
REJECT can instead become a tarpit:

Example:

  iptables -A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-synack

No attempt is made to disguise ourselves as a real TCP stack, so things
like the sequence number are left at 0.

                                    -- Aaron

---

diff -urP iptables-1.2.6a/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch 
iptables-1.2.6a.syn-ack/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch
--- iptables-1.2.6a/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch     Wed Dec 31 
16:00:00 1969
+++ iptables-1.2.6a.syn-ack/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch     Thu 
+Mar 28 22:34:46 2002
@@ -0,0 +1,67 @@
+diff -r -u linux-2.4.18/include/linux/netfilter_ipv4/ipt_REJECT.h 
+linux-2.4.18-synack/include/linux/netfilter_ipv4/ipt_REJECT.h
+--- linux-2.4.18/include/linux/netfilter_ipv4/ipt_REJECT.h     Fri Jul 14 12:20:23 
+2000
++++ linux-2.4.18-synack/include/linux/netfilter_ipv4/ipt_REJECT.h      Thu Mar 28 
+21:06:58 2002
+@@ -9,7 +9,8 @@
+       IPT_ICMP_ECHOREPLY,
+       IPT_ICMP_NET_PROHIBITED,
+       IPT_ICMP_HOST_PROHIBITED,
+-      IPT_TCP_RESET
++      IPT_TCP_RESET,
++      IPT_TCP_SYNACK
+ };
+ 
+ struct ipt_reject_info {
+diff -r -u linux-2.4.18/net/ipv4/netfilter/ipt_REJECT.c 
+linux-2.4.18-synack/net/ipv4/netfilter/ipt_REJECT.c
+--- linux-2.4.18/net/ipv4/netfilter/ipt_REJECT.c       Sat Oct  6 08:50:28 2001
++++ linux-2.4.18-synack/net/ipv4/netfilter/ipt_REJECT.c        Thu Mar 28 21:01:38 
+2002
+@@ -32,8 +32,8 @@
+               attach(new_skb, nfct);
+ }
+ 
+-/* Send RST reply */
+-static void send_reset(struct sk_buff *oldskb, int local)
++/* Send RST or SYN-ACK reply */
++static void send_tcp_reject(struct sk_buff *oldskb, int local, int synack)
+ {
+       struct sk_buff *nskb;
+       struct tcphdr *otcph, *tcph;
+@@ -50,10 +50,14 @@
+       otcph = (struct tcphdr *)((u_int32_t*)oldskb->nh.iph + oldskb->nh.iph->ihl);
+       otcplen = oldskb->len - oldskb->nh.iph->ihl*4;
+ 
+-      /* No RST for RST. */
++      /* No RST or ACK for RST. */
+       if (otcph->rst)
+               return;
+ 
++      /* No ACK for anything but a SYN. */
++      if (synack && (!otcph->syn || otcph->ack))
++              return;
++
+       /* Check checksum. */
+       if (tcp_v4_check(otcph, otcplen, oldskb->nh.iph->saddr,
+                        oldskb->nh.iph->daddr,
+@@ -101,7 +105,10 @@
+ 
+       /* Reset flags */
+       ((u_int8_t *)tcph)[13] = 0;
+-      tcph->rst = 1;
++      if (synack)
++              tcph->syn = 1;
++      else
++              tcph->rst = 1;
+       tcph->ack = needs_ack;
+ 
+       tcph->window = 0;
+@@ -308,7 +315,10 @@
+               send_unreach(*pskb, ICMP_HOST_ANO);
+               break;
+       case IPT_TCP_RESET:
+-              send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
++              send_tcp_reject(*pskb, hooknum == NF_IP_LOCAL_IN, 0);
++              break;
++      case IPT_TCP_SYNACK:
++              send_tcp_reject(*pskb, hooknum == NF_IP_LOCAL_IN, 1);
+       case IPT_ICMP_ECHOREPLY:
+               /* Doesn't happen. */
+               break;
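Review bot: The new `case IPT_TCP_SYNACK:` arm at the end of the hunk has no `break;` after `send_tcp_reject(*pskb, hooknum == NF_IP_LOCAL_IN, 1);`, so it falls through into `case IPT_ICMP_ECHOREPLY:`; that arm only breaks today, but the unmarked fall-through turns into a silent bug the moment a statement is added there, so add `break;` exactly as the `IPT_TCP_RESET` arm above it does. The hunk also leaves the module's rule-check path untouched: if the existing check that confines `IPT_TCP_RESET` to `-p tcp` rules (not visible here) is not extended to `IPT_TCP_SYNACK`, a rule without `-p tcp` could reach `send_tcp_reject`, which reads `otcph` straight out of the IP payload. The SYN-ACK path further reuses whatever `needs_ack`, `seq` and `ack_seq` the RST path computes outside the hunk; since the new guard rejects any segment with ACK set, that presumably yields the acknowledgement of the SYN the cover letter describes, but a comment such as `/* SYN-ACK reply relies on the RST seq/ack_seq computation above */` next to `tcph->ack = needs_ack;` would make that dependency explicit. Both `send_tcp_reject` and the enclosing switch extend outside the hunk.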
diff -urP iptables-1.2.6a/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.help 
iptables-1.2.6a.syn-ack/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.help
--- iptables-1.2.6a/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.help        Wed 
Dec 31 16:00:00 1969
+++ iptables-1.2.6a.syn-ack/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.help       
+ Thu Mar 28 22:34:46 2002
@@ -0,0 +1,17 @@
+Author: Aaron Hopkins <[EMAIL PROTECTED]>
+
+Adds a "--reject-with tcp-synack" option to the REJECT extension.  TCP SYN
+packets are replied to with a valid SYN-ACK, all others are dropped.
+
+This will leave incoming connections in the ESTABLISHED state on the
+remote side, significantly slowing down Code Red or Nimda-style scans
+of the entire IP space, but requiring no local per-connection resources.
+
+This offers the same functionality as LaBrea - The Tarpit 
+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
+hardware or IPs.  Any TCP port that you would normally DROP or
+REJECT can instead become a tarpit:
+
+Example:
+
+  iptables -A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-synack
diff -urP iptables-1.2.6a/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.userspace 
iptables-1.2.6a.syn-ack/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.userspace
--- iptables-1.2.6a/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.userspace   Wed 
Dec 31 16:00:00 1969
+++ iptables-1.2.6a.syn-ack/patch-o-matic/extra/ipt_REJECT-tcp-synack.patch.userspace  
+ Thu Mar 28 23:09:27 2002
@@ -0,0 +1,14 @@
+diff -r -u extensions/libipt_REJECT.c 
+iptables-1.2.6a-tcp-ack/extensions/libipt_REJECT.c
+--- extensions/libipt_REJECT.c Thu Mar 14 03:10:27 2002
++++ extensions/libipt_REJECT.c Thu Mar 28 21:08:34 2002
+@@ -35,7 +35,9 @@
+       {"icmp-host-prohibited", "host-prohib",
+        IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
+       {"tcp-reset", "tcp-reset",
+-       IPT_TCP_RESET, "TCP RST packet"}
++       IPT_TCP_RESET, "TCP RST packet"},
++      {"tcp-synack", "tcp-synack",
++       IPT_TCP_SYNACK, "TCP SYN-ACK packet"}
+ };
+ 
+ static void



