Just started to use this new feature that arrived with 2.9.
For anyone unfamiliar with the technique, it replies with SYN/ACK to incoming SYN packets. It also sets the MSS to a very small size. The end result is that incoming connections are held open with virtually no data able to flow.
Main use is to slow down automated scanning (CodeRed, Nimda et al).
There are some techniques for using it here:
http://www.securityfocus.com/infocus/1723
Regards
Andrew
Can you please state the exact feature you are talking about, and how it works?
Detail on how it works is in the article I quoted. A Google search for tarpit will also return some relevant articles.
Use it as an alternative to dropping packets in IP → Firewall → Filter.
I have 3 public IP addresses that are unused so I can assume that any connection attempts to these addresses are ‘bad’ traffic. I have 3 rules that tarpit connections to these addresses. Any worms scanning these IPs are caught which slows down their scanning of other hosts.
Regards
Andrew
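The rule set Andrew describes, written out as an added example (not posted in the thread). It assumes a MikroTik RouterOS 2.9 router with the `action=tarpit` filter action, that the three unused addresses sit on the router itself (so traffic to them arrives on the input chain; use chain=forward if they are routed to hosts behind the router), and uses placeholder addresses from the documentation range.

```routeros
# Added example, not from the thread. Assumes RouterOS 2.9+ with action=tarpit.
# Placeholder addresses: substitute your own unused public IPs.
/ip firewall address-list
add list=unused-public address=203.0.113.10 comment="unused, nothing behind it"
add list=unused-public address=203.0.113.11 comment="unused, nothing behind it"
add list=unused-public address=203.0.113.12 comment="unused, nothing behind it"

# Plain-drop version (what the tarpit rule replaces): the SYN gets no answer,
# the scanner times out quickly and moves on to its next target.
# /ip firewall filter
# add chain=input protocol=tcp dst-address-list=unused-public action=drop

# Tarpit version: the router answers the SYN with a SYN/ACK carrying a tiny MSS,
# so the scanner believes it has a connection and then waits on it with
# virtually no data able to flow, tying up that worm's connection slot.
# Place these rules above any general drop rule so they are matched first.
/ip firewall filter
add chain=input protocol=tcp dst-address-list=unused-public action=tarpit comment="tarpit TCP scans of unused addresses"
# Tarpit only applies to TCP; anything else aimed at these addresses is dropped.
add chain=input dst-address-list=unused-public action=drop comment="drop non-TCP traffic to unused addresses"
```

Check hits with the rule counters in `/ip firewall filter print stats`; a steadily rising tarpit counter on these addresses is the scanning traffic being held.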