| field | value | date |
|---|---|---|
| author | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org | 2005-04-01 06:54:23 +0000 |
| committer | /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org | 2005-04-01 06:54:23 +0000 |
| commit | 6f5d18486aeaabc05d0aaa57708dbf18cc72af5b | |
| tree | e0d8b16f1fe5c33ce1bc2a0e2ab9a68f2e54f96c /extensions/libipt_TARPIT.man | |
| parent | 25632080c73a48deff44d81d9f85332141591420 | |
add lots of man pages (Jonas Berlin)
Diffstat (limited to 'extensions/libipt_TARPIT.man')
-rw-r--r-- | extensions/libipt_TARPIT.man | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/extensions/libipt_TARPIT.man b/extensions/libipt_TARPIT.man new file mode 100644 index 0000000..26526b7 --- /dev/null +++ b/extensions/libipt_TARPIT.man @@ -0,0 +1,34 @@ +Captures and holds incoming TCP connections using no local +per-connection resources. Connections are accepted, but immediately +switched to the persist state (0 byte window), in which the remote +side stops sending data and asks to continue every 60-240 seconds. +Attempts to close the connection are ignored, forcing the remote side +to time out the connection in 12-24 minutes. + +This offers similar functionality to LaBrea +<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated +hardware or IPs. Any TCP port that you would normally DROP or REJECT +can instead become a tarpit. + +To tarpit connections to TCP port 80 destined for the current machine: +.IP +iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT +.P +To significantly slow down Code Red/Nimda-style scans of unused address +space, forward unused ip addresses to a Linux box not acting as a router +(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP +forwarding on the Linux box, and add: +.IP +iptables -A FORWARD -p tcp -j TARPIT +.IP +iptables -A FORWARD -j DROP +.TP +NOTE: +If you use the conntrack module while you are using TARPIT, you should +also use the NOTRACK target, or the kernel will unnecessarily allocate +resources for each TARPITted connection. To TARPIT incoming +connections to the standard IRC port while using conntrack, you could: +.IP +iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK +.IP +iptables -A INPUT -p tcp --dport 6667 -j TARPIT |
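Review bot: The opening sentence states that TARPIT uses "no local per-connection resources", but the NOTE at the end of the page shows this only holds when the connection is also kept out of conntrack with NOTRACK; the caveat belongs next to the opening claim, or the first INPUT example should carry the matching raw-table line (`iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK`), because a reader who stops after the port-80 example and has conntrack loaded will get one conntrack entry per tarpitted connection, which is exactly the resource cost the target is meant to avoid. Two smaller points in the same hunk: "unused ip addresses" should read "unused IP addresses", and the examples mix `-p tcp -m tcp --dport 80` with `-p tcp --dport 6667`; the man page should use one form consistently.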