| author | Patrick McHardy <kaber@trash.net> | 2006-12-12 10:34:45 +0000 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2006-12-12 10:34:45 +0000 |
| commit | 29f91845300a585b5253b2e1ed3a29f064f31787 (patch) | |
| tree | c2d20f2b9cf400e1fe52cf9790b1e554b2b67407 /extensions/libipt_TARPIT.man | |
| parent | e78c69c8146c5dcd096ba13ac03d7a7bb90e3ea7 (diff) | |
Move extensions for pom patches to individual patchlets.
Diffstat (limited to 'extensions/libipt_TARPIT.man')
-rw-r--r-- | extensions/libipt_TARPIT.man | 34 |
1 files changed, 0 insertions, 34 deletions
diff --git a/extensions/libipt_TARPIT.man b/extensions/libipt_TARPIT.man deleted file mode 100644 index 26526b76..00000000 --- a/extensions/libipt_TARPIT.man +++ /dev/null @@ -1,34 +0,0 @@ -Captures and holds incoming TCP connections using no local -per-connection resources. Connections are accepted, but immediately -switched to the persist state (0 byte window), in which the remote -side stops sending data and asks to continue every 60-240 seconds. -Attempts to close the connection are ignored, forcing the remote side -to time out the connection in 12-24 minutes. - -This offers similar functionality to LaBrea -<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated -hardware or IPs. Any TCP port that you would normally DROP or REJECT -can instead become a tarpit. - -To tarpit connections to TCP port 80 destined for the current machine: -.IP -iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT -.P -To significantly slow down Code Red/Nimda-style scans of unused address -space, forward unused ip addresses to a Linux box not acting as a router -(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP -forwarding on the Linux box, and add: -.IP -iptables -A FORWARD -p tcp -j TARPIT -.IP -iptables -A FORWARD -j DROP -.TP -NOTE: -If you use the conntrack module while you are using TARPIT, you should -also use the NOTRACK target, or the kernel will unnecessarily allocate -resources for each TARPITted connection. To TARPIT incoming -connections to the standard IRC port while using conntrack, you could: -.IP -iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK -.IP -iptables -A INPUT -p tcp --dport 6667 -j TARPIT |
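Review bot: the deleted man page carries operational guidance that must not be lost when this text moves to its patchlet; please confirm the destination keeps the `NOTE:` paragraph in full, in particular the pairing of `iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK` with `iptables -A INPUT -p tcp --dport 6667 -j TARPIT`, since without that caveat users running conntrack will have the kernel allocate a tracking entry for every tarpitted connection, which defeats the stated "no local per-connection resources" property. The FORWARD example (`-p tcp -j TARPIT` followed by `-j DROP`) should likewise travel with the target, as it documents the required rule ordering. The commit message says only "Move ... to individual patchlets" and this diffstat is limited to the deletion; naming the patchlet that now holds the TARPIT documentation in the message would let a reviewer verify the move without hunting through the rest of the series.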