From 29f91845300a585b5253b2e1ed3a29f064f31787 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Tue, 12 Dec 2006 10:34:45 +0000
Subject: Move extensions for pom patches to individual patchlets.

---
 extensions/libipt_TARPIT.man | 34 ----------------------------------
 1 file changed, 34 deletions(-)
 delete mode 100644 extensions/libipt_TARPIT.man
(limited to 'extensions/libipt_TARPIT.man')
diff --git a/extensions/libipt_TARPIT.man b/extensions/libipt_TARPIT.man
deleted file mode 100644
index 26526b76..00000000
--- a/extensions/libipt_TARPIT.man
+++ /dev/null
@@ -1,34 +0,0 @@
-Captures and holds incoming TCP connections using no local
-per-connection resources. Connections are accepted, but immediately
-switched to the persist state (0 byte window), in which the remote
-side stops sending data and asks to continue every 60-240 seconds.
-Attempts to close the connection are ignored, forcing the remote side
-to time out the connection in 12-24 minutes.
-
-This offers similar functionality to LaBrea
- but doesn't require dedicated
-hardware or IPs. Any TCP port that you would normally DROP or REJECT
-can instead become a tarpit.
-
-To tarpit connections to TCP port 80 destined for the current machine:
-.IP
-iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-.P
-To significantly slow down Code Red/Nimda-style scans of unused address
-space, forward unused ip addresses to a Linux box not acting as a router
-(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
-forwarding on the Linux box, and add:
-.IP
-iptables -A FORWARD -p tcp -j TARPIT
-.IP
-iptables -A FORWARD -j DROP
-.TP
-NOTE:
-If you use the conntrack module while you are using TARPIT, you should
-also use the NOTRACK target, or the kernel will unnecessarily allocate
-resources for each TARPITted connection. To TARPIT incoming
-connections to the standard IRC port while using conntrack, you could:
-.IP
-iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-.IP
-iptables -A INPUT -p tcp --dport 6667 -j TARPIT
-- cgit v1.2.3