Debian TARPIT iptables How To

After recently upgrading some of my servers to Debian Wheezy, I noticed the xtables-addons-dkms package is now available. This means you no longer have to build the iptables modules from source to get tarpit support (and more). If you are not sure what the tarpit target is or why you would want to use it, a basic explaination is that you send unwated TCP traffic to the tarpit target with iptables. All connections are accepted and immediatedly switched to the persist state. The remote side stops sending data and asks to continue every 60-240 seconds and attemts to close the connections from the remote side are ignored. The connection will then timeout in 12-24 minutes.

You might want to do this to slow down and even crash port scans (eg. routed unused ip space to a server with these rules in the forward chain in iptables).


To get started, install the xtables-addons-dkms package:

# apt-get install xtables-addons-dkms

Add rules to send traffic to the tarpit target to suite your needs. Some examples are:

  • Server does not host MSSQL or MySQL database, tarpit those ports:
    iptables -A INPUT -p tcp --dport mysql -j TARPIT
    iptables -A INPUT -p tcp --dport ms-sql-s -j TARPIT
  • Tarpit all TCP connections incoming from the IP address 123.123.123.123:
    iptables -A INPUT -p tcp -s 123.123.123.123 -j TARPIT
  • Tarpit all ports, this would be used as the last rule in an existing firewall in place of a reject/drop rule. If you do not have a reject/drop rule do not use this rule unless you know what you are doing.
    iptables -A INPUT -p tcp -j TARPIT

To test that the above rules are working you can telnet to the host on a port that should go to the tarpit. If the connection works and your connection does not get closed within a few minutes it is working.

As an example of the effect this has on a port scan, I ran nmap on the host before and after. The results speak for themselves:

Before:

me ~ #  nmap -sV 123.123.123.123

Starting Nmap 5.00 ( http://nmap.org ) at 2013-08-11 08:15 WST
Stats: 0:00:52 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
....
Nmap done: 1 IP address (1 host up) scanned in 127.25 seconds

After:

me ~ # nmap -sV 123.123.123.123

Starting Nmap 5.00 ( http://nmap.org ) at 2013-08-11 08:15 WST
Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 1.40% done; ETC: 10:37 (2:38:18 remaining)
Stats: 0:17:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.41% done; ETC: 11:04 (2:49:36 remaining)

....(crash)....

me ~ #

Routers between you and the attacker may have issues due to the large amount of connections that will be held open, so make sure you gear can handle it before you try this (the nmap scan as above had a constant 500+ connections open for the tarpit scan alone). This can be an issue if you have a large range routed to the server doing the tarpit.

Posted in iptables, Linux and tagged , , , , .

2 Comments

  1. Pingback: Debian TARPIT iptables How To | Databases, Systems & Networks

  2. Pingback: Debian TARPIT iptables How To | Databases, Systems & Networks

Leave a Reply

Your email address will not be published. Required fields are marked *