After recently upgrading some of my servers to Debian Wheezy, I noticed the xtables-addons-dkms package is now available. This means you no longer have to build the iptables modules from source to get tarpit support (and more). If you are not sure what the tarpit target is or why you would want to use it, a basic explanation is that you send unwanted TCP traffic to the tarpit target with iptables. All connections are accepted and immediately switched to the persist state. The remote side stops sending data and asks to continue every 60-240 seconds, and attempts to close the connection from the remote side are ignored. The connection then times out in 12-24 minutes.
You might want to do this to slow down and even crash port scans (e.g. with unused IP space routed to a server that has these rules in the FORWARD chain in iptables).
To get started, install the xtables-addons-dkms package:
# apt-get install xtables-addons-dkms
Add rules that send traffic to the tarpit target to suit your needs. Some examples are:
- Server does not host MSSQL or MySQL database, tarpit those ports:
iptables -A INPUT -p tcp --dport mysql -j TARPIT
iptables -A INPUT -p tcp --dport ms-sql-s -j TARPIT
- Tarpit all TCP connections incoming from the IP address 220.127.116.11:
iptables -A INPUT -p tcp -s 18.104.22.168 -j TARPIT
- Tarpit all ports. This would be used as the last rule in an existing firewall in place of a reject/drop rule. If you do not have a reject/drop rule, do not use this rule unless you know what you are doing.
iptables -A INPUT -p tcp -j TARPIT
To test that the above rules are working, telnet to the host on a port that should go to the tarpit. If the connection is established and does not get closed within a few minutes, it is working.
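The telnet check above can also be scripted. This is an added example, not part of the original post; the function name `probe_tarpit`, the result labels and the default 180-second hold time are assumptions chosen for illustration. A "held" result only points to the tarpit on a port where no real service is listening, because an idle service that waits for the client to speak looks the same.

```python
import socket


def probe_tarpit(host, port, hold_seconds=180.0, connect_timeout=10.0):
    """Classify how host:port treats a new TCP connection.

    Returns one of:
      "no-connect" - refused or timed out (closed port, or a REJECT/DROP rule)
      "closed"     - handshake completed, then the peer closed or reset
      "data"       - the peer sent data, so a real service answered
      "held"       - connected, silent and still open after hold_seconds,
                     which is what the telnet test looks for
    """
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except OSError:
        # Covers ECONNREFUSED, unreachable hosts and connect timeouts.
        return "no-connect"

    with sock:
        # Wait quietly; a tarpitted connection neither sends nor closes.
        sock.settimeout(hold_seconds)
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            return "held"
        except OSError:
            # Connection reset by the peer while we were waiting.
            return "closed"
        # An empty read means the peer sent FIN.
        return "data" if chunk else "closed"


if __name__ == "__main__":
    import sys

    # Usage: python3 probe_tarpit.py HOST PORT
    print(probe_tarpit(sys.argv[1], int(sys.argv[2])))
```

Run it from a different machine than the firewall, against a port covered by one of the TARPIT rules and against a port that should still be rejected or served normally, and compare the results.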
As an example of the effect this has on a port scan, I ran nmap on the host before and after. The results speak for themselves:
me ~ # nmap -sV 22.214.171.124
Starting Nmap 5.00 ( http://nmap.org ) at 2013-08-11 08:15 WST
Stats: 0:00:52 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
....
Nmap done: 1 IP address (1 host up) scanned in 127.25 seconds

me ~ # nmap -sV 126.96.36.199
Starting Nmap 5.00 ( http://nmap.org ) at 2013-08-11 08:15 WST
Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 1.40% done; ETC: 10:37 (2:38:18 remaining)
Stats: 0:17:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.41% done; ETC: 11:04 (2:49:36 remaining)
....(crash)....
me ~ #
Routers between you and the attacker may have issues due to the large number of connections that will be held open, so make sure your gear can handle it before you try this (the nmap scan above had a constant 500+ connections open for the tarpit scan alone). This can be an issue if you have a large range routed to the server doing the tarpit.