From owner-freebsd-net@FreeBSD.ORG Sun Jan 18 11:04:57 2009
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4CA44106566B for ; Sun, 18 Jan 2009 11:04:57 +0000 (UTC) (envelope-from john@roof1.dnepro.net)
Received: from roof1.dnepro.net (a66.dnepro.net [212.3.111.66]) by mx1.freebsd.org (Postfix) with ESMTP id B87A88FC0A for ; Sun, 18 Jan 2009 11:04:55 +0000 (UTC) (envelope-from john@roof1.dnepro.net)
Received: from roof1.dnepro.net (localhost [127.0.0.1]) by roof1.dnepro.net (8.14.3/8.14.3) with ESMTP id n0IB4rhC093244 for ; Sun, 18 Jan 2009 13:04:53 +0200 (EET) (envelope-from john@roof1.dnepro.net)
Received: (from john@localhost) by roof1.dnepro.net (8.14.3/8.14.3/Submit) id n0IB4rsI093243 for freebsd-net@freebsd.org; Sun, 18 Jan 2009 13:04:53 +0200 (EET) (envelope-from john)
Date: Sun, 18 Jan 2009 13:04:53 +0200
From: Eugene Perevyazko
To: freebsd-net@freebsd.org
Message-ID: <20090118110453.GA88606@roof1.dnepro.net>
Mail-Followup-To: freebsd-net@freebsd.org
References: <20090116115026.GA98057@roof1.dnepro.net> <06EC1210-8D3E-4F47-A1DE-F0AE038929D9@mac.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <06EC1210-8D3E-4F47-A1DE-F0AE038929D9@mac.com>
User-Agent: Mutt/1.4.2.3i
X-Virus-Scanned: ClamAV version 0.94, clamav-milter version 0.94 on roof1.dnepro.net
X-Virus-Status: Clean
Subject: Re: TARPIT for pf/ipfw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sun, 18 Jan 2009 11:04:57 -0000

On Fri, Jan 16, 2009 at 01:21:15PM -0800, Chuck Swiger wrote:
> On Jan 16, 2009, at 3:50 AM, Eugene Perevyazko wrote:
> > On Fri, Jan 16, 2009 at 12:20:21PM +0300, Alexey Ivanov wrote:
> > > Is there any command identical to:
> > >   iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
> > >
> > > If not, has anyone ever tried to implement this feature?
> >
> > I'm thinking of implementing it in ipfw, but it'll be a week or two
> > later, when I will have some free time.
>
> Note that net/honeyd and security/labrea offer somewhat similar
> functionality.
>
The main aim for a tarpit in a firewall is IMHO to lock out "crime in progress", for example to slow down somebody bruteforcing your ftp/pop/ssh/whatever.
Script kiddies are hammering well-known services almost constantly, and neither denying nor resetting is effective to slow them down.
I often see in logs that after the host starts to reset connections from one IP, bruteforcing continues from another IP, from just the same place in the wordlist.
And if I use something like "fwd localhost,labreaport tcp from badip to me", I'm not sure it will succeed with an already established connection.

Eugene Perevyazko
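As an added illustration of the defensive use Eugene describes (this is example code written for this page, not something posted in the thread or shipped with ipfw or labrea): a small detector that reads sshd-style "Failed password" lines, flags an IP once it crosses a failure threshold inside a sliding time window, and renders one ipfw rule per offender in the `fwd localhost,port tcp from badip to me` form from the mail, so that further connections from that IP are steered to a local tarpit instead of being reset. The log format, the 5-failures-in-60-seconds threshold, the use of 127.0.0.1 in place of `localhost`, and port 4000 as the tarpit listener are all assumptions; the sample log lines are constructed.

```python
"""
Added example: flag brute-forcing IPs from constructed sshd-style log lines
and emit ipfw 'fwd' rules that steer their later connections to a local tarpit.
Assumed (not from the thread): log format, threshold, window, tarpit port 4000.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on sshd's "Failed password" message format.
SAMPLE_LOG = """\
Jan 16 03:50:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 40001 ssh2
Jan 16 03:50:03 host sshd[1002]: Failed password for invalid user test from 203.0.113.10 port 40002 ssh2
Jan 16 03:50:05 host sshd[1003]: Failed password for root from 203.0.113.10 port 40003 ssh2
Jan 16 03:50:07 host sshd[1004]: Failed password for invalid user guest from 203.0.113.10 port 40004 ssh2
Jan 16 03:50:09 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.10 port 40005 ssh2
Jan 16 03:51:30 host sshd[1006]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 16 03:52:00 host sshd[1007]: Accepted publickey for john from 192.0.2.5 port 52000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5        # this many failures ...
WINDOW_SECONDS = 60  # ... within a window of this length flags the source IP
TARPIT_PORT = 4000   # assumed local port where the tarpit (e.g. labrea) listens


def parse_failures(text, year=2009):
    """Yield (timestamp, ip, user) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so one is supplied by the caller
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        yield ts, m["ip"], m["user"]


def offenders(text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return the set of IPs that reach `threshold` failures inside any `window`-second span."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        # drop failures that have aged out of the sliding window
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def ipfw_tarpit_rules(ips, port=TARPIT_PORT):
    """Render one ipfw rule per offender, in the 'fwd localhost,port tcp from badip to me' shape from the thread."""
    return [f"ipfw add fwd 127.0.0.1,{port} tcp from {ip} to me" for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in ipfw_tarpit_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Run stand-alone, the script prints a single rule for 203.0.113.10; 198.51.100.7 has one failure and stays below the threshold. The rules only describe where matching packets go once the rule is in place; whether `fwd` also captures a connection that is already established is exactly the open question in the mail and is not something this example settles.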