Date:      Sun, 18 Jan 2009 13:04:53 +0200
From:      Eugene Perevyazko <john@dnepro.net>
To:        freebsd-net@freebsd.org
Subject:   Re: TARPIT for pf/ipfw
Message-ID:  <20090118110453.GA88606@roof1.dnepro.net>
In-Reply-To: <06EC1210-8D3E-4F47-A1DE-F0AE038929D9@mac.com>
References:  <E1LNksH-000M7S-00.need4spam-bk-ru@f253.mail.ru> <20090116115026.GA98057@roof1.dnepro.net> <06EC1210-8D3E-4F47-A1DE-F0AE038929D9@mac.com>

On Fri, Jan 16, 2009 at 01:21:15PM -0800, Chuck Swiger wrote:
> On Jan 16, 2009, at 3:50 AM, Eugene Perevyazko wrote:
> >On Fri, Jan 16, 2009 at 12:20:21PM +0300, Alexey Ivanov wrote:
> >>Is there any command identical to:
> >>       iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
> >>
> >>If not, has anyone ever tried to implement this feature?
> >
> >I'm thinking of implementing it in ipfw, but it'll be a week or two
> >later, when I have some free time.
> 
> Note that net/honeyd and security/labrea offer somewhat similar  
> functionality.
> 
The main aim of a tarpit in a firewall is, IMHO, to lock out a "crime in progress".
For example, to slow down somebody bruteforcing your ftp/pop/ssh/whatever.
Script kiddies are hammering well-known services almost constantly, and
neither denying nor resetting is effective at slowing them down. I often see in logs
that after the host starts to reset connections from one IP, bruteforcing continues
from another IP, just from the same place in the wordlist.
And if I use something like "fwd localhost,labreaport tcp from badip to me",
I'm not sure it will succeed with an already established connection.

Eugene Perevyazko



