TARPIT for pf/ipfw

Eugene Perevyazko john at dnepro.net
Sun Jan 18 03:04:57 PST 2009


On Fri, Jan 16, 2009 at 01:21:15PM -0800, Chuck Swiger wrote:
> On Jan 16, 2009, at 3:50 AM, Eugene Perevyazko wrote:
> >On Fri, Jan 16, 2009 at 12:20:21PM +0300, Alexey Ivanov wrote:
> >>Is there any command identical to:
> >>       iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
> >>
> >>If no, does anyone ever tried to implement this feature?
> >
> >I'm thinking on implementing it in ipfw but it'll be a week or two  
> >later,
> >when I will have some free time.
> 
> Note that net/honeyd and security/labrea offer somewhat similar  
> functionality.
> 
The main aim of a tarpit in a firewall is IMHO to lock out a "crime in progress",
for example to slow down somebody brute-forcing your ftp/pop/ssh/whatever.
Script kiddies hammer well-known services almost constantly, and
neither denying nor resetting is effective at slowing them down. I often see in logs
that after the host starts resetting connections from one IP, the brute-forcing continues
from another IP from just the same place in the wordlist.
And if I use something like "fwd localhost,labreaport tcp from badip to me",
I'm not sure it will succeed with an already established connection.

Eugene Perevyazko


