Robert Waldner wrote:
> On Tue, 10 Aug 2004 20:50:13 +1000, Russell Coker writes:
> > Maybe the thing to do would be to write a server that establishes the HTTP
> > protocol and then sets the TCP window size to zero (to tar-pit connections).
> > Such a server program could listen on every IP address that's not used for
> > a real web server and tie up resources on the zombie machines without
> > wasting space in log files.
>
> Why limit yourself to HTTP?
>
> http://packages.debian.org/testing/net/labrea
> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> a "sticky" honeypot and IDS
> LaBrea takes over unused IP addresses, and creates virtual servers that are
> attractive to worms, hackers, and other denizens of the Internet. The program
> answers connection attempts in such a way that the machine at the other end
> gets "stuck", sometimes for a very long time.
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
If you are not using connection tracking in netfilter, you could use the TARPIT target as in:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

You could combine it with match by string if you want to be more selective about the kind of HTTP traffic to tarpit (not effective against an attack designed to bypass an IDS, but more than enough for a worm). The TARPIT target in netfilter is not recommended in combination with conntrack, since you will be wasting resources in your box...
The TARPIT target is standard in the iptables package of Debian unstable (at least from Version: 1.2.11-2).
More information in:

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT
http://www.spinics.net/lists/netfilter/msg17583.html
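As an added illustration of the userspace tarpit Russell Coker sketches in the quoted message (this is example code written for this page, not code from the thread, from LaBrea or from netfilter): a small Python listener that reads one segment of the request, answers with an HTTP header promising a body it never sends, and then parks the connection. The accepted sockets carry a deliberately tiny receive buffer and are never read again, so once the peer pushes a little more data the kernel advertises a zero TCP window and the peer's sends stall. The loopback address, the buffer size and the `probe` client are constructed for the example; that accepted sockets inherit `SO_RCVBUF` from the listener is Linux behaviour and is assumed here. The netfilter TARPIT rule above does the same job inside the kernel without holding a socket per stuck connection, which is also the caveat for this version: every parked connection costs the tarpit host a file descriptor.

```python
"""Minimal userspace HTTP tarpit: speak just enough HTTP, then go silent."""
import socket
import threading

# Constructed for the example: loopback address and a small receive buffer
# (Linux doubles the requested value and applies its own minimum).
LISTEN_HOST = "127.0.0.1"
SMALL_RCVBUF = 1024

# Header that promises a body the tarpit never sends; a client that honours
# Content-Length sits waiting for the remaining bytes.
TARPIT_HEADER = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Content-Length: 1000000\r\n"
                 b"Connection: keep-alive\r\n\r\n")


class HttpTarpit:
    """Accept connections, read one segment, send a header, then never touch them again."""

    def __init__(self, host=LISTEN_HOST, port=0, rcvbuf=SMALL_RCVBUF):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Accepted sockets inherit this buffer (assumed Linux behaviour). Since
        # we stop reading, it fills quickly and the kernel then advertises a
        # zero window, the userspace approximation of what TARPIT does.
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self._srv.bind((host, port))
        self._srv.listen(128)
        self.port = self._srv.getsockname()[1]
        self._lock = threading.Lock()
        self._stuck = []   # parked sockets; holding the reference keeps them open
        self._seen = []    # (peer, request line) for the operator, not a full log
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:   # listener closed
                return
            threading.Thread(target=self._park, args=(conn, peer), daemon=True).start()

    def _park(self, conn, peer):
        conn.settimeout(5.0)
        try:
            first = conn.recv(512)        # read only the first segment
            conn.sendall(TARPIT_HEADER)   # "establish the HTTP protocol"
        except OSError:
            conn.close()
            return
        conn.settimeout(None)
        request_line = first.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        with self._lock:
            self._seen.append((peer, request_line))
            self._stuck.append(conn)      # from here on: no recv, no send, no close

    def stuck_count(self):
        with self._lock:
            return len(self._stuck)

    def seen(self):
        with self._lock:
            return list(self._seen)

    def close(self):
        self._srv.close()
        with self._lock:
            for c in self._stuck:
                c.close()
            self._stuck.clear()


def probe(port, timeout=1.0):
    """Act as a client against the tarpit; return whatever arrives before the timeout."""
    c = socket.create_connection((LISTEN_HOST, port))
    c.sendall(b"GET / HTTP/1.0\r\nHost: tarpit.example\r\n\r\n")  # constructed request
    c.settimeout(timeout)
    received = b""
    try:
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    except socket.timeout:
        pass   # the body never comes: the client is stuck
    c.close()
    return received


if __name__ == "__main__":
    tarpit = HttpTarpit().start()
    print("listening on %s:%d" % (LISTEN_HOST, tarpit.port))
    print("client got %d header bytes, then hung" % len(probe(tarpit.port)))
    print("connections parked:", tarpit.stuck_count(), tarpit.seen())
    tarpit.close()
```

Run it and the probe client receives exactly the header and then waits until its timeout, while the tarpit keeps the socket parked; bind the listener to the unused addresses instead of loopback to use it the way the thread suggests.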