[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IIS worms and apache

Robert Waldner wrote:
On Tue, 10 Aug 2004 20:50:13 +1000, Russell Coker writes:

Maybe the thing to do would be to write a server that establishes the HTTP protocol and then sets the TCP window size to zero (to tar-pit connections). Such a server program could listen on every IP address that's not used for a real web server and tie up resources on the zombie machines without wasting space in log files.

Why limit yourself to HTTP?

a "sticky" honeypot and IDS

LaBrea takes over unused IP addresses, and creates virtual servers that
 are attractive to worms, hackers, and other denizens of the Internet.
 The program answers connection attempts in such a way that the machine
at the other end gets "stuck", sometimes for a very long time. -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

If you are not using connection tracking in netfilter, you could use the TARPIT target as in:

iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

You could combine it with match by string if you want to be more selective about the kind of http traffic to tarpit (not effective against an attack designed to bypass an IDS, but more than enough for a worm). The TARPIT target in netfilter is not recommended in combination with conntrack, since you will be wasting resources in your box...

The TARPIT target is standard in the iptables package of an unstable Debian (at least from Version: 1.2.11-2).

More information in:


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: