* tarpit before or after adding chain?
@ 2005-12-17  6:19 Eric
  2005-12-17  9:13 ` Georgi Alexandrov
  0 siblings, 1 reply; 7+ messages in thread
From: Eric @ 2005-12-17  6:19 UTC (permalink / raw)
  To: netfilter mailing list

I'm a little confused about when to add the TARPIT trap.

iptables -N SPECIAL # add special chain for tarpit usage

*HERE*?
iptables -A SPECIAL -p tcp -j TARPIT

#
# the following string match rules screen out nimda and other crap
#
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "/default.ida?"     -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string ".exe?/c+dir"       -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string ".exe?/c+tftp"      -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "cmd.exe"           -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "vti_bin"           -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "nsiislog.dll"      -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "click-network.com" -j SPECIAL

*OR HERE?*
iptables -A SPECIAL -p tcp -j TARPIT

Thanks
Eric



* RE: tarpit before or after adding chain?
@ 2005-12-17  7:25 Gary W. Smith
  2005-12-17  9:17 ` Georgi Alexandrov
  0 siblings, 1 reply; 7+ messages in thread
From: Gary W. Smith @ 2005-12-17  7:25 UTC (permalink / raw)
  To: Eric, netfilter mailing list

It shouldn't matter.  You can add rules that jump to a chain, as long as
the chain exists, even if it's empty.  Then later you can add rules to that
chain.

This should also work.  We tarpit all data which should never
come through our firewalls.  We also disabled tracking for the same.  We
don't want the firewall wasting resources on this garbage.  Another
trick that we do is to dedicate a high/low IP for catching things
like SQL, HTTP, VNC, RDC, etc.  This way, things walking the network will
sometimes get hung, if they are not threaded.

YMMV (some of this is off the top of my head or pulled from an
iptables-save -- order is preserved, please consult the man page for exact
syntax)

iptables -t raw -A PREROUTING -i eth0 -p tcp -m multiport \
	--dports 135,139,445 -j NOTRACK

iptables -N filter_tarpit
iptables -A INPUT -i eth0 -j filter_tarpit
iptables -A FORWARD -i eth0 -j filter_tarpit

iptables -A filter_tarpit -p tcp -m multiport \
	--dports 135,139,445 \
	-j LOG --log-prefix "TARPIT: " --log-level 6
iptables -A filter_tarpit -p tcp -m multiport \
	--dports 135,139,445 -j TARPIT

Hope this helps, 

Gary Wayne Smith

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Eric
> Sent: Friday, December 16, 2005 10:20 PM
> To: netfilter mailing list
> Subject: tarpit before or after adding chain?
> 
> I'm a little confused about when to add the TARPIT trap.
> 
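The ordering point Gary makes above (a jump rule only needs its target chain to exist at the moment the rule is added, and the verdict a packet gets depends on the final rule set in chain order, not on the order the commands were typed) can be checked with a small model of netfilter chain traversal. This is an added example written for this page, not iptables code and not anything posted in the thread; the `Table`, `Rule` and `Packet` classes, the tiny match subset (`-p`, `--dport`, `-m string` modelled as substring search) and the sample HTTP payloads are all constructed for illustration. It builds Eric's ruleset both ways, shows that both orderings give the same verdicts for every packet, and shows that the one thing which is actually rejected is appending a `-j SPECIAL` rule before `iptables -N SPECIAL`.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed sample packet: just the fields the rules below look at."""
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    """One iptables rule: optional -p / --dport / -m string matches, plus a target."""
    target: str                     # ACCEPT, DROP, TARPIT ... or a user chain to jump to
    proto: str | None = None        # -p tcp
    dport: int | None = None        # --dport 80
    string: bytes | None = None     # -m string --string "..." (modelled as substring search)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.string is not None and self.string not in pkt.payload:
            return False
        return True


TERMINAL = {"ACCEPT", "DROP", "REJECT", "TARPIT"}   # verdicts that end traversal


class Table:
    """Toy filter table: built-in chains carry a policy, user chains end in RETURN."""

    def __init__(self) -> None:
        self.chains: dict[str, list[Rule]] = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy: dict[str, str] = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def new_chain(self, name: str) -> None:            # iptables -N <name>
        if name in self.chains:
            raise ValueError(f"Chain already exists: {name}")
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A <chain> ... -j <target>
        if chain not in self.chains:
            raise KeyError(f"No chain/target/match by that name: {chain}")
        if rule.target not in TERMINAL and rule.target not in self.chains:
            # The only ordering constraint: a jump target must exist when the rule is
            # added.  It may still be empty; rules can be appended to it later.
            raise KeyError(f"No chain/target/match by that name: {rule.target}")
        self.chains[chain].append(rule)

    def verdict(self, chain: str, pkt: Packet) -> str:
        """Walk <chain> in rule order; descend into user chains on a jump."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            sub = self.verdict(rule.target, pkt)
            if sub != "RETURN":
                return sub          # the user chain reached a terminal verdict
            # the user chain fell off its end: continue with the next rule here
        return self.policy.get(chain, "RETURN")


# The signatures from Eric's INPUT rules (taken from the thread, not invented)
NIMDA_STRINGS = [b"/default.ida?", b".exe?/c+dir", b".exe?/c+tftp", b"cmd.exe",
                 b"vti_bin", b"nsiislog.dll", b"click-network.com"]


def build(tarpit_first: bool) -> Table:
    """Eric's ruleset, with the TARPIT rule added at *HERE* (True) or *OR HERE* (False)."""
    t = Table()
    t.new_chain("SPECIAL")
    if tarpit_first:
        t.append("SPECIAL", Rule("TARPIT", proto="tcp"))
    for sig in NIMDA_STRINGS:
        t.append("INPUT", Rule("SPECIAL", proto="tcp", dport=80, string=sig))
    if not tarpit_first:
        t.append("SPECIAL", Rule("TARPIT", proto="tcp"))
    return t


def classify(pkt: Packet) -> tuple[str, str]:
    """Verdict under both orderings; the two elements are always equal."""
    return build(True).verdict("INPUT", pkt), build(False).verdict("INPUT", pkt)


def jump_before_create_fails() -> bool:
    """Appending '-j SPECIAL' before 'iptables -N SPECIAL' is what actually fails."""
    t = Table()
    try:
        t.append("INPUT", Rule("SPECIAL", proto="tcp", dport=80, string=b"cmd.exe"))
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payloads: one worm-style probe, one ordinary request
    probe = Packet("tcp", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0")
    normal = Packet("tcp", 80, b"GET /index.html HTTP/1.1")
    print(classify(probe), classify(normal), jump_before_create_fails())
```

Two caveats the model deliberately keeps visible: the match in `SPECIAL` is `-p tcp` only, so anything jumped there over TCP is tarpitted, which is fine because every jump rule in `INPUT` already requires TCP port 80; and each `-m string` rule is a scan of the packet payload, so the cost grows with the number of rules times the traffic rate, which is the concern raised later in this thread. TARPIT itself is not part of stock iptables; it comes from the netfilter add-on patches (patch-o-matic at the time, later Xtables-addons).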



* Re: tarpit before or after adding chain?
  2005-12-17  6:19 tarpit before or after adding chain? Eric
@ 2005-12-17  9:13 ` Georgi Alexandrov
  2005-12-18  6:44   ` Leonardo Rodrigues Magalhães
  2006-01-03  7:24   ` Jan Engelhardt
  0 siblings, 2 replies; 7+ messages in thread
From: Georgi Alexandrov @ 2005-12-17  9:13 UTC (permalink / raw)
  To: netfilter

Eric wrote:

> I'm a little confused about when to add the TARPIT trap.
>
> iptables -N SPECIAL # add special chain for tarpit usage
>
> *HERE*?
> iptables -A SPECIAL -p tcp -j TARPIT
>
> #
> # the following string match rules screen out nimda and other crap
> #
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string "/default.ida?"     -j SPECIAL
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string ".exe?/c+dir"       -j SPECIAL
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string ".exe?/c+tftp"      -j SPECIAL
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string "cmd.exe"           -j SPECIAL
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string "vti_bin"           -j SPECIAL
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string "nsiislog.dll"      -j SPECIAL
> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>     --string "click-network.com" -j SPECIAL
>
> *OR HERE?*
> iptables -A SPECIAL -p tcp -j TARPIT
>
> Thanks
> Eric
>
>
And again ... why do you need all this, when you're running Linux and 
those are of no harm in any way to your system?
Or are you with those guys trying to complicate their lives every single day?



* Re: tarpit before or after adding chain?
  2005-12-17  7:25 Gary W. Smith
@ 2005-12-17  9:17 ` Georgi Alexandrov
  0 siblings, 0 replies; 7+ messages in thread
From: Georgi Alexandrov @ 2005-12-17  9:17 UTC (permalink / raw)
  To: netfilter

Gary W. Smith wrote:

>This should also work as well.  We tarpit all data which should never
>come through our firewalls.  We also disabled tracking for the same.  We
>don't want the firewall wasting resources on this garbage.  Another
>trick that we do is we also dedicate a high/low IP for catching things
>like SQL, HTTP, VNC, RDC, etc.  This was things walking the network will
>sometimes get hung, if they are not threaded.
>  
>
I don't think that his *one or two per day* cmd.exe automatic scans will 
get "through his firewall", or will "waste resources".
Maybe filling your firewall with those useless rules will waste more 
resources? ;-)

*Think again* (as seen on the National Geographic channel)


regards,
Georgi Alexandrov



* RE: tarpit before or after adding chain?
@ 2005-12-17 17:27 Gary W. Smith
  0 siblings, 0 replies; 7+ messages in thread
From: Gary W. Smith @ 2005-12-17 17:27 UTC (permalink / raw)
  To: Georgi Alexandrov, netfilter

We have a class /21 block so it's more than a few a day for us.  So I
just do it for general purposes.  But yes, you do not have to drop
connection tracking for this.  In our case, it's a couple per second and
our connection tracking gets filled up pretty quick.

But just because he is running Linux doesn't make this invalid.  We use
Linux boxes to slow people from hitting the Windows boxes with their
afflicted boxes.  So it suddenly makes sense to do what he is doing if
he is using it in that capacity.

When these rules go off on our boxes, we use them to build out temporary
filter rules as well, using some scripts.

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Georgi Alexandrov
> Sent: Saturday, December 17, 2005 1:18 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: tarpit before or after adding chain?
> 
> Gary W. Smith wrote:
> 
> >This should also work as well.  We tarpit all data which should never
> >come through our firewalls.  We also disabled tracking for the same.  We
> >don't want the firewall wasting resources on this garbage.  Another
> >trick that we do is we also dedicate a high/low IP for catching things
> >like SQL, HTTP, VNC, RDC, etc.  This was things walking the network will
> >sometimes get hung, if they are not threaded.
> >
> >
> I don't think that his *one or two per day* cmd.exe automatic scans will
> get "through his firewall",
> or will "waste resources".
> Maybe filling your firewall with those useless rules will waste more
> resources? ;-)
> 
> *Think again* (as seen in the national geographic channel)
> 
> 
> regards,
> Georgi Alexandrov




* Re: tarpit before or after adding chain?
  2005-12-17  9:13 ` Georgi Alexandrov
@ 2005-12-18  6:44   ` Leonardo Rodrigues Magalhães
  2006-01-03  7:24   ` Jan Engelhardt
  1 sibling, 0 replies; 7+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2005-12-18  6:44 UTC (permalink / raw)
  To: netfilter



>> I'm a little confused about when to add the TARPIT trap.
>>
>> iptables -N SPECIAL # add special chain for tarpit usage
>>
>> *HERE*?
>> iptables -A SPECIAL -p tcp -j TARPIT
>>
>> #
>> # the following string match rules screen out nimda and other crap
>> #
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string "/default.ida?"     -j SPECIAL
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string ".exe?/c+dir"       -j SPECIAL
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string ".exe?/c+tftp"      -j SPECIAL
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string "cmd.exe"           -j SPECIAL
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string "vti_bin"           -j SPECIAL
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string "nsiislog.dll"      -j SPECIAL
>> iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
>>     --string "click-network.com" -j SPECIAL
>>
>> *OR HERE?*
>> iptables -A SPECIAL -p tcp -j TARPIT
>>


   I'm looking at all these string rules and trying to imagine how your 
CPU usage will get high, as it seems you have a not-very-low traffic 
network ... nobody with a /21 network will have low traffic, 
especially tcp/80 traffic!

   I haven't used string for a while now. In fact I have never used it 
since I moved to the 2.6 kernel. I know it has been ported recently, but I 
have never used it yet. But I remember ... it's not that long ago ... 
the 2.4 kernel time ... all the headaches of CPU usage getting to 
astronomic levels because of 20-30 string rules on a busy network ... 
I will never forget that ... :)

   Take it easy with the string module, that's my advice ...

-- 

	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@solutti.com.br


* Re: tarpit before or after adding chain?
  2005-12-17  9:13 ` Georgi Alexandrov
  2005-12-18  6:44   ` Leonardo Rodrigues Magalhães
@ 2006-01-03  7:24   ` Jan Engelhardt
  1 sibling, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2006-01-03  7:24 UTC (permalink / raw)
  To: Georgi Alexandrov; +Cc: netfilter

>> iptables -A INPUT -i eth0 -p tcp  --dport 80 -m string --algo bm --string
>> "/default.ida?"     -j SPECIAL
> And again ... why do you need all this, when you're running linux and those are
> no harm in any way to your system?
> Or you are with those guys trying to complex their lifes every single day?

Yes, that's what TARPIT was invented for.


Jan Engelhardt
-- 


