Linux Netfilter discussions
* Re: General denial question (tarpitting)
       [not found] <Pine.LNX.4.44.0403251546510.29753-100000@e-smith.charlieb.ott.istop.com>
@ 2004-03-25 21:22 ` David Nicol
  2004-03-26  4:40   ` Daniel Chemko
  0 siblings, 1 reply; 4+ messages in thread
From: David Nicol @ 2004-03-25 21:22 UTC (permalink / raw)
  To: Charlie Brady, qpsmtpd ML, netfilter



Charlie Brady wrote, on the qpsmtpd list, which is about
a perl drop-in replacement for qmail-smtpd:

> If you are going to undertake the noble task of sucking up their 
> bandwidth, then I'd suggest that you do the job thoroughly, and make sure 
> that their TCP stack decides to retransmit as many packets as possible. 
> Use iptables (for instance) to selectively/randomly drop packets.

That's brilliant!  does iptables have a TARPIT target that causes
the peer to retransmit as much as possible? Can we add one?

CC to netfilter@lists.netfilter.org, the iptables discussion list.



* Re: General denial question (tarpitting)
  2004-03-25 21:22 ` General denial question (tarpitting) David Nicol
@ 2004-03-26  4:40   ` Daniel Chemko
  2004-03-28 22:59     ` Alex Satrapa
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel Chemko @ 2004-03-26  4:40 UTC (permalink / raw)
  To: David Nicol; +Cc: Charlie Brady, qpsmtpd ML, netfilter

Check out the Patch-o-matic enhancements to netfilter.
TARPIT? Check.

David Nicol wrote:

>
>
> Charlie Brady wrote, on the qpsmtpd list, which is about
> a perl drop-in replacement for qmail-smtpd:
>
>> If you are going to undertake the noble task of sucking up their 
>> bandwidth, then I'd suggest that you do the job thoroughly, and make 
>> sure that their TCP stack decides to retransmit as many packets as 
>> possible. Use iptables (for instance) to selectively/randomly drop 
>> packets.
>
>
> That's brilliant!  does iptables have a TARPIT target that causes
> the peer to retransmit as much as possible? Can we add one?
>
> CC to netfilter@lists.netfilter.org, the iptables discussion list.
>



* RE: General denial question (tarpitting)
@ 2004-03-26 17:05 Steve Jones
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Jones @ 2004-03-26 17:05 UTC (permalink / raw)
  To: netfilter

Anyone got TARPIT working on Kernel 2.6.x?  POM says it's only for 2.4.x
Kernels (and I can't seem to get it working on my stock RH9 machine)

I'd be grateful for any info on this!

Thanks!
-Steve

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Daniel Chemko
Sent: Thursday, March 25, 2004 11:41 PM
To: David Nicol
Cc: Charlie Brady; qpsmtpd ML; netfilter@lists.netfilter.org
Subject: Re: General denial question (tarpitting)

Check out the Patch-o-matic enhancements to netfilter.
TARPIT? Check.

David Nicol wrote:

>
>
> Charlie Brady wrote, on the qpsmtpd list, which is about
> a perl drop-in replacement for qmail-smtpd:
>
>> If you are going to undertake the noble task of sucking up their 
>> bandwidth, then I'd suggest that you do the job thoroughly, and make 
>> sure that their TCP stack decides to retransmit as many packets as 
>> possible. Use iptables (for instance) to selectively/randomly drop 
>> packets.
>
>
> That's brilliant!  does iptables have a TARPIT target that causes
> the peer to retransmit as much as possible? Can we add one?
>
> CC to netfilter@lists.netfilter.org, the iptables discussion list.
>



* Re: General denial question (tarpitting)
  2004-03-26  4:40   ` Daniel Chemko
@ 2004-03-28 22:59     ` Alex Satrapa
  0 siblings, 0 replies; 4+ messages in thread
From: Alex Satrapa @ 2004-03-28 22:59 UTC (permalink / raw)
  To: netfilter

Daniel Chemko wrote:
> Check out the Patch-o-matic enhancements to netfilter.
> TARPIT? Check.

>> Charlie Brady wrote, on the qpsmtpd list, which is about
>> a perl drop-in replacement for qmail-smtpd:
>>
>>> If you are going to undertake the noble task of sucking up their 
>>> bandwidth, then I'd suggest that you do the job thoroughly, and make 
>>> sure that their TCP stack decides to retransmit as many packets as 
>>> possible. Use iptables (for instance) to selectively/randomly drop 
>>> packets.

Note that any kind of packet loss as high as 5% will cause the TCP stream to wither and die. I'm not sure of the exact numbers, but if 1 in 20 packets goes missing, you'll find the TCP flow-control ends up backing off more than it regains through the slow-start mechanism. Remember, TCP treats packet loss as a symptom of congestion. The protocol cannot handle sustained packet loss for any other reason.

TARPIT simply causes the transmission to cease by setting the window size to 0. TARPIT achieves DoS only if enough "targeted" sites use the TARPIT option, thus depriving the originator of system resources (required for tracking the connection). TARPIT keeps the connection alive (ACK packets flow freely), but prevents the resources being released, since the data isn't flowing.

Neither packet loss nor TARPIT will result in a demand-side bandwidth DoS.

If you want to achieve DoS by continual retransmission, you'll have to keep sending back ACKs for one particular sequence number, claiming a very large window.

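The zero-window behaviour Alex describes above, shown as an added example written for this page (Python; it is not code from qpsmtpd, netfilter or the patch-o-matic TARPIT target). It is a userspace tarpit of the kind an SMTP daemon can implement on its own: a server that accepts connections and never reads from them. The receive buffer fills, the kernel advertises a zero window, ACKs keep flowing so the connection stays ESTABLISHED, and the sender's data stops while its send buffer and connection state remain pinned. The example assumes Linux socket semantics and a loopback address; the buffer sizes (4096 and 16384 bytes) and the 0.5 s drain timeout are values chosen for the demonstration, not anything from the thread.

```python
import select
import socket
import threading
import time


class Tarpit:
    """Accept TCP connections and never read from them.

    With a deliberately tiny receive buffer the kernel soon advertises a
    zero window: the connection stays open (ACKs and window probes are
    still answered) but no further data is accepted from the peer.
    """

    def __init__(self, rcvbuf=4096):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Set on the listening socket so accepted sockets inherit it before
        # the receive window is negotiated in the SYN/ACK.
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self.srv.bind(("127.0.0.1", 0))          # loopback, ephemeral port
        self.srv.listen(16)
        self.srv.settimeout(0.2)
        self.addr = self.srv.getsockname()
        self.held = []                           # accepted sockets, never read
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            self.held.append(conn)               # keep it open, never recv()

    def close(self):
        self._stop.set()
        self._thread.join()
        for conn in self.held:
            conn.close()
        self.srv.close()


def flood_until_stalled(addr, sndbuf=16384, chunk=b"X" * 4096, deadline=10.0):
    """Write to the tarpit until the local send buffer stops draining.

    Returns (bytes_sent, stalled, still_open).  'stalled' means the kernel
    could not free any send-buffer space for 0.5 s, i.e. the peer's window
    is closed; 'still_open' means the connection was neither closed nor
    reset, which is exactly what a tarpit wants.
    """
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # A fixed send buffer (this disables autotuning) keeps the stall point
    # bounded so the demonstration finishes quickly.
    c.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, sndbuf)
    c.connect(addr)
    c.setblocking(False)
    sent, stalled = 0, False
    end = time.monotonic() + deadline
    while time.monotonic() < end:
        try:
            sent += c.send(chunk)
            continue
        except BlockingIOError:
            pass                                 # local send buffer is full
        except OSError:
            break                                # reset or similar: not a tarpit
        # With an open peer window the kernel drains the buffer within
        # milliseconds; with a zero window it never does.
        _, writable, _ = select.select([], [c], [], 0.5)
        if not writable:
            stalled = True
            break
    try:
        c.recv(1)
        still_open = False                       # EOF or data: tarpit broken
    except BlockingIOError:
        still_open = True                        # ESTABLISHED, just no data
    except OSError:
        still_open = False                       # reset
    c.close()
    return sent, stalled, still_open


def demo():
    """Run one client against the tarpit and report what happened."""
    pit = Tarpit()
    try:
        sent, stalled, still_open = flood_until_stalled(pit.addr)
    finally:
        pit.close()
    return {"bytes_sent": sent, "stalled": stalled,
            "still_open": still_open, "connections_held": len(pit.held)}


if __name__ == "__main__":
    print(demo())
```

The point of the example is the combination of `stalled` and `still_open`: the sender cannot make progress, yet its socket, its send buffer and its connection-tracking state all stay allocated, which is the resource-side effect Alex describes rather than a bandwidth one. Doing this from a daemon costs the tarpitting side a socket per held connection; the netfilter TARPIT target (since moved from patch-o-matic into xtables-addons) produces the same zero-window replies on the wire without the local host keeping a socket or conntrack entry for the peer.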

