Tarpits


As of version 1.2.7a the netfilter firewall tool iptables has had a TARPIT target available (as a patch-o-matic extension rather than part of the stock kernel), but the first I had heard of it was the other day on SecurityFocus, in an article by Tony Bautts. The TARPIT target is an offshoot of the LaBrea project. LaBrea is the brainchild of Tom Liston, and you can read about it at HackBusters.net and at its new official site on SourceForge.net. What the TARPIT target does is slow the spread of an infection down, presumably so we have more time to react to outbreaks.
The idea is that when an offending scan comes in we accept the connection and then set it up in such a way that the attacker can't close it for 12 to 24 minutes. TARPIT completes the TCP handshake, then advertises a zero receive window and ignores the attacker's attempts to tear the connection down, so the attacking host's TCP stack keeps the socket tied up until its own timers give up.
We know that the Blaster worm (msblast.exe) was targeting port 135/tcp to spread. So on interfaces and addresses where we don't expect port 135 traffic we accept the traffic and hang the attacking computer up.
The iptables command would look something like:
iptables -A INPUT -p tcp --dport 135 -j TARPIT
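A single TARPIT rule is rarely the whole story: tarpitted connections live for a long time, so you want them kept out of connection tracking, you want the rule pinned to the interface where port 135 traffic is never legitimate, and you want a rate-limited log of who is hitting you. The script below is an added example, not from the original post or the netfilter project; it generates that rule set for an interface and a list of ports (eth0 and 135 are assumed placeholders) and only applies it when you explicitly ask. It assumes an iptables build that has the TARPIT target and the raw table's NOTRACK target.

```shell
#!/bin/sh
# Build (and optionally apply) an iptables TARPIT rule set for ports on which
# we never expect legitimate traffic. Added example; assumes the TARPIT target
# (patch-o-matic / xtables-addons) and the raw table with NOTRACK are available.

# tarpit_rules IFACE PORT [PORT...]  -> prints the iptables commands, one per line
tarpit_rules() {
    iface="$1"; shift
    for port in "$@"; do
        # Keep tarpitted flows out of conntrack: each held-open connection would
        # otherwise occupy a connection tracking entry for its whole lifetime.
        echo "iptables -t raw -A PREROUTING -i $iface -p tcp --dport $port -j NOTRACK"
        # Log the initial SYN of each scan, rate-limited so a worm cannot flood syslog.
        echo "iptables -A INPUT -i $iface -p tcp --dport $port --syn -m limit --limit 5/min -j LOG --log-prefix \"TARPIT $port: \""
        # Accept the connection and hold it open (zero window, ignore FIN/RST).
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -j TARPIT"
    done
}

# tarpit_apply IFACE PORT [PORT...]  -> runs the generated commands (needs root)
tarpit_apply() {
    tarpit_rules "$@" | sh -e
}

# Stand-alone usage: show, but do not apply, the rules for port 135 on eth0.
tarpit_rules eth0 135
```

Review the printed rules, then run `tarpit_apply eth0 135` as root once you are sure eth0 is an interface where nothing of yours should ever talk to port 135. The NOTRACK rule goes in first because the raw table is consulted before conntrack sees the packet.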
If you run Red Hat you'll need to pick up an updated iptables RPM over at gnumonks (www.gnumonks.org), and while you're there you may want to check out the matching ulogd RPM for packet logging.
Please don't deploy this in a production environment until you have tested it out first. Misconfigure it, for instance by tarpitting a port your own hosts legitimately connect to, or by letting tarpitted connections fill the connection tracking table, and you could cause yourself some big problems. You've been warned; now have fun in the tarpits.
