diff options
author | Paul Duncan <pabs@pablotron.org> | 2021-10-14 12:47:50 -0400 |
---|---|---|
committer | Paul Duncan <pabs@pablotron.org> | 2021-10-14 12:47:50 -0400 |
commit | 4b6c0e31385f5f27a151088c0a2b614495c4e589 (patch) | |
tree | 12243cdcd00704bc1a9d94ac9cc128459417370c /content/posts/2004-01-12-tarpitting-in-iptables.html | |
download | pablotron.org-4b6c0e31385f5f27a151088c0a2b614495c4e589.tar.bz2 pablotron.org-4b6c0e31385f5f27a151088c0a2b614495c4e589.zip |
initial commit, including theme
Diffstat (limited to 'content/posts/2004-01-12-tarpitting-in-iptables.html')
-rw-r--r-- | content/posts/2004-01-12-tarpitting-in-iptables.html | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/content/posts/2004-01-12-tarpitting-in-iptables.html b/content/posts/2004-01-12-tarpitting-in-iptables.html new file mode 100644 index 0000000..5210868 --- /dev/null +++ b/content/posts/2004-01-12-tarpitting-in-iptables.html @@ -0,0 +1,33 @@ +--- +date: "2004-01-12T00:10:53Z" +title: tarpitting in iptables +--- + +<p> +The incredible <a +href='http://www.propylon.com/news/ctoarticles/lurking_030415.html'>lurking</a> +Pablo strikes again! I saw this bit on <acronym +title='Internet Relay Chat'>IRC</acronym> an hour ago: +</p> + +<pre> +23:09 <ljlane> wow, read some really evil tarpitting stuff +23:10 <radsaq> really? +23:11 <ljlane> yeah, <a href='http://www.securityfocus.com/infocus/1723'>http://www.securityfocus.com/infocus/1723</a> +23:11 <ljlane> tarpit just before your drop rule. tarpit all ports, tarpit + unused nets, etc +</pre> + +<p> +Interesting stuff. That said, I still prefer <a +href='http://www.snowman.net/'>Stephen's (Snow-Man)</a> more draconian +approach; hitting an invalid port tosses you in an <a +href='http://snowman.net/projects/ipt_recent/'><code>ipt_recent</code></a> +list, which drops <em>all</em> of your traffic for a few minutes. The +tarpitting approach, while effective at slowing down and confusing a +probe, still leaves you vulnerable. The <a +href='http://snowman.net/projects/ipt_recent/'><code>ipt_recent</code></a> +approach kills automated port scans almost completely, without using as +many resources on the firewall. +</p> + |