Diffstat (limited to 'content/posts/2004-01-12-tarpitting-in-iptables.html')
-rw-r--r-- | content/posts/2004-01-12-tarpitting-in-iptables.html | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/content/posts/2004-01-12-tarpitting-in-iptables.html b/content/posts/2004-01-12-tarpitting-in-iptables.html new file mode 100644 index 0000000..5210868 --- /dev/null +++ b/content/posts/2004-01-12-tarpitting-in-iptables.html @@ -0,0 +1,33 @@ +--- +date: "2004-01-12T00:10:53Z" +title: tarpitting in iptables +--- + +<p> +The incredible <a +href='http://www.propylon.com/news/ctoarticles/lurking_030415.html'>lurking</a> +Pablo strikes again! I saw this bit on <acronym +title='Internet Relay Chat'>IRC</acronym> an hour ago: +</p> + +<pre> +23:09 <ljlane> wow, read some really evil tarpitting stuff +23:10 <radsaq> really? +23:11 <ljlane> yeah, <a href='http://www.securityfocus.com/infocus/1723'>http://www.securityfocus.com/infocus/1723</a> +23:11 <ljlane> tarpit just before your drop rule. tarpit all ports, tarpit + unused nets, etc +</pre> + +<p> +Interesting stuff. That said, I still prefer <a +href='http://www.snowman.net/'>Stephen's (Snow-Man)</a> more draconian +approach; hitting an invalid port tosses you in an <a +href='http://snowman.net/projects/ipt_recent/'><code>ipt_recent</code></a> +list, which drops <em>all</em> of your traffic for a few minutes. The +tarpitting approach, while effective at slowing down and confusing a +probe, still leaves you vulnerable. The <a +href='http://snowman.net/projects/ipt_recent/'><code>ipt_recent</code></a> +approach kills automated port scans almost completely, without using as +many resources on the firewall. +</p> + |
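Review bot: the IRC nicknames inside the <pre> block are written as raw angle-bracket text ("23:09 <ljlane> wow, read some really evil tarpitting stuff", "23:10 <radsaq> really?"), so an HTML parser will take <ljlane> and <radsaq> as unknown start tags and the nicks vanish from the rendered transcript, leaving only the timestamps. Escape them as "&lt;ljlane&gt;" and "&lt;radsaq&gt;" while keeping the embedded <a href='http://www.securityfocus.com/infocus/1723'> link as real markup, and check the wrapped continuation line "unused nets, etc" still reads as part of the 23:11 message once the nicks render. Minor: <acronym title='Internet Relay Chat'> is obsolete in HTML5; <abbr> with the same title attribute is the replacement.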