Here's a minimalist patch-in-patch against the Linux iptables 1.2.6a
to add a "--reject-with tcp-synack" option to the REJECT
extension. TCP SYN packets are replied to with a valid SYN-ACK, all others
are dropped.
This will leave incoming connections in the ESTABLISHED state on the
remote side, significantly slowing down Code Red or Nimda-style scans
of the entire IP space, while requiring no local per-connection resources.
This offers the same functionality as LaBrea - The Tarpit
but doesn't require dedicated
hardware or IPs. Any TCP port that you would normally DROP or
REJECT can instead become a tarpit:
Example:
iptables -A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-synack
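The following is an added model of what the tcp-synack target does on the wire; it is not code from the patch or from iptables. It parses a 20-byte TCP header, answers a bare SYN with a checksum-correct SYN-ACK (ports swapped, ack = seq + 1) and returns None (drop) for every other segment. The ISN is derived from the 4-tuple so that no per-connection table is needed; that derivation, the 1024-byte window and the 192.0.2.x addresses are constructed for the example, not taken from the patch.

```python
import socket
import struct
import zlib

# TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# sport, dport, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over an arbitrary byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header; 0 means the segment verifies."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (options, if any, are ignored)."""
    sport, dport, seq, ack, offset, flags, win, csum, urg = TCP_HDR.unpack(segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "checksum": csum}


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window) -> bytes:
    """Build a 20-byte TCP header with a correct checksum (no options, no payload)."""
    hdr = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, csum, 0)


def tarpit_reply(src_ip: str, dst_ip: str, segment: bytes):
    """Model of the tcp-synack target: answer a bare SYN with a SYN-ACK, drop all else.

    Returns the reply header bytes, or None when the segment is dropped.
    Nothing is stored between calls: the ISN is a function of the 4-tuple
    (a constructed choice here), so the tarpit keeps no per-connection state.
    """
    h = parse_tcp(segment)
    if h["flags"] & (SYN | ACK | RST) != SYN:
        return None
    key = struct.pack("!4s4sHH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      h["sport"], h["dport"])
    isn = zlib.crc32(key) & 0xFFFFFFFF
    return build_tcp(dst_ip, src_ip, h["dport"], h["sport"], isn,
                     (h["seq"] + 1) & 0xFFFFFFFF, SYN | ACK, 1024)


# Constructed sample: the segments one scanner probe sends toward port 80.
SCANNER, TARPIT = "192.0.2.10", "192.0.2.1"  # documentation addresses, constructed
SAMPLE_PROBE = [
    build_tcp(SCANNER, TARPIT, 40000, 80, 1000, 0, SYN, 65535),        # handshake start
    build_tcp(SCANNER, TARPIT, 40000, 80, 1001, 1, ACK, 65535),        # third handshake step
    build_tcp(SCANNER, TARPIT, 40000, 80, 1001, 1, PSH | ACK, 65535),  # request data
    build_tcp(SCANNER, TARPIT, 40000, 80, 1001, 1, FIN | ACK, 65535),  # eventual give-up
]


def probe_summary(segments=SAMPLE_PROBE) -> dict:
    """Count how many segments the tarpit answered; only the SYN should be."""
    replied = sum(1 for s in segments if tarpit_reply(SCANNER, TARPIT, s) is not None)
    return {"replied": replied, "dropped": len(segments) - replied}


if __name__ == "__main__":
    syn_ack = tarpit_reply(SCANNER, TARPIT, SAMPLE_PROBE[0])
    print(parse_tcp(syn_ack))
    print(probe_summary())
```

Running it shows the single SYN-ACK reply and three drops: the scanner's stack sees a completed handshake and moves to ESTABLISHED, but every later segment it sends is silently discarded, so it retransmits until its own timers give up while the tarpit side has allocated nothing.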
To install this, download iptables-1.2.6a.tar.bz2
from http://netfilter.samba.org/downloads.html#1.2.6a and extract it with:
bzcat iptables-1.2.6a.tar.bz2 | tar -xvf -
Then do one of the following:
- Download iptables-1.2.6a-tcp-synack.patch from here and run:
cd iptables-1.2.6a
patch -p1 < ../iptables-1.2.6a-tcp-synack.patch
or
- Download extension-iptables-1.2.6a-tcp-synack.tar.gz from here and run:
cd iptables-1.2.6a
zcat extension-iptables-1.2.6a-tcp-synack.tar.gz | tar -xvf -
Then follow the documentation in INSTALL and
enable ipt_REJECT-tcp-synack.patch. The iptables patching process
changes both the Linux 2.4.18 kernel and the "iptables" binaries, so you
will need to install new versions of both.
This patch was rejected by the netfilter developers as being too
"antisocial", so don't expect it to show up in the default distributions
of anything. See:
http://lists.samba.org/pipermail/netfilter-devel/2002-March/003924.html
-- Aaron