Author: "Aaron Hopkins" <lists@die.net>
Status: Works for me

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections while using no local per-connection resources.  Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and instead sends window probes
every 60-240 seconds asking whether it may continue.  Attempts to close the
connection are ignored, forcing the remote side to time out the connection
in 12-24 minutes.
11
This offers similar functionality to LaBrea
<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated hardware
or IPs.  Any TCP port that you would normally DROP or REJECT can instead
become a tarpit.
16
To tarpit connections to TCP port 80 destined for the current machine:

  iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
20
To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused IP addresses to a Linux box not acting as a router
(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
forwarding on the Linux box, and add:

  iptables -A FORWARD -p tcp -j TARPIT
  iptables -A FORWARD -j DROP
28
You probably don't want the conntrack module loaded while you are using
TARPIT: with connection tracking active, every tarpitted connection still
gets a conntrack entry, so you are back to using resources per connection.
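As an added example (not part of the patch or its original description), a POSIX shell helper that generates the TARPIT rules above for a list of ports and refuses to proceed when a conntrack module shows up in an lsmod listing, since that would reintroduce per-connection state. The lsmod text is passed in as a string so the check can run on captured output; the module names and the sample listings are assumptions.

```sh
#!/bin/sh
# Added example helper, not part of the TARPIT patch. Builds the iptables
# TARPIT rules for a chain and a list of ports, first checking an lsmod-style
# listing for a loaded conntrack module (ip_conntrack on 2.4 kernels,
# nf_conntrack on later ones; assumed names).

# conntrack_loaded LSMOD_OUTPUT: succeed (0) if a conntrack module appears
# in the first column of the supplied lsmod output.
conntrack_loaded() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^(nf|ip)_conntrack/ { found = 1 } END { exit !found }'
}

# tarpit_rules CHAIN PORT...: print one rule per numeric port; fail on junk.
tarpit_rules() {
    chain=$1
    shift
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "tarpit_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "tarpit_rules: port out of range '$port'" >&2; return 1
        fi
        printf 'iptables -A %s -p tcp -m tcp --dport %s -j TARPIT\n' "$chain" "$port"
    done
}

# plan_tarpit LSMOD_OUTPUT CHAIN PORT...: print the rules, or return 2 and
# print nothing when conntrack is loaded (the caveat in the text above).
plan_tarpit() {
    lsmod_out=$1
    chain=$2
    shift 2
    if conntrack_loaded "$lsmod_out"; then
        echo "plan_tarpit: conntrack is loaded; TARPIT would still cost state per connection" >&2
        return 2
    fi
    tarpit_rules "$chain" "$@"
}

# Constructed lsmod listings for demonstration (not captured from a real box).
LSMOD_CLEAN='Module                  Size  Used by
xt_TARPIT              16384  0
ip_tables              32768  2 iptable_filter,iptable_nat'
LSMOD_WITH_CT='Module                  Size  Used by
nf_conntrack          172032  1 nf_nat
xt_TARPIT              16384  0'

# Real use on a box: plan_tarpit "$(lsmod)" INPUT 80 25 | sh
```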