What is the iptables TARPIT target?

* Goal:
* - Allow incoming TCP connections to be established.
* - Passing data should result in the connection being switched to the 
*   persist state (0 byte window), in which the remote side stops sending 
*   data and asks to continue every 60 seconds.
* - Attempts to shut down the connection should be ignored completely, so 
*   the remote side ends up having to time it out.
*
* This means:
* - Reply to TCP SYN,!ACK,!RST,!FIN with SYN-ACK, window 5 bytes
* - Reply to TCP SYN,ACK,!RST,!FIN with RST to prevent spoofing
* - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited
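To make the three rules above concrete, here is an added user-space simulation of that decision logic; it is example code written for this page, not code taken from the kernel module. It plays a typical banner grab (SYN, a probe request, FIN, then zero-window probes) against a function that answers the way the rules describe. The sequence/ack arithmetic of the replies, the scanner's initial sequence number and the give-up time are this example's own assumptions; the window sizes (5, then 0) and the 60 second persist interval come from the rules quoted above.

```python
"""Simulation of the TARPIT reply rules (constructed example, not the module's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

TARPIT_SYN_WINDOW = 5        # window advertised in the SYN-ACK (rule 1)
TARPIT_PERSIST_WINDOW = 0    # window advertised once data arrives (rule 3)
PERSIST_PROBE_INTERVAL = 60  # seconds between the peer's zero-window probes


@dataclass(frozen=True)
class Segment:
    """Only the TCP fields the tarpit logic looks at (constructed, not a real packet)."""
    syn: bool = False
    ack: bool = False
    rst: bool = False
    fin: bool = False
    seq: int = 0
    ack_no: int = 0
    window: int = 0
    payload: bytes = b""

    def flags(self) -> str:
        on = (("S", self.syn), ("A", self.ack), ("R", self.rst), ("F", self.fin))
        return "".join(name for name, set_ in on if set_) or "-"


def tarpit_reply(seg: Segment, rate_limit_ok: bool = True) -> Optional[Segment]:
    """Return the segment TARPIT would send back for `seg`, or None when it stays silent.

    The rule selection follows the module comment quoted above; the seq/ack
    numbers of the replies are this example's assumption.
    """
    if seg.rst or seg.fin:
        # Shutdown attempts are ignored completely; the peer has to time out.
        return None
    if seg.syn and not seg.ack:
        # Let the connection be established, but with a tiny (5 byte) window.
        return Segment(syn=True, ack=True, seq=0, ack_no=seg.seq + 1,
                       window=TARPIT_SYN_WINDOW)
    if seg.syn and seg.ack:
        # Unsolicited SYN-ACK: answer RST so a spoofed SYN cannot leave a
        # third party's connection half-open against us.
        return Segment(rst=True, seq=seg.ack_no)
    # Data or bare ACK: acknowledge and shrink the window to zero, which
    # puts the peer into persist state. The real target rate-limits these
    # replies; the caller decides when the limit allows one.
    if not rate_limit_ok:
        return None
    return Segment(ack=True, seq=1, ack_no=seg.seq + len(seg.payload),
                   window=TARPIT_PERSIST_WINDOW)


@dataclass
class ProbeResult:
    """What a scanner observes when it connects to a tarpitted port."""
    exchange: List[str] = field(default_factory=list)
    syn_ack_window: int = -1
    bytes_accepted: int = 0
    persist_window: int = -1
    fin_answered: bool = False
    held_seconds: int = 0


def scan_tarpitted_port(banner_probe: bytes, give_up_after: int = 300) -> ProbeResult:
    """Play a banner grab (SYN, probe, FIN, zero-window probes) against tarpit_reply()."""
    r = ProbeResult()
    isn = 1000  # scanner's initial sequence number (constructed)

    def send(seg: Segment, when: int) -> Optional[Segment]:
        reply = tarpit_reply(seg)
        r.exchange.append(f"t={when:>3}s scanner -> tarpit  {seg.flags()} win={seg.window} len={len(seg.payload)}")
        if reply is None:
            r.exchange.append(f"t={when:>3}s tarpit  -> scanner (silence)")
        else:
            r.exchange.append(f"t={when:>3}s tarpit  -> scanner {reply.flags()} win={reply.window}")
        return reply

    syn_ack = send(Segment(syn=True, seq=isn, window=65535), 0)
    r.syn_ack_window = syn_ack.window
    # The scanner may only send as many bytes as the peer's window allows.
    chunk = banner_probe[:syn_ack.window]
    r.bytes_accepted = len(chunk)
    data_ack = send(Segment(ack=True, seq=isn + 1, ack_no=1, window=65535, payload=chunk), 0)
    r.persist_window = data_ack.window
    # The banner grab fails, so the scanner tries to close: the FIN is ignored.
    fin_reply = send(Segment(ack=True, fin=True, seq=isn + 1 + len(chunk), ack_no=1, window=65535), 1)
    r.fin_answered = fin_reply is not None
    # With a zero window the scanner's stack keeps probing every 60 seconds
    # (each probe carries one byte of the unsent data) until it gives up.
    t = PERSIST_PROBE_INTERVAL
    while t <= give_up_after:
        send(Segment(ack=True, seq=isn + 1 + len(chunk), ack_no=1, window=65535,
                     payload=banner_probe[len(chunk):len(chunk) + 1]), t)
        t += PERSIST_PROBE_INTERVAL
    r.held_seconds = give_up_after
    return r


if __name__ == "__main__":
    for line in scan_tarpitted_port(b"HEAD / HTTP/1.0\r\n\r\n").exchange:
        print(line)
```

Running it prints the exchange as the scanner sees it: a SYN-ACK with a 5 byte window, only the first 5 bytes of the probe acknowledged with a zero window, silence in answer to the FIN, and then one zero-window probe per minute that the tarpit keeps answering with window 0 until the scanner's own timeout expires.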

Where can I find it?

TARPIT is part of the latest netfilter patch-o-matic, in the "extra" section: http://www.netfilter.org/documentation/pomlist/pom-extra.html#ipt_TARPIT

Why use it?

Most firewalls drop unwanted packets to keep your host invisible on the Internet. But on a server you generally have at least one public port open, so you are going to be scanned anyway. Why not make the attacker's job a bit harder by flooding him/her with tons of false positives? Every tarpitted port looks open, but any banner grab fails, and the scanner does not just time out quickly: because the connection is accepted, its stack allocates resources for it and only frees them when the connection finally times out.

Is a TARPIT antisocial?

Yes, according to: http://lists.netfilter.org/pipermail/netfilter-devel/2002-March/003924.html It does not respect the RFCs, so only use it if you understand what it is doing.

Examples

# Slowing down the DCOM worm (TCP port 135)
iptables -A INPUT -p tcp -m tcp --dport 135 -j TARPIT

# My favourite trick: TARPIT on every TCP port as the last rule of the INPUT
# chain. ACCEPT rules for your real services (and for ESTABLISHED traffic)
# must come before it, otherwise your own clients get tarpitted too.
iptables -A INPUT -p tcp -j TARPIT

Links

Nicolas Lidzborski (cpc at freeshell.org) on June 9th 2003, edited on August 22nd 2003