tar pit?

[Matt Kettler]

At 04:50 PM 12/13/2004, dave wrote:
>Hello,
>     I was wondering if you had a howto on setting up a tar pit? I'm using
>FreeBSD 5.x machines, my primary goal for doing this is i'm getting ssh
>connections as well as many people trying to relay mail through me. I've got
>discard rules and they don't succeed, but i'd rather cut them off before
>they can sap my band width.

Actually, doing a discard of the syn packet is generally much lower
bandwidth than doing a tarpit. In a tarpit you've got to accept (or at
least pretend to accept) the connection, and keep feeding keep-alive
packets back to the person you are tarpitting. This, at the very minimum,
doubles the bandwidth required per connection.

The only case where a tarpit saves you bandwidth is if a single source is
spewing huge numbers of connections (At least 10 a second, probably much
more), then tarpitting will, eventually, bog down the source, and you'll
see fewer connections.

Really, if you're worried about syn packets sucking up your bandwidth,
you've either got thousands of connections per second, or a very small
pipe. (a syn packet is about 40-60 bytes, depending on tcp options.
Assuming 60 bytes, it would take 1,000 connections/sec to be 600,000
bits/sec, half a typical t1 or downstream 1.5mbit DSL line.)

Generaly speaking you can use pf's rdr to redirect the packets to another
port, and have that port running a tarpit app.

Another way is to use LaBrea... LaBrea is a good tarpit app, but be
careful, it's designed to tarpit whole destination IPs at a time by
default, but if you use a bpf filter, you can tell LaBrea what ports/hosts
to tarpit manually.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!