8Signs Firewall Releases Tarpit-Strikes Back at Hackers


musicman
November 22nd, 2003, 02:00 AM
To all our members: 8Signs Firewall developer James Grant has just released a new feature on 8Signs Firewall called "Tarpit". This new feature is not on any other firewall at present. You will be able to lock up an attacker's scanner when he attempts to scan your PC for an extensive amount of time, forcing the attacker to disconnect. Here is info on Tarpit from the developer.
-------------------------------------------------------------------------
Tarpits - A "tarpit" is a trap for troublesome outsiders. Your system accepts connections but never replies and ignores disconnect requests. This can leave spammers, worms and port scanners stuck for hours, even days. Now, entries in the Ban List can be set to be tarpits. Also, block rules can become tarpits:
- when "Ban" and "Tarpit" are chosen, the rule creates a tarpit for all IPs that try to connect and match this rule. It tarpits all ports for these IPs
- when "Tarpit" is chosen but not "Ban", the rule creates a tarpit only for matching connections. It tarpits all IPs for just the selected port range
---------------------------------------------------------------------
The tarpit works on TCP connections.
When an attacker tries to connect to a port (e.g. 139 for NetBIOS, 80 for a web server, etc.),
the tarpit accepts the connection (sends a SYN|ACK packet). Every time the attacker
sends data, the tarpit sends the correct acknowledgement, so the other side thinks
you're still connected, but the tarpit never sends any data. Protocols like SMTP for email
and FTP always start with the server sending a welcome message. An attacker's automated
tool would just sit and wait for this, for hours or days until the person saw it was stuck.
Some automated tools time out after a minute and disconnect. That's what I'm
seeing from my plain old ISP account. When the attacker tries to disconnect,
the disconnect request is ignored, forcing him to resend the request until the
TCP protocol finally gives up (usually half a minute). All this time is time that
he is not probing you on other ports and/or not probing somebody else, so it
is an easy win against hackers. Also, in the 8Signs Firewall, no memory is
allocated on a per-attacker basis for the tarpit, so it will never use up more memory
no matter how many hackers get stuck. Memory is reserved for up to 256
victims. This means the display is pretty complete for small numbers of victims,
but if you have 1000 connections stuck, the display will show only the latest
256 at a time. This is alright, because you don't need the tarpit display for
a complete chart, just a sense of the level of activity.
http://www.8signs.com/firewall/download.cfm
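
Added example, not part of the original post and not 8Signs code: a Python sketch of the reply logic described above, where each answer is computed from the incoming segment alone so nothing is stored per attacker. `Segment`, `tarpit_reply`, `stateless_isn` and the hash-derived initial sequence number are assumptions made for illustration; the post does not say how 8Signs chooses sequence numbers.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Segment:                      # hypothetical, minimal view of a TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0

def stateless_isn(seg: Segment, secret: bytes = b"constructed-secret") -> int:
    """Assumption: derive our initial sequence number from the 4-tuple so no
    per-connection record is needed."""
    key = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}".encode()
    return int.from_bytes(hashlib.sha256(secret + key).digest()[:4], "big")

def tarpit_reply(seg: Segment) -> Optional[Segment]:
    """Return the segment the tarpit sends back, or None to stay silent."""
    def answer(seq: int, ack: int, flags: int) -> Segment:
        return Segment(seg.dst, seg.dport, seg.src, seg.sport, seq, ack % 2**32, flags)
    if seg.flags & (RST | FIN):
        return None                 # disconnect requests are ignored; the peer keeps retrying
    if seg.flags & SYN and not seg.flags & ACK:
        return answer(stateless_isn(seg), seg.seq + 1, SYN | ACK)   # accept the connection
    if seg.payload_len:
        # Acknowledge the data but send none. Our own sequence number is read
        # back from the peer's ACK field instead of being remembered.
        return answer(seg.ack, seg.seq + seg.payload_len, ACK)
    return None                     # bare ACK (end of handshake): nothing to send

# Constructed sample: a scanner opens port 25, sends 12 bytes, then tries to close.
PEER = ("198.51.100.7", 40000, "192.0.2.10", 25)
def sample_exchange() -> list:
    syn = Segment(*PEER, seq=1000, ack=0, flags=SYN)
    synack = tarpit_reply(syn)
    ours = (synack.seq + 1) % 2**32
    rest = [Segment(*PEER, 1001, ours, ACK),
            Segment(*PEER, 1001, ours, PSH | ACK, 12),
            Segment(*PEER, 1013, ours, FIN | ACK)]
    return [synack] + [tarpit_reply(s) for s in rest]

if __name__ == "__main__":
    for reply in sample_exchange():
        print(reply)
```

The four results are a SYN|ACK, silence for the handshake ACK, a data-less ACK covering the 12 bytes, and silence for the FIN.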

CrazyM
November 22nd, 2003, 03:16 AM
Hi musicman

Correct me if I am wrong, but I believe the "tarpit" feature is only available in pre-release/beta versions at this time and has not been included in an official release yet.

Pre-release and beta versions of 8Signs can be found here (http://www.8signs.com/firewall/beta.cfm).
"Downloads on this page are pre-release and are not recommended for use on production systems. We make them available so people can test and comment on new features in development and for beta testing. You are welcome to test them and we ask you to let us know your results. Please email all comments, suggestions, and bug reports to beta @ 8signs.com"

Regards,

CrazyM

musicman
November 22nd, 2003, 08:19 AM
CrazyM, you are 100% correct, this is in beta; however, the developer asked me to release this info as this will be out of beta shortly. I have been running this on my PC with no problem now, and he wanted to let everyone know it's available. Thanks for your help ;D