8Signs Firewall Releases Tarpit-Strikes Back at Hackers

Nov 22, 2003

  musicman

    musicman Registered Member

    Aug 24, 2003
    To all our members: 8Signs Firewall developer James Grant has just released a new feature in 8Signs Firewall called "Tarpit". This new feature is not in any other firewall at present. You will be able to lock up an attacker's scanner when he attempts to scan your PC for an extensive amount of time, forcing the attacker to disconnect. Here is info on Tarpit from the developer.
    Tarpits - A "tarpit" is a trap for troublesome outsiders. Your system accepts connections but never replies and ignores disconnect requests. This can leave spammers, worms and port scanners stuck for hours, even days. Now, entries in the Ban List can be set to be tarpits. Also, block rules can become tarpits:
    - when "Ban" and "Tarpit" are chosen, the rule creates a tarpit for all IPs that try to connect and match this rule. It tarpits all ports for these IPs
    - when "Tarpit" is chosen but not "Ban", the rule creates a tarpit only for matching connections. It tarpits all IPs for just the selected port range
    The tarpit works on TCP connections.
    When an attacker tries to connect to a port (e.g. 139 for NetBIOS, 80 for a web server, etc.),
    the tarpit accepts the connection (sends a SYN|ACK packet). Every time the attacker
    sends data, the tarpit sends the correct acknowledgement, so the other side thinks
    you're still connected, but the tarpit never sends any data. Protocols like SMTP for email
    and FTP always start with the server sending a welcome message. An attacker's automated
    tool would just sit and wait for this, for hours or days until the person saw it was stuck.
    Some automated tools time out after a minute and disconnect. That's what I'm
    seeing from my plain old ISP account. When the attacker tries to disconnect,
    the disconnect request is ignored, forcing him to resend the request until the
    TCP protocol finally gives up (usually half a minute). All this time is time that
    he is not probing you on other ports and/or not probing somebody else, so it
    is an easy win against hackers. Also, in the 8Signs Firewall, no memory is
    allocated on a per-attacker basis for the tarpit, so it will never use up more memory
    no matter how many hackers get stuck. Memory is reserved for up to 256
    victims. This means the display is pretty complete for small numbers of victims,
    but if you have 1000 connections stuck, the display will show only the latest
    256 at a time. This is alright, because you don't need the tarpit display for
    a complete chart, just a sense of the level of activity.
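
The per-packet behaviour described in the post above, as an added example that is not part of the original post and is not 8Signs code. It assumes a stateless design in which each reply is computed from the inbound segment alone, plus a fixed 256-entry ring for the display; `tarpit_reply`, `note_victim`, `shown`, the derived sequence number and the sample segments are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define SLOTS  256   /* fixed display capacity, the figure given in the post */

struct seg   { uint32_t src_ip, seq, ack; uint8_t flags; uint16_t len; };
struct reply { int send; uint8_t flags; uint32_t seq, ack; };

static uint32_t recent[SLOTS];  /* ring of the latest tarpitted IPs; never grows */
static unsigned long total;     /* every connection attempt ever tarpitted */

static void note_victim(uint32_t ip) { recent[total++ % SLOTS] = ip; }
static unsigned shown(void) { return total < SLOTS ? (unsigned)total : SLOTS; }

/* Decide the reply from the inbound segment only: no per-peer state is kept. */
static struct reply tarpit_reply(const struct seg *in)
{
    struct reply r = {0, 0, 0, 0};
    if (in->flags & (TH_RST | TH_FIN)) return r;  /* disconnect requests go unanswered */
    if ((in->flags & TH_SYN) && !(in->flags & TH_ACK)) {
        note_victim(in->src_ip);
        r.send = 1; r.flags = TH_SYN | TH_ACK;    /* accept the connection */
        r.seq = in->src_ip ^ in->seq;             /* assumed: derived, not stored */
        r.ack = in->seq + 1;                      /* a SYN uses one sequence number */
        return r;
    }
    if (in->len > 0) {                            /* acknowledge data, send none */
        r.send = 1; r.flags = TH_ACK;
        r.seq = in->ack;                          /* the peer's ack carries our seq */
        r.ack = in->seq + in->len;
    }
    return r;                                     /* bare ACKs need no answer */
}

int main(void)
{
    struct seg in[] = {                           /* constructed sample segments */
        {0x0a000001u, 1000, 0,    TH_SYN,          0},
        {0x0a000001u, 1001, 5000, TH_ACK,          20},
        {0x0a000001u, 1021, 5000, TH_FIN | TH_ACK, 0} };
    for (int i = 0; i < 3; i++) {
        struct reply r = tarpit_reply(&in[i]);
        printf("in=0x%02x send=%d out=0x%02x ack=%u\n", (unsigned)in[i].flags, r.send, (unsigned)r.flags, (unsigned)r.ack);
    }
    return 0;
}
```
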
  CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    Hi musicman

    Correct me if I am wrong, but I believe the "tarpit" feature is only available in pre-release/beta versions at this time and has not been included in an official release yet.

    Pre-release and beta versions of 8Signs can be found here.
    "Downloads on this page are pre-release and are not recommended for use on production systems. We make them available so people can test and comment on new features in development and for beta testing. You are welcome to test them and we ask you to let us know your results. Please email all comments, suggestions, and bug reports to beta @ 8signs.com"


  musicman

    musicman Registered Member

    Aug 24, 2003
    CrazyM, you are 100% correct, this is in beta; however, the developer asked me to release this info as this will be out of beta shortly. I have been running this on my PC with no problem now, and he wanted to let everyone know it's available. Thanks for your help :D
