From 551a16d18f483d3c34b78ece42226907eab8e493 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 1 Jan 2015 09:14:00 -0800
Subject: [PATCH] Document TARPIT

Signed-off-by: Tom Eastep

---
 Shorewall/Perl/Shorewall/Rules.pm | 2 +-
 Shorewall/manpages/shorewall-rules.xml | 70 ++++++++++++++++++++++++
 Shorewall6/manpages/shorewall6-rules.xml | 70 ++++++++++++++++++++++++
 3 files changed, 141 insertions(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e36cb54f2..1cecd812c 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2401,7 +2401,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 },
 TARPIT => sub {
- require_capability 'TARPIT_TARGET', 'The TARPIT Target', 's';
+ require_capability 'TARPIT_TARGET', 'TARPIT', 's';
 fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 79145e9ba..bfb3e7464 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
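Review bot: The guard on the hunk's last line rejects a TARPIT rule only because `resolve_proto( $proto ) || 0` turns an unspecified or unresolvable PROTO into 0, which then fails the `!= TCP` comparison; nothing in the hunk says so, and a reader can take the `|| 0` for mere warning suppression. Suggest a comment above that line: `# PROTO absent or unresolvable resolves to 0 here, so the rule is rejected rather than tarpitting non-TCP traffic.` Whether resolve_proto returns a false value rather than dying for a PROTO of `-` or `all` is not visible in the hunk and should be confirmed before relying on that wording. The enclosing process_rule sub starts outside the hunk and the TARPIT anonymous sub ends outside it.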
@@ -652,6 +652,76 @@
+
+ TARPIT [(tarpit |
+ honeypot | reset)]
+
+
+ Added in Shorewall 4.6.6.
+
+ TARPIT captures and holds incoming TCP connections
+ using no local per-connection resources.
+
+ TARPIT only works with the PROTO column set to tcp (6),
+ and is totally application agnostic. This module will answer a
+ TCP request and play along like a listening server, but aside
+ from sending an ACK or RST, no data is sent. Incoming packets
+ are ignored and dropped. The attacker will terminate the
+ session eventually. This module allows the initial packets of
+ an attack to be captured by other software for inspection. In
+ most cases this is sufficient to determine the nature of the
+ attack.
+
+ This offers similar functionality to LaBrea
+ <http://www.hackbusters.net/LaBrea/> but does not
+ require dedicated hardware or IPs. Any TCP port that you would
+ normally DROP or REJECT can instead become a tarpit.
+
+ The target accepts a single optional parameter:
+
+
+
+ tarpit
+
+
+ This mode is the default and completes a
+ connection with the attacker but limits the window size
+ to 0, thus keeping the attacker waiting long periods of
+ time. While he is maintaining state of the connection
+ and trying to continue every 60-240 seconds, we keep
+ none, so it is very lightweight. Attempts to close the
+ connection are ignored, forcing the remote side to time
+ out the connection in 12-24 minutes.
+
+
+
+
+ honeypot
+
+
+ This mode completes a connection with the
+ attacker, but signals a normal window size, so that the
+ remote side will attempt to send data, often with some
+ very nasty exploit attempts. We can capture these
+ packets for decoding and further analysis. The module
+ does not send any data, so if the remote expects an
+ application level response, the game is up.
+
+
+
+
+ reset
+
+
+ This mode is handy because we can send an inline
+ RST (reset). It has no other function.
+
+
+
+
+
+
 ULOG[(ulog-parameters)]
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index 5ee7645e0..595978651 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -628,6 +628,76 @@ url="/manpages6/shorewall6.conf.html">shorewall6.conf(5).
+
+
+ TARPIT [(tarpit |
+ honeypot | reset)]
+
+
+ Added in Shorewall 4.6.6.
+
+ TARPIT captures and holds incoming TCP connections using
+ no local per-connection resources.
+
+ TARPIT only works with the PROTO column set to tcp (6),
+ and is totally application agnostic. This module will answer a
+ TCP request and play along like a listening server, but aside
+ from sending an ACK or RST, no data is sent. Incoming packets
+ are ignored and dropped. The attacker will terminate the
+ session eventually. This module allows the initial packets of
+ an attack to be captured by other software for inspection. In
+ most cases this is sufficient to determine the nature of the
+ attack.
+
+ This offers similar functionality to LaBrea
+ <http://www.hackbusters.net/LaBrea/> but does not
+ require dedicated hardware or IPs. Any TCP port that you would
+ normally DROP or REJECT can instead become a tarpit.
+
+ The target accepts a single optional parameter:
+
+
+
+ tarpit
+
+
+ This mode is the default and completes a
+ connection with the attacker but limits the window size
+ to 0, thus keeping the attacker waiting long periods of
+ time. While he is maintaining state of the connection
+ and trying to continue every 60-240 seconds, we keep
+ none, so it is very lightweight. Attempts to close the
+ connection are ignored, forcing the remote side to time
+ out the connection in 12-24 minutes.
+
+
+
+
+ honeypot
+
+
+ This mode completes a connection with the
+ attacker, but signals a normal window size, so that the
+ remote side will attempt to send data, often with some
+ very nasty exploit attempts. We can capture these
+ packets for decoding and further analysis. The module
+ does not send any data, so if the remote expects an
+ application level response, the game is up.
+
+
+
+
+ reset
+
+
+ This mode is handy because we can send an inline
+ RST (reset). It has no other function.
+
+
+
+
+ The target may optionally be