Honeypots mailing list archives

IPTables::IPv4::DBTarpit


From: "Michael" <michael () insulin-pumpers org>
Date: Thu, 29 Jan 2004 15:42:52 -0800

IPTables::IPv4::DBTarpit module from CPAN

This module contains a collection of tools to manipulate
the "tarpit" BerkeleyDB database and a tarpit daemon
written entirely in "C".

"dbtarpit" is a C daemon that uses libipq (the Linux iptables 
userspace packet queuing library) to examine packets that match a 
filter criteria and tarpit those connections whose IP addresses are 
found in its database.

Currently it is only supported on Linux with iptables; however, the 
database library and tools will build and install on any OS that 
supports Perl.

The "dbtarpit" database is implemented using the Berkeley DB database 
found in all Linux distributions. "dbtarpit" is configured for 
concurrent use of the database, allowing simultaneous access and 
update of the database by other applications.

"dbtarpit" checks the packet IP address against its tarpit database 
for a match. If a match is found the tarpit database is updated with 
the most recent connection attempt time, the packet is dropped, and 
the connection tarpitted.  Optionally, packet IP addresses that are 
not found in the tarpit database are logged in the archive
database with the most recent connect time for later examination by 
other applications.

When used to defend against denial of service attacks, the tarpit is 
highly effective because it eliminates the traffic from the attacking 
site by stopping the transmission of data packets at the remote IP 
stack.

To refuse access or defend against denial of service attacks for 
protocols other than TCP/IP, DBTarpit can optionally be configured to 
drop packets for any connection found in the tarpit database.
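The per-packet decision the post describes (look up the source address in the tarpit database, refresh its last-attempt time, drop/tarpit on a hit, otherwise optionally record it in the archive database) as an added model in Python; this is not code from the DBTarpit distribution. It assumes databases keyed by the packed 4-byte IPv4 address holding a Unix timestamp, and it uses in-memory dicts in place of Berkeley DB.

```python
"""Constructed model of dbtarpit's per-packet logic (not the project's code)."""
import socket
import time

TCP = 6  # IP protocol number for TCP


class DBTarpitModel:
    """Mimics the verdicts dbtarpit would hand back to libipq for each packet.

    Assumed layout: both databases map inet_aton(ip) -> int Unix time.
    """

    def __init__(self, tarpit_ips, archive_enabled=True, drop_all_protocols=False):
        # Seed the tarpit database; 0 means "no connection attempt seen yet".
        self.tarpit = {socket.inet_aton(ip): 0 for ip in tarpit_ips}
        self.archive = {}                 # addresses NOT in the tarpit db
        self.archive_enabled = archive_enabled
        # Optional mode from the post: drop any protocol, not just tarpit TCP.
        self.drop_all_protocols = drop_all_protocols

    def handle_packet(self, src_ip, proto, now=None):
        """Return 'TARPIT', 'DROP' or 'ACCEPT' for a packet from src_ip."""
        now = int(time.time() if now is None else now)
        key = socket.inet_aton(src_ip)
        if key in self.tarpit:
            self.tarpit[key] = now        # most recent connection attempt
            if proto == TCP:
                return "TARPIT"           # packet dropped, connection tarpitted
            if self.drop_all_protocols:
                return "DROP"             # non-TCP, dropped by configuration
            return "ACCEPT"               # non-TCP, default: not interfered with
        if self.archive_enabled:
            self.archive[key] = now       # unknown source, kept for later review
        return "ACCEPT"

    def last_attempt(self, src_ip):
        """Timestamp stored in the tarpit database, or None if absent."""
        return self.tarpit.get(socket.inet_aton(src_ip))

    def archived(self, src_ip):
        """Timestamp stored in the archive database, or None if absent."""
        return self.archive.get(socket.inet_aton(src_ip))

    def archive_since(self, cutoff):
        """Addresses seen since `cutoff`, as another application would read them."""
        return sorted(socket.inet_ntoa(k) for k, t in self.archive.items() if t >= cutoff)
```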

An example of a complex application built around
IPTables::IPv4::DBTarpit is the Mail::SpamCannibal module.

SpamCannibal has numerous additional tools and scripts to integrate 
information from DNSBLs and local spam filters into a comprehensive 
defense against spam while at the same time causing a performance hit 
for the sending SMTP server. The SpamCannibal distribution includes a 
complete DNSBL written in 'C' that uses the BerkeleyDB database for its 
storage.

More information on both modules is available on the CPAN web site 
and at http://www.spamcannibal.org


Michael
Michael () Insulin-Pumpers org

