Honeypots mailing list archives
IPTables::IPv4::DBTarpit
From: "Michael" <michael () insulin-pumpers org>
Date: Thu, 29 Jan 2004 15:42:52 -0800
IPTables::IPv4::DBTarpit module from CPAN

This module contains a collection of tools to manipulate the "tarpit" BerkeleyDB database and a tarpit daemon written entirely in "C". "dbtarpit" is a C daemon that uses libipq (the Linux iptables userspace packet queuing library) to examine packets that match a filter criteria and tarpit those connections whose IP addresses are found in its database. Currently it is only supported on Linux with iptables; however, the database library and tools will build and install on any OS that supports Perl.

The "dbtarpit" database is implemented using the Berkeley DB database found in all Linux distributions. "dbtarpit" is configured for concurrent use of the database, allowing simultaneous access and update of the database by other applications.

"dbtarpit" checks the packet IP address against its tarpit database for a match. If a match is found, the tarpit database is updated with the most recent connection attempt time, the packet is dropped, and the connection tarpitted. Optionally, packet IP addresses that are not found in the tarpit database are logged in the archive database with the most recent connect time for later examination by other applications.

When used to defend against denial of service attacks, the tarpit is highly effective because it eliminates the traffic from the attacking site by stopping the transmission of data packets at the remote IP stack. To refuse access or defend against denial of service attacks for protocols other than TCP/IP, DBTarpit can optionally be configured to drop packets for any connection found in the tarpit database.

An example of a complex application built around IPTables::IPv4::DBTarpit is the Mail::SpamCannibal module. SpamCannibal has numerous additional tools and scripts to integrate information from DNSBLs and local spam filters into a comprehensive defense against spam while at the same time causing a performance hit for the sending SMTP server. The SpamCannibal distribution includes a complete DNSBL written in 'C' that uses the BerkeleyDB database for its storage.

More information on both modules is available on the CPAN web site and at http://www.spamcannibal.org

Michael
Michael () Insulin-Pumpers org
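The packet decision described in the announcement (look up the source address, refresh its timestamp and tarpit a listed TCP source, optionally drop other protocols from listed sources, optionally archive unknown sources), modelled as an added Python example that is not part of dbtarpit or the DBTarpit distribution. It assumes plain dicts as stand-ins for the two Berkeley DB files, a dotted-quad key (the real daemon's key layout is not stated here) and a minimal constructed IPv4 header; the crafted-reply mechanics of the tarpit itself are not modelled.

```python
import struct
import time
from dataclasses import dataclass, field

IPPROTO_TCP = 6


@dataclass
class TarpitState:
    # In-memory stand-ins for dbtarpit's "tarpit" and "archive" Berkeley DB
    # files (assumption: dotted-quad key -> last connection attempt time).
    tarpit: dict = field(default_factory=dict)
    archive: dict = field(default_factory=dict)
    log_unknown: bool = False          # optional archive logging of unlisted sources
    drop_all_protocols: bool = False   # optional: drop non-TCP packets from listed sources


def parse_ipv4(packet: bytes):
    """Return (protocol number, dotted-quad source) from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]                                  # protocol field
    src = ".".join(str(b) for b in packet[12:16])      # source address
    return proto, src


def verdict(state: TarpitState, packet: bytes, now: float = None) -> str:
    """Decide what the daemon does with one queued packet and update the DBs."""
    now = time.time() if now is None else now
    proto, src = parse_ipv4(packet)
    if src in state.tarpit:
        state.tarpit[src] = now                        # most recent attempt time
        if proto == IPPROTO_TCP:
            return "TARPIT"                            # drop packet, hold the connection
        return "DROP" if state.drop_all_protocols else "ACCEPT"
    if state.log_unknown:
        state.archive[src] = now                       # most recent connect time
    return "ACCEPT"


def build_ipv4(src: str, proto: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header for testing (no checksum)."""
    src_bytes = bytes(int(o) for o in src.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       src_bytes, b"\x0a\x00\x00\x01")
```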