[Dshield] picnicking under flypaper (or near tar) (fwd)

Clint Byrum cbyrum at erp.com
Thu Mar 14 18:13:07 GMT 2002

On Wed, 2002-03-13 at 21:55, Bob Hillegas wrote:
> On second thought (can't wait for the third one :-)), how about 
> integrating it with iptables and use LABREA as an additional target? This 
> would make DROP look tame!!

This could be done, I think, through the ULOG target.

       This target provides userspace logging of matching packets. When
       this target is set for a rule, the Linux kernel will multicast this
       packet through a netlink socket. One or more userspace processes may
       then subscribe to various multicast groups and receive the packets.

So.. an iptables aware LaBrea would just subscribe to that multicast
group, parse out the logs, and start the tarpit process as if it had
received the packet originally. The ACKs would also need to be sent
through ULOG so LaBrea would know that its persistent tarpit was still

The other option is to write a new module that would create a LABREA
target ... but this seems like it would mean a lot more detailed work,
and require a tighter integration with LaBrea.

For now though, I think I'd rather just have LaBrea on a box on the DMZ,
and send all unknown TCP packets to an unused IP on the DMZ ... has
worked for me so far. >:)


Clint Byrum
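Added example (not from the thread above, and not LaBrea's or iptables' own code): a sketch of the userspace side the message describes. A ULOG-style logger hands over a copy of each matching packet; the code below decodes the IPv4 and TCP headers of such a copy and decides what a LaBrea-like tarpit should do with it: start holding a new SYN aimed at an unused DMZ address, keep holding a connection whose peer is still ACKing, or drop the state on RST. The netlink subscription itself is left out; the sample packets and the set of "unused" addresses are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers of one raw packet copy."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        raise ValueError("bad IHL or truncated TCP header")
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    return {
        "src": IPv4Address(src), "dst": IPv4Address(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF, "window": window,
    }


class TarpitTracker:
    """Decides what a tarpit should do with each logged packet.

    Only packets for addresses in `unused` (assumed: DMZ addresses nothing
    legitimately listens on) are acted on; everything else is ignored.
    """

    def __init__(self, unused):
        self.unused = {IPv4Address(a) for a in unused}
        self.active = {}  # (src, sport, dst, dport) -> last seen seq

    def handle(self, pkt: bytes) -> str:
        h = parse_ipv4_tcp(pkt)
        if h["dst"] not in self.unused:
            return "ignore"
        key = (h["src"], h["sport"], h["dst"], h["dport"])
        f = h["flags"]
        if f & TCP_RST:
            # Peer gave up: forget the connection.
            self.active.pop(key, None)
            return "close"
        if f & TCP_SYN and not f & TCP_ACK:
            # New connection attempt: this is where the SYN/ACK with a tiny
            # window would be sent to hold the peer.
            self.active[key] = h["seq"]
            return "tarpit-new"
        if f & TCP_ACK and key in self.active:
            # Peer is still stuck in the tarpit; refresh its state.
            self.active[key] = h["seq"]
            return "tarpit-hold"
        return "ignore"


def make_tcp_packet(src, dst, sport, dport, flags, seq=0, ack=0) -> bytes:
    """Build a header-only IPv4/TCP packet for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def demo():
    """Constructed traffic: a scan hits the unused address, then a real host."""
    t = TarpitTracker(["192.0.2.200"])
    pkts = [
        make_tcp_packet("198.51.100.7", "192.0.2.200", 40000, 445, TCP_SYN, seq=1000),
        make_tcp_packet("198.51.100.7", "192.0.2.200", 40000, 445, TCP_ACK, seq=1001, ack=1),
        make_tcp_packet("198.51.100.7", "192.0.2.10", 40001, 80, TCP_SYN),
        make_tcp_packet("198.51.100.7", "192.0.2.200", 40000, 445, TCP_RST | TCP_ACK, seq=1001),
    ]
    return [t.handle(p) for p in pkts]


if __name__ == "__main__":
    print(demo())
```

The decision strings stand in for the actions a real daemon would take (send the holding SYN/ACK, answer window probes, free state); what matters for the design in the message is that both the initial SYN and the later ACKs reach the userspace process, otherwise the tracker can never refresh an entry and would have to time everything out.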

