[Dshield] picnicking under flypaper (or near tar) (fwd)
cbyrum at erp.com
Thu Mar 14 18:13:07 GMT 2002
On Wed, 2002-03-13 at 21:55, Bob Hillegas wrote:
> On second thought (can't wait for the third one :-)), how about
> integrating it with iptables and use LABREA as an additional target? This
> would make DROP look tame!!
This could be done, I think, through the ULOG target.
This target provides userspace logging of matching packets. When
this target is set for a rule, the Linux kernel will
multicast this packet through a netlink socket. One or more
userspace processes may then subscribe to various multicast
groups and receive the packets.
So.. an iptables aware LaBrea would just subscribe to that multicast
group, parse out the logs, and start the tarpit process as if it had
received the packet originally. The ACKs would also need to be sent
through ULOG so LaBrea would know that its persistent tarpit was still
The other option is to write a new module that would create a LABREA
target ... but this seems like it would mean a lot more detailed work,
and require a tighter integration with LaBrea.
For now though, I think I'd rather just have LaBrea on a box on the DMZ,
and send all unknown TCP packets to an unused IP on the DMZ ... has
worked for me so far. >:)
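As an added example (not code from this post, from LaBrea, or from the iptables project), here is a Python sketch of the userspace side described above: it parses the IPv4/TCP headers of a packet as a ULOG subscriber would receive it and runs a LaBrea-style tarpit state machine over it. The ULOG netlink framing is left out, the ISN 0x1000 and the window of 10 are assumptions, and the packet builder exists only to construct test input.

```python
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10

@dataclass
class TcpSeg:
    src: str; dst: str; sport: int; dport: int
    seq: int; ack: int; flags: int; window: int; payload_len: int

def parse_ipv4_tcp(pkt: bytes) -> TcpSeg:
    """Parse IPv4 + TCP headers from a raw packet as a ULOG subscriber would see it."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4
    return TcpSeg(src, dst, sport, dport, seq, ack, off_flags & 0x1FF, win, total - ihl - doff)

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    """Constructed test packet (checksums left zero: they do not matter to the tarpit logic)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

class Tarpit:
    """LaBrea-style tarpit state: one stuck entry per captured connection."""
    def __init__(self, window=10, isn=0x1000):  # assumed values, not LaBrea's own
        self.window, self.isn, self.stuck = window, isn, {}

    def handle(self, pkt: bytes):
        """Return the TCP reply to send (as a dict of header fields), or None to stay silent."""
        seg = parse_ipv4_tcp(pkt)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags & SYN and not seg.flags & ACK:
            # New connection: SYN/ACK with a tiny window so the peer can only trickle data
            self.stuck[key] = self.isn
            return {"flags": SYN | ACK, "seq": self.isn, "ack": seg.seq + 1, "window": self.window}
        if key in self.stuck and seg.flags & ACK:
            # Persist capture: acknowledge what arrived but advertise a zero window. The peer
            # then sends window probes indefinitely; each probe (an ACK) has to reach this
            # process too, which is why the ACKs must also pass through ULOG.
            return {"flags": ACK, "seq": self.stuck[key] + 1,
                    "ack": seg.seq + seg.payload_len, "window": 0}
        return None
```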