Honeypots mailing list archives
RE: Honeypot/net IDS System
From: "Michael" <michael () insulin-pumpers org>
Date: Fri, 27 Feb 2004 11:47:33 -0800
The tarpit in question is not an smtp dummy, but a true TCP/IP tarpit that slams the transmission window shut and hangs on to the server until it gives up or times out, this is sometimes days.... and... it is a single thread for all trapped messages.

this is a very cool idea... guys anyone have good pointers about how to do this with postfix ?

This is MTA independent. The tarpit runs at the kernel level and is integrated into the firewall code. It will run with any MTA or even with an MTA that is on another host behind the firewall. Basically all you are doing is screening traffic that is incoming on port 25. The message is not received until after the transmitting host has presented its IP address in the first TCP/IP packet that carries the SYN flag. If it's a bad guy, he's told to proceed but with a very small transmission window. If he responds, the window is set to zero and he's told to continue :-) very effective. The only downside at the moment is that since it uses IPTABLES, it only can be deployed on Linux at the moment --- that is a lot of hosts fortunately.

Michael
Michael () Insulin-Pumpers org
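
The window handling described in the message above, sketched as an added example (not code from the post or from the tarpit it describes): a stateless decision function that derives each reply from the inbound TCP segment alone. The struct, the function name, the 10-byte window and the sample segments are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define F_SYN 0x02
#define F_RST 0x04
#define F_ACK 0x10
#define SMALL_WINDOW 10u   /* assumed value; the post only says "very small" */

enum verdict { PASS_TO_MTA, SEND_REPLY, DROP_SILENTLY };

struct seg {               /* the TCP header fields the decision needs */
    uint32_t seq, ack;
    uint16_t window;
    uint8_t  flags;
    uint16_t payload_len;
};

/* Stateless: the reply is computed from the inbound segment only, so one
 * thread can hold any number of trapped peers with no per-connection memory. */
enum verdict tarpit_reply(const struct seg *in, int src_listed,
                          uint32_t isn, struct seg *out)
{
    if (!src_listed)
        return PASS_TO_MTA;            /* clean sources reach the real MTA */
    if (in->flags & F_RST)
        return DROP_SILENTLY;          /* peer gave up, nothing to answer */
    out->payload_len = 0;
    if ((in->flags & F_SYN) && !(in->flags & F_ACK)) {
        /* First packet: accept, but advertise a tiny window. */
        out->flags = F_SYN | F_ACK;
        out->seq = isn;
        out->ack = in->seq + 1;        /* SYN consumes one sequence number */
        out->window = SMALL_WINDOW;
        return SEND_REPLY;
    }
    /* Anything after the handshake: acknowledge it and shut the window. */
    out->flags = F_ACK;
    out->seq = in->ack;
    out->ack = in->seq + in->payload_len;
    out->window = 0;
    return SEND_REPLY;
}

int main(void)
{
    struct seg syn = { 1000, 0, 65535, F_SYN, 0 }, r;  /* constructed input */
    if (tarpit_reply(&syn, 1, 5000, &r) == SEND_REPLY)
        printf("flags=0x%02x ack=%u win=%u\n", (unsigned)r.flags, (unsigned)r.ack, (unsigned)r.window);
    return 0;
}
```

Because the peer keeps probing a zero window and every probe is answered the same way, the sending host stays tied up until its own stack or application times out.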