Home page logo

nanog logo nanog mailing list archives

Re: The impending DDoS storm
From: Aaron Hopkins <lists () die net>
Date: Wed, 13 Aug 2003 13:46:38 -0700 (PDT)

has anyone tried tarpitting eg labrea to slow the worm?

I have been using my Linux kernel module ipt_TARPIT (included in the latest
netfilter.org patch-o-matic release) to do this for any IPs on my network
lacking a route, including outbound from my customers and inbound to my
unused address space.

While it is trying to scan routeless IPs, the tarpit slows it down to
scanning 20 IPs per ~9 minutes.  (MSBlast has 20 connection slots, each
apparently timing out after ~9 minutes.)  It normally appears to have a
several second connect timeout, so this slows it down by two orders of
magnitude with a similar drop in network traffic.

                                    -- Aaron

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]