Nmap Development mailing list archives

Re: [patch] detection of tarpitted ports


From: Martin Mačok <martin.macok () underground cz>
Date: Tue, 4 Jan 2005 00:17:14 +0100

On Mon, Jan 03, 2005 at 08:26:23PM +0200, Alex R wrote:

> What are tarpitted ports?

A tarpitted port is a port that seems to be open but there is no real
service behind it. It just performs the initial TCP handshake and then
uses tricks like a zero-sized TCP window or IP MSS to "freeze" down
malicious data transfers, slowing down spammers looking for open
relays, worms walking around the net or script kiddies doing network
reconnaissance.

It could also make portscan results confusing/irrelevant when many (or
simply all) non-used ports are tarpitted (e.g. the last iptables firewall
rule is -j TARPIT instead of -j REJECT or DROP). In this case, many
(resp. all) ports seem to be open and the attacker would usually
reveal her real IP address when performing the full TCP handshake
afterwards (finding out what the hell is going on...)

On Mon, Jan 03, 2005 at 01:24:48PM -0600, Ron wrote:

> Some firewalls and software will respond using tricks like
> a 0 window size to trick portscanners into waiting for a really long
> time without learning anything useful.

To be precise, they are usually not slowing down portscanning (the initial
TCP handshake is just as fast) but the data transfers following the TCP
handshake or attempts to shut down the connection, neither of which common
portscanners do (IMHO - feel free to correct me).

Theoretically, it could freeze nmap's version scan for several minutes
but fortunately, nmap uses short timeouts when doing it (5s for every
TCP probe by default), so a version scan against a tarpitted port is just
as fast as against an open port that does not return any data to any of the
common TCP service probes (it takes a little longer than one minute
in total). With this patch, nmap does not bother to do a version scan
against tarpitted ports at all (so it is faster).

For more, browse through
http://www.hackbusters.net/LaBrea/
http://labrea.sourceforge.net/labrea-info.html
or look at netfilter/ipt_TARPIT.c

Martin Mačok
IT Security Consultant
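As an added illustration of the two tarpit tricks named in this message (not code from the thread, from nmap, or from LaBrea), the function below parses a raw SYN-ACK segment and flags the responses a scanner should not count as genuinely open. The input is assumed to be the TCP segment without its IP header, and the MSS threshold and all sample segments are constructed assumptions, not captured traffic.

```python
# Added example: classify a SYN-ACK by the zero-window and tiny-MSS tarpit tricks.
# Assumes the caller passes the TCP segment only (IP header already stripped).
import struct

SYN, ACK = 0x02, 0x10
SUSPICIOUS_MSS = 100  # assumed threshold: real stacks advertise far larger MSS values


def parse_synack(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header plus the MSS option (kind 2)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length incl. options
    options, mss, i = segment[20:data_offset], None, 0
    while i < len(options) and options[i] != 0:  # kind 0 = end of option list
        if options[i] == 1:                      # kind 1 = NOP, has no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                # malformed option: stop parsing
        if options[i] == 2 and options[i + 1] == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += options[i + 1]
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "window": window, "mss": mss}


def classify(segment: bytes) -> str:
    """Return 'open', 'tarpit:zero-window', 'tarpit:tiny-mss' or 'not-synack'."""
    h = parse_synack(segment)
    if (h["flags"] & (SYN | ACK)) != (SYN | ACK):
        return "not-synack"
    if h["window"] == 0:          # handshake completes, but no data can ever flow
        return "tarpit:zero-window"
    if h["mss"] is not None and h["mss"] < SUSPICIOUS_MSS:
        return "tarpit:tiny-mss"  # transfer crawls along one tiny segment at a time
    return "open"


def build_synack(sport: int, window: int, mss=None) -> bytes:
    """Constructed sample SYN-ACK (not a real capture) used to exercise classify()."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    off_flags = (((20 + len(opts)) // 4) << 12) | SYN | ACK
    return struct.pack("!HHIIHHHH", sport, 40000, 1, 1, off_flags, window, 0, 0) + opts


if __name__ == "__main__":
    for name, seg in {"zero-window": build_synack(25, 0),
                      "tiny-mss": build_synack(80, 5840, mss=16),
                      "normal": build_synack(22, 5840, mss=1460)}.items():
        print(name, "->", classify(seg))
```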
