Bug 222389 - Add netfilter tarpit to hardened sources?
Summary: Add netfilter tarpit to hardened sources?
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High enhancement
Assignee: The Gentoo Linux Hardened Team
URL: http://enterprise.bidmc.harvard.edu/p...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-16 12:09 UTC by Robert Piasek (RETIRED)
Modified: 2008-05-20 11:34 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Robert Piasek (RETIRED) gentoo-dev 2008-05-16 12:09:39 UTC
TARPIT was present in patch-o-matic for quite a while (it still is, but doesn't work with recent kernels). Some time ago the development was stopped and support was dropped by many distros. It was present in default gentoo patchset until somewhere 2.6.20

Some time ago someone took over this work and prepared the patches which work with recent kernels. The patches are actively developed and are available to download from:
http://enterprise.bidmc.harvard.edu/pub/tarpit-updates/

TARPIT is one of the most useful firewall rules and if used correctly can save you lots of time and network resources.
http://www.secureworks.com/research/threats/ddos/

I'm pretty sure Gentoo kernel team won't support it in default gentoo patchset, but I hope security team will take it under consideration for hardened sources.
Reproducible: Always
Comment 1 solar (RETIRED) gentoo-dev 2008-05-16 15:58:38 UTC
As noted on that site..

"Warning

Although the patches provided here are believed to be correct, they have not undergone rigorous review! They may crash your kernel - or worse!
Use them at your own risk!"


Comment 2 Robert Piasek (RETIRED) gentoo-dev 2008-05-19 07:59:06 UTC
(In reply to comment #1)
> As noted on that site..
> 
> "Warning
> 
> Although the patches provided here are believed to be correct, they have not
> undergone rigorous review! They may crash your kernel - or worse!
> Use them at your own risk!"
> 
Well it's pretty much the same way as:

"THE PROGRAM IS DISTRIBUTED IN THE HOPE THAT IT WILL BE USEFUL, BUT WITHOUT ANY WARRANTY. IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND...
...IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW THE AUTHOR WILL BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

I've been using them since they were released and they are working perfectly fine and I didn't have a single problem with them (yet?). Well, since the code is distributed under the GPL, I'm pretty sure there are some wise heads here who can take a look at it and decide if it's stable and useful enough to include in hardened sources.

Thanks for looking into it!
Comment 3 Gordon Malm (RETIRED) gentoo-dev 2008-05-20 08:23:06 UTC
(In reply to comment #2)
> (In reply to comment #1)
> I've been using them since they were released and they are working perfectly
> fine and I didn't have a single problem with them (yet?). Well since the code
> is distributed under GPL, I'm pretty sure there are some wise heads here, who
> can take a look on it and decide if that's stable and useful enough to include
> it in hardened sources.
> 
> Thanks for looking into it!
> 

I've looked into it and decided against including it in hardened-sources.

Firstly, let me say that I believe tarpitting to be a valuable tool under the right circumstances.  There is an additional older, but fine article regarding tarpitting using the TARPIT iptables patch/target here:
http://www.securityfocus.com/infocus/1723

And so I do hope you will take my recommendations at the end of my post and run with them.  I do not have the time/inclination to do it myself any time soon.

That you qualified your experience with "(yet?)" is actually quite accurate.  The TARPIT patches to the linux kernel hosted on that site have numerous issues and are most likely a stone's throw away from breaking at any time or in future kernels.

On 2005-12-22, when TARPIT was still active/"working" in netfilter patch-o-matic, David S. Miller remarked about many rather important changes that needed to be made to the TARPIT module:
http://lists.netfilter.org/pipermail/netfilter-devel/2005-December/022802.html
Most of his recommendations were never implemented.

Sometime later the TARPIT target was removed.  Jan Engelhardt inquired as to why and received the following responses from, at the time, Netfilter development lead of many years (and now chairman of the coreteam) Patrick McHardy:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/028363.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/028366.html
 
Shortly thereafter, on 2007-07-18 Jan Engelhardt posted an updated TARPIT patch (the same one hosted on the site you linked) for newer kernels:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028781.html
It had improvements (though perhaps not implemented entirely correctly) in a few areas.  The most significant was that the TARPIT target could now be used in the raw table and did not use up resources with a conntrack entry when connection tracking is in use.  However, probably not having seen David S. Miller's 2005-12-22 post, most of his criticisms had not been addressed (I checked the linked patch).  Patrick McHardy echoed many of these criticisms in his 2008-07-28 post (linked above - 028336), adding a few others.  These were not addressed either (also checked the linked patch).

So once again Patrick McHardy and many others provided helpful feedback and suggestions, witness the following exchanges (I've tried to group them in relevant order):
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028782.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028909.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028919.html -ignore bottom paragraph

http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028783.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028784.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028785.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028786.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028787.html
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028919.html -ignore all but bottom paragraph
http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028925.html

On 2007-08-06 Jan Engelhardt came back with an updated TARPIT patch:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029010.html
With a follow-up post describing one omission:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029011.html
Unfortunately the site you linked does not host this patch and someone has been forward-porting the older/flawed patch.  While it is obvious this newer patch addresses many of the shortcomings/flaws of the previous patch (I checked), I did not bother to check that all past criticisms/recommendations had been addressed in this updated patch, so there may be some left.

After waiting ~a week and receiving no response, Jan Engelhardt appears to have renewed a call for review and asked that this updated TARPIT patch be included in future Netfilter releases (and presumably pushed into the kernel):
http://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029038.html
To which the following patch-review question was asked:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029044.html

And to which the following response from Patrick McHardy regarding inclusion was received:
http://lists.netfilter.org/pipermail/netfilter-devel/2007-August/029039.html

Notice that Patrick McHardy never said "no" and in fact appeared to be interested - so long as his preconditions were met.

This post is long enough... don't get me started on the iptables patches.  Suffice it to say the situation is not good there either with complications involving compiling against certain kernel version headers, etc.

So my suggestion to you would be to pick up where this was left off in the netfilter-devel list and see if you can't find someone who is a) interested in further improving it, and b) seeing if you can't help push it along for upstream inclusion (which would really be the best solution anyway).

Closing bug, resolving UPSTREAM.
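The property Gordon points at in comment 3 (a TARPIT target that holds a connection without needing a conntrack entry) follows from how a tarpit answers packets: every reply is computed from the incoming segment alone, so the target keeps no per-connection state. The Python model below is an added example illustrating that mechanism; it is not code from this bug, from the netfilter project, or from the patches under discussion. The Segment layout, the 5-byte SYN/ACK window, the sequence numbers and the 203.0.113.0/24 and 192.0.2.0/24 addresses are constructed for the model.

```python
# Added model of how a TCP tarpit target answers packets: it is a pure
# function of the incoming segment, so it keeps no per-connection state.
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Segment:
    """The handful of TCP header fields the model needs (constructed, not a real parser)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack_seq: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    window: int = 65535
    payload_len: int = 0


# Assumed value: a tiny window lets the peer send a few bytes before it is stalled.
SYNACK_WINDOW = 5


def tarpit_reply(seg: Segment) -> Optional[Segment]:
    """Segment a tarpit sends back for `seg`, or None when it stays silent.

    Everything in the reply is derived from the incoming segment, so the
    target never has to remember a connection (the property that lets it be
    used without a conntrack entry).
    """
    # Teardown attempts get no answer: the peer is left to time out on its own.
    if seg.rst or seg.fin:
        return None
    swapped = dict(src=seg.dst, dst=seg.src, sport=seg.dport, dport=seg.sport)
    if seg.syn and not seg.ack:
        # Complete the handshake; the ISN is arbitrary because no data is ever sent.
        return Segment(seq=0, ack_seq=seg.seq + 1, syn=True, ack=True,
                       window=SYNACK_WINDOW, **swapped)
    if seg.ack:
        # Acknowledge whatever arrived and advertise a zero window: the peer
        # enters TCP persist mode and keeps probing instead of sending data.
        return Segment(seq=seg.ack_seq, ack_seq=seg.seq + seg.payload_len,
                       ack=True, window=0, **swapped)
    return None


def drive_connection(client: str, sport: int, server: str, dport: int,
                     payload_len: int, probes: int = 3) -> Dict[str, object]:
    """Model a client that connects, tries to send `payload_len` bytes, then closes.

    Returns what the client experienced; the tarpit side holds no state between calls.
    """
    syn = Segment(src=client, dst=server, sport=sport, dport=dport,
                  seq=1000, ack_seq=0, syn=True)
    synack = tarpit_reply(syn)
    if synack is None or not (synack.syn and synack.ack):
        return {"connected": False}
    # The client may only send as much as the advertised window allows.
    sent = min(payload_len, synack.window)
    data = Segment(src=client, dst=server, sport=sport, dport=dport,
                   seq=syn.seq + 1, ack_seq=synack.seq + 1, ack=True, payload_len=sent)
    ack = tarpit_reply(data)
    stalled = ack is not None and ack.window == 0
    # Zero-window probes (1 byte each) are answered, but the window never opens.
    answered = 0
    for _ in range(probes):
        probe = replace(data, seq=data.seq + sent, payload_len=1)
        r = tarpit_reply(probe)
        if r is not None and r.window == 0:
            answered += 1
    fin = replace(data, seq=data.seq + sent, payload_len=0, fin=True)
    return {
        "connected": True,
        "accepted_bytes": sent,
        "unsent_bytes": payload_len - sent,
        "stalled": stalled,
        "probes_answered": answered,
        "close_acknowledged": tarpit_reply(fin) is not None,
    }


if __name__ == "__main__":
    # Constructed client and server addresses from the documentation ranges.
    print(drive_connection("203.0.113.5", 40000, "192.0.2.1", 25, payload_len=1000))
```

Running the model shows the client getting a completed handshake, sending only the few bytes the tiny window allows, then being answered with zero-window ACKs for every probe while its FIN is ignored, which is what ties up the peer's socket for minutes. Because `tarpit_reply` consults no table, the number of connections held this way costs the tarpit side nothing per connection; the resource that does get consumed on a tracking firewall is the conntrack entry, which is why the raw-table form discussed above matters.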
Comment 4 Robert Piasek (RETIRED) gentoo-dev 2008-05-20 11:34:14 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > I've been using them since they were released and they are working perfectly
> > fine and I didn't have a single problem with them (yet?). Well since the code
> > is distributed under GPL, I'm pretty sure there are some wise heads here, who
> > can take a look on it and decide if that's stable and useful enough to include
> > it in hardened sources.
> > 
> > Thanks for looking into it!
> > 
> 
> I've looked into it and decided against including it in hardened-sources.

Gordon,

Thank you very much for looking into it. I'm sure it took quite a while of your time and I really appreciate it. Your reasons behind not including these patches in the official hardened-sources are now clear to me. Let's hope TARPIT will be included in official netfilter release one day.