Source: Vincent Liu
It’s amazing to see how big botnets can grow up till these days, and they really have plenty of computing power to spare. So what do botnet owners do with these unused free computing power after looting all valuable information from the poor victim? They waste it on scanning on any potential possibilities no matter how minute a chance of finding an opening is.
In the days when computer resources are scarce, computer bots don’t bother port scanning addresses when ping requests doesn’t provide a response. But not anymore. They know that there are people out there who are slightly more tech-savvy and do not want to be annoyed – so today’s bots have no qualms in trying to scan every single port on a network address, even if ping does not respond.
Well, my computer security philosophy is simple: scanning the ports on my computer constitutes as aggression – if you engage in such activity, then it means I am free to retaliate in response to it.
Even so, I do not mean launching an attack on the infected computer; but I’ll make your bots waste it’s resources by making connections that leads to a dead end. On the flip side, in the process of doing that, this scheme will not waste my own resources by doing it. Typically, an activity like this is termed as ‘tarpitting’. So let’s see how we can set up a tarpit to fight these bots.
Patching the Kernel
In order to perform tarpitting, we need to rely on Linux’s firewall, iptables and the ‘tarpit’ module. But since the ‘tarpit’ module on iptables isn’t supported on default on Debian/Ubuntu anymore, the only way to enable it is to patch the kernel and recompile it. This may sound daunting to a novice user, but there really isn’t a need to; all you need is just some basic knowledge and patience to set things up.
Firstly, a patch to the kernel becomes necessary. It’s currently unofficially maintained at http://enterprise.bih.harvard.edu/pub/tarpit-updates/, and marked as being ‘unsupported’ or ‘obsolete’ by netfilter team themselves, which essentially means use at your own risk! I’m usually a risk-taker (only when it comes to computer software 😉 so it’s not a big issue. You should work out if this is right for you.
You’ll first need to download the kernel sources, and set up the corresponding environment for recompiling your kernel. A detailed step-by-step procedure is provided in the Ubuntu Wiki. I’m just going to skim through the details from the wiki, and show you the commands that is relevant for version Ubuntu Intrepid:
% apt-get install linux-kernel-devel fakeroot build-essential makedumpfile % apt-get install build-dep linux % apt-get source linux-source
Now you need to find out what version of the kernel you’re running before you can download and apply the corresponding patch. The version is shown as the directory name of the source you’ve downloaded, eg:
% ls -l /usr/src/ linux-source-2.6.27
What we are interested is the number indicated in bold. In my case, it’s 2.6.27. We need to do a few things here: firstly we want to inherit all the old configuration that came with your currently working kernel, so that the newly compiled kernel will be the same as the original. Then we can download the patch and apply it to the linux source, so that only change is the addition of the tarpit feature:
% cd /usr/src/linux-source-2.6.27 % make oldconfig % wget http://enterprise.bih.harvard.edu/pub/tarpit-updates/tarpit-2.6.27.patch % patch -p1 < tarpit-2.6.27.patch
The patch should apply cleanly, which means now you have the tarpit feature in the kernel. But that’s not enough, you need to make sure tarpit is compiled, as a module generally. To do this run:
% make menuconfig
'M' from the menu options
Networking Support -> Network packet filtering framework (Netfilter) ->Core Netfilter Configuration -> "TARPIT" target support.
This is when you need to sit back, go make yourself a cup of coffee, and be patient. On my 500Mhz Celeron box, it took about 6-8 hours of compilation time on a Saturday morning. Essentially, I just left it compiling while I went out to enjoy a bit of the sunshine – you should too, especially if you are compiling on a slow computer like me.
There really isn’t anything too exciting watching a computer churn out code, kind of like watching grass grow. 🙂
Issue the following commands to start the compiling process, and then wait:
make-kpkg clean # only needed if you want to do a "clean" build fakeroot make-kpkg --initrd --append-to-version=-tarpit kernel-image kernel-headers
If Ubuntu complains about not finding make-kpkg, then you may have to install ‘kernel-package’ (
apt-get install kernel-package). This will start off the compilation. Once you’ve completed there should be 2 Debian packages resulting from the compilation. All that’s left to do is to install them:
% ls *.deb linux-headers-220.127.116.11-tarpit_18.104.22.168-tarpit-10.00.Custom_i386.deb linux-image-22.214.171.124-tarpit_126.96.36.199-tarpit-10.00.Custom_i386.deb % dpkg -i linux-image-188.8.131.52-tarpit_184.108.40.206-tarpit-10.00.Custom_i386.deb % dpkg -i linux-headers-220.127.116.11-tarpit_18.104.22.168-tarpit-10.00.Custom_i386.deb
The installer will make modifications to the boot loader (usually GRUB these days), and adds two new entries into your boot menu. If you haven’t made any customised changes to it, usually the installation process will not require any intervention and should complete automatically.
Reboot your computer and you’re set for setting a tarpit up!
Configuring ‘iptables’ for Tarpitting
To utilise tarpit, you need to configure the rules on your firewall (iptables) to tarpit on incoming connections. There are plenty of excellent tutorials out there explaining how to use iptables to achieve what you want to do with your firewall, and it’s beyond the scope of my entry to cover it all here. I’ll just give a few simple examples on how you can use it to waste the resources of bots and spammers.
To tarpit SMTP connections (assuming that you are not running an SMTP server):
iptables -A INPUT -p tcp -m tcp --dport 25 -j TARPIT
To tarpit incoming botnet bruteforce attacks on SSH:
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --rsource iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rsource -j TARPIT
The example limits SSH attempts to 2 connections in 60 seconds. And if any connection tries to connect at a rate higher than that, then the connection is sent to the tarpit immediately. My actual configuration is even more stringent than that; given that my SSH connections are verified by keys and not by password, there is never a chance that I could have sent a wrong password and hence tarpitting myself. For an average user who accidentally connects to my server, it isn’t really too much of a problem – the connection will eventually time out.
But lets see what happens when a spambot tries to connect repeatedly. I’ll simulate this by using nc to act as a spammer. Let see what happens when I set the rule to just DROP:
# iptables -I INPUT 1 -p tcp -m tcp --dport 25 -j DROP # nc localhost 25 ^C # nc localhost 25 ^C # nc localhost 25 ^C # nc localhost 25 ^C # nc localhost 25 ^C # netstat -apn Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4227/sshd
DROP just does what it’s told; that is to drop the packet, and that’s the end of the story. The spambot will just shrug its shoulders and move on to find another spamming target. But see what happens when when we turn tarpitting on:
# iptables -D INPUT 1 # iptables -I INPUT 1 -p tcp -m tcp --dport 25 -j TARPIT # nc localhost 25 ^C # nc localhost 25 ^C # nc localhost 25 ^C # nc localhost 25 ^C # nc localhost 25 ^C # netstat -apn Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4227/sshd tcp 0 1 127.0.0.1:36183 127.0.0.1:25 FIN_WAIT1 - tcp 0 1 127.0.0.1:36185 127.0.0.1:25 FIN_WAIT1 - tcp 0 1 127.0.0.1:36184 127.0.0.1:25 FIN_WAIT1 - tcp 0 1 127.0.0.1:36181 127.0.0.1:25 FIN_WAIT1 - tcp 0 1 127.0.0.1:36182 127.0.0.1:25 FIN_WAIT1 -
As you can see, the connections are stuck in the FIN_WAIT1 state, waiting for socket time outs to occur. So tarpitting works like a reverse syn-flood attack, but in this case the ‘damage’ is self-inflicted – the more aggressive a spambot is in trying to make a connection to us, the more it gets its resources exhausted. This helps to use up the computing resources of the spam computer, and engaging it in unproductive activities, thus preventing it from spamming more targets.
What if the 90% of the world Tarpits?
Unfortunately, most spambot code writers have wisen up to these techniques, and correspondingly have adapted their system to make their socket timeouts relatively short, thereby minimising the impact of such a defensive system. However, if most of the computer systems in the world utilises such a system, it will make it prohibitively expensive for spammers to engage in such activities.
But the reality is, the majority of computer users do not understand the implications of this philosophy for it to work out. In fact, tarpitting will have been a good way of deterring most spam without adding more costs to paying customers like us. Imagine if 90% of all the computers are adversarial like this; then spam bots will have been wasting their resources 90% of the time. That should make the economics of spam a bad proposition to spammers, rather than the reverse situation we are having today – the majority of spam is handled by ISP’s filtering, wasting 90% of the Internet’s email traffic on spam, annoying email users, and charging consumers money to take away the problem.
If you haven’t noticed it yet, in essence, we are indirectly paying for the costs these spammers incur. And that pisses me off.
As a parting note to my post, I hate all spammers with a passion, so let this be a warning to all link-spammers on my blog – as much as I dislike spammers that I’ll tarpit their connections, I do not take kindly to your link spam on my blog. Don’t even bother do try, they are screened, and if your comments are just superficial irrelevant stuffs, you can bet your ass that it’s never going to see the light of the day! And don’t ever let me get my hands on your IP address … 😛