Setting up a tarpit on Ubuntu Linux
Source: Vincent Liu
It’s amazing to see how big botnets can grow up till these days, and they really have plenty of computing power to spare. So what do botnet owners do with these unused free computing power after looting all valuable information from the poor victim? They waste it on scanning on any potential possibilities no matter how minute a chance of finding an opening is.
In the days when computer resources are scarce, computer bots don’t bother port scanning addresses when ping requests doesn’t provide a response. But not anymore. They know that there are people out there who are slightly more tech-savvy and do not want to be annoyed – so today’s bots have no qualms in trying to scan every single port on a network address, even if ping does not respond.
Well, my computer security philosophy is simple: scanning the ports on my computer constitutes as aggression – if you engage in such activity, then it means I am free to retaliate in response to it.
Even so, I do not mean launching an attack on the infected computer; but I’ll make your bots waste it’s resources by making connections that leads to a dead end. On the flip side, in the process of doing that, this scheme will not waste my own resources by doing it. Typically, an activity like this is termed as ‘tarpitting’. So let’s see how we can set up a tarpit to fight these bots.
Patching the Kernel
In order to perform tarpitting, we need to rely on Linux’s firewall, iptables and the ‘tarpit’ module. But since the ‘tarpit’ module on iptables isn’t supported on default on Debian/Ubuntu anymore, the only way to enable it is to patch the kernel and recompile it. This may sound daunting to a novice user, but there really isn’t a need to; all you need is just some basic knowledge and patience to set things up.
Firstly, a patch to the kernel becomes necessary. It’s currently unofficially maintained at http://enterprise.bih.harvard.edu/pub/tarpit-updates/, and marked as being ‘unsupported’ or ‘obsolete’ by netfilter team themselves, which essentially means use at your own risk! I’m usually a risk-taker (only when it comes to computer software 😉 so it’s not a big issue. You should work out if this is right for you.
You’ll first need to download the kernel sources, and set up the corresponding environment for recompiling your kernel. A detailed step-by-step procedure is provided in the Ubuntu Wiki. I’m just going to skim through the details from the wiki, and show you the commands that is relevant for version Ubuntu Intrepid:
% apt-get install linux-kernel-devel fakeroot build-essential makedumpfile % apt-get install build-dep linux % apt-get source linux-source
Now you need to find out what version of the kernel you’re running before you can download and apply the corresponding patch. The version is shown as the directory name of the source you’ve downloaded, eg:
% ls -l /usr/src/ linux-source-2.6.27
What we are interested is the number indicated in bold. In my case, it’s 2.6.27. We need to do a few things here: firstly we want to inherit all the old configuration that came with your currently working kernel, so that the newly compiled kernel will be the same as the original. Then we can download the patch and apply it to the linux source, so that only change is the addition of the tarpit feature:
% cd /usr/src/linux-source-2.6.27 % make oldconfig % wget http://enterprise.bih.harvard.edu/pub/tarpit-updates/tarpit-2.6.27.patch % patch -p1 < tarpit-2.6.27.patch
The patch should apply cleanly, which means now you have the tarpit feature in the kernel. But that’s not enough, you need to make sure tarpit is compiled, as a module generally. To do this run:
% make menuconfig
And select 'M' from the menu options Networking Support -> Network packet filtering framework (Netfilter) ->Core Netfilter Configuration -> "TARPIT" target support.
