iptables: tarpit
David Bandel
david.bandel
Tue Sep 5 17:11:18 PDT 2006
On 9/5/06, Man-wai CHANG <mwchang at i-cable.com> wrote:
> > communications are impossible, it does however, tie up the queue. So
> > the connection remains active because the bad guy can't send a FIN.
> >
> > A few of these and the bad guy's server slows waaaaayyyyyyy down.
>
> Don't understand why the kernel didn't bundle this target. Right now, I
> need to use patch-o-matic to enable it.

Because most distributions I know have made the decision that this
particular target is evil (it is, at the very least, nasty), and have
deliberately not put it into general circulation. Those astute
enough to patch up their distro with this are hopefully smart enough
to understand the consequences of its use (and misuse). BTW, it will
also tie up resources on your system for a long time as well, so use
on a production system is not very bright. Put this on a system that
does nothing but tarpit (a system with no DNS entries and no links
pointing to its IP and not running any services).

Don't fault folks for not handing you a loaded weapon and helping you
point said weapon at your own feet.

Ciao,

David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto