Package: xtables-addons-dkms
Version: 3.23-1
Severity: wishlist

Dear Maintainer,

I am just thinking of installing a tarpit on my host. I read various docs found on the net. People mention a potential problem: connection tracking may exhaust a lot of local resources. Flávio Veloso Soares explains on page https://gist.github.com/flaviovs/103a0dbf62c67ff371ff75fc62fdded3 how to avoid this locally with raw table rules, but IMHO this makes life complicated. Also, as mentioned by others elsewhere, routers between the attacker and us may also have connection tables that can be filled up. (E.g. https://sysadminblog.net/2013/08/debian-iptables-tarpit/)

Maybe I found an elegant solution. Instead of playing with NOTRACK, immediately after we send the ACK packet with zero window size, we should send an RST packet too, but with a _very low_ TTL, e.g. 5. So the local kernel can forget the connection as usual, and so can the nearby (and potentially NATting) routers. But the RST packet won't reach the attacker host. (Unless we get friendly fire from the next room. In other words, the local IT department can execute legitimate port scans scot-free.)

The only drawback I can see is that a router answers our RST with an ICMP Time Exceeded packet.

What is your opinion? Is this technically possible? (I am not an experienced kernel developer.)

Cheers
Gabor
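To make the proposal concrete, here is an added example (not part of the bug report or of xtables-addons) that builds the proposed RST segment with its IP TTL field set low and works out which hops on the path see it before it expires; the addresses, ports and sequence number are constructed sample values.

```python
import ipaddress
import struct

PROTO_TCP = 6
TCP_RST = 0x04  # only RST set, no ACK, as the proposal describes


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(packet: bytes) -> bytes:
    """IPv4 pseudo-header for the TCP checksum, taken from the packet's own IP header."""
    return packet[12:20] + struct.pack("!BBH", 0, PROTO_TCP, len(packet) - 20)


def build_tarpit_rst(src_ip, dst_ip, src_port, dst_port, seq, ttl=5) -> bytes:
    """IPv4 + TCP segment with only RST set and the IP TTL clamped to `ttl` hops."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    # TCP header: data offset 5 words, RST flag, window 0, checksum placeholder, urgent 0
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, TCP_RST, 0, 0, 0)
    # IP header with checksum placeholder; DF set, no fragmentation, TTL as requested
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp_csum = _checksum(_pseudo_header(ip + tcp) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    return ip + tcp


def checksums_valid(packet: bytes) -> bool:
    """Both header checksums verify: a receiver's sum over the sent bytes comes out zero."""
    return _checksum(packet[:20]) == 0 and _checksum(_pseudo_header(packet) + packet[20:]) == 0


def rst_reach(ttl: int, routers_on_path: int) -> tuple:
    """(routers that see the RST, whether the remote host receives it).
    Each router decrements TTL; the one that would take it to 0 drops it and
    answers with ICMP Time Exceeded, so the peer only sees it when ttl > routers."""
    return min(ttl, routers_on_path), ttl > routers_on_path
```

With the default TTL of 5, `rst_reach(5, 12)` shows all five nearby routers seeing the RST while the twelve-hop peer never does, which is the behaviour the proposal relies on.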

