
The Scanner Tarpit HOWTO

John D. Hardin <jhardin@impsec.org>

$Revision: 0.15 $ $Date: 2006-12-15 21:03:16-08 $
How to configure a Linux firewall protecting a publicly-accessible (boundary, DMZ) network to detect worms' and attackers' scanning activity and react in real time to block and interfere with that scanning activity. A discussion of reporting tools and possible extensions is also included, with details for setting up an SMTP-only tarpit.

1. Introduction

2. Background Knowledge

3. Planning

4. Detecting and blocking scans of the boundary network

5. Tarpitting the scanner or worm

6. Reporting scanning activity

7. Protecting individual computers

8. Possible extensions

