Welcome to the TARPIT update area.

Introduction

The Linux kernel's netfilter network component sports a variety of targets for its firewall rules, such as DROP, REJECT and so on. The netfilter team has a bunch of additional targets, not currently included in the main-line kernel, that can be added to this core set by downloading patch-o-matic from their site and using it to automatically patch the linux kernel source.

One of the optional netfilter targets offered via patch-o-matic is TARPIT, which traps and holds incoming TCP connections by forcing them into a "zero-window" condition in which the sending side becomes stuck, eventually timing out the connection (typically in 12 to 24 minutes). This functionality is substantially similar to LaBrea, but requires no dedicated hardware or additional resources.

Tar-pitting is an extremely useful technique for slowing down computer malware (particularly worms) by trapping that malware as it attempts to spread itself to nearby targets.

Unfortunately, the TARPIT target, originally written by Aaron Hopkins at die.net, is unmaintained in the publicly available patch-o-matic. The TARPIT target there will not compile in a kernel more modern than 2.6.18.

Updating the Code

Fortunately, Jan Engelhardt at gmx.de kindly re-wrote TARPIT for the 2.6.22 kernel release, the patch for which he posted to the netfilter-devel mailing list. As a courtesy, his patch has been made available in an easily-downloadable form here on this site, along with updates for more recent kernels. Additionally, for the interim kernel releases 2.6.19 through 2.6.21, the patch-o-matic TARPIT directory has been updated here to allow Aaron Hopkins's code to compile.

Alas, TARPIT support was removed from iptables-1.3.8 along with other extensions that were labeled "obsolete" or "unmaintained." A patch is being provided here against iptables-1.3.8 and 1.4.0 to add TARPIT support back in.

Warning

Although the patches provided here are believed to be correct, they have not undergone rigorous review! They may crash your kernel - or worse!
Use them at your own risk!

It is assumed that you are already familiar with how to patch and build your own Linux kernel! If you do not know how, please ask a knowledgeable admin to assist you.

Downloads

For kernels 2.6.22 and newer…

• tarpit-2.6.22.patch
  Jan Engelhardt's re-write of TARPIT for the 2.6.22 kernel.
  localhost:~# cd /usr/src/linux-2.6.22
  localhost:/usr/src/linux-2.6.22# patch -p1 -NE < ~/tarpit-2.6.22.patch
  Patching drivers/char/random.c
Patching net/netfilter/Kconfig
Patching net/netfilter/Makefile
Patching net/netfilter/xt_TARPIT.c
localhost:/usr/src/linux-2.6.22# make oldconfig && make …
• tarpit-2.6.23.patch
  An update of tarpit-2.6.22.patch for the 2.6.23 Linux kernel.
• tarpit-2.6.24.patch
  An update of tarpit-2.6.22.patch for the 2.6.24 Linux kernel.
• tarpit-2.6.25.patch
  An update of tarpit-2.6.22.patch for the 2.6.25 Linux kernel.
• tarpit-2.6.26.patch
  An update of tarpit-2.6.22.patch for the 2.6.26 Linux kernel.

For older kernels 2.6.19 through 2.6.21…

• Please see the old patch-o-matic directory for patches against POM.

For iptables-1.3.8 and newer (which had tarpit support removed)…

• iptables-1.3.8-tarpit.diff
  A patch against iptables-1.3.8.tar that will add back TARPIT support.
  localhost:~$ tar xzf tarpit-1.3.8.tar.gz
  localhost:~$ cd tarpit-1.3.8
  localhost:~/tarpit-1.3.8$ patch -p1 -NE < ~/iptables-1.3.8-tarpit.diff
  Patching extensions/libipt_TARPIT.c
Patching extensions/libipt_TARPIT.man
Patching extensions/.TARPIT-test
localhost:~/tarpit-1.3.8$ chmod +x extensions/.TARPIT-test
  localhost:~/tarpit-1.3.8$ make && sudo make install …
• iptables-1.4.0-tarpit.diff
  A patch against iptables-1.4.0.tar that will add back TARPIT support.

Notes

The iptables package that usually ships with most Linux distributions generally contains support for TARPIT if its version is up to and including 1.3.7. If that is true, you do not need to apply the iptables-1.3.8-tarpit.diff file. Your OS vendor may have preserved tarpit support in newer versions; you can probably tell by executing "man iptables" and looking for the documentation for TARPIT.

When buildling iptables-1.3.8 or newer, make sure you set the executable bit on the hidden extensions/.TARPIT-test file as illustrated above, else the extension will not be included in the package.

The 1.3.8 version of iptables does not seem to work correctly when built against kernel 2.6.24; any operation attempted returns with "error 0". If you prefer the 1.3.8 version over the newer 1.4.0, try building with the headers from kernel 2.6.23 or earlier.

After applying tarpit-2.6.22.patch (etc) against your kernel source, don't forget to re-make your config, selecting the TARPIT target in the affirmative (or with "M" for a module).