2011-04-06

[en] a portscanner killer

Here is a small tool I wrote a while ago: ipqRST
To use it, rewrite your iptables rules so that the rules matching closed ports end in -j QUEUE instead of -j DROP or -j REJECT, and make sure ipqRST2.pl is running as root somewhere (screen or nohup will help you).
Do not use it on open ports as you might disrupt your applications or open holes in your filtering policy!

How it works: each packet queued to the tool is held for a short time before it is let through. Little by little, the RTT the scanner measures to the target appears to grow.
This severely disrupts several well-known port scanners, which slow down to a crawl.
Nessus is immune to that, by the way...

You should not use this toy in production. A firewall that returns rate-limited ICMP errors is already very effective against port scanners, i.e. you should prefer iptables -j REJECT to iptables -j DROP.
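The rule layout described above, written out as an added example (this is not ipqRST's own code and is not part of the original post). Open ports are accepted explicitly and every other new TCP connection is sent to a dedicated CLOSED chain, so the QUEUE verdict can only ever touch closed ports. The same chain can be built in the production form the post recommends, a rate-limited REJECT followed by DROP. The port list, the rate limit and the chain name are constructed values; IPT defaults to echo so the script only prints the rules until you set IPT=iptables and run it as root. Note that the QUEUE target relies on the old ip_queue module, which later kernels removed in favour of NFQUEUE.

```shell
#!/bin/sh
# Added example, not the ipqRST project's own code.
#   MODE=queue  -> hand closed-port packets to userspace (-j QUEUE) for ipqRST2.pl
#   MODE=reject -> production setting: rate-limited ICMP port-unreachable, then DROP
# IPT defaults to "echo" (dry run, prints the rules); set IPT=iptables to apply.
# OPEN_PORTS, the CLOSED chain name and the 5/s limit are constructed sample values.
IPT="${IPT:-echo}"
OPEN_PORTS="${OPEN_PORTS:-22 80 443}"

closed_port_rules() {
    mode="$1"
    # Create the chain, or flush it if it already exists.
    $IPT -N CLOSED 2>/dev/null || $IPT -F CLOSED
    case "$mode" in
        queue)
            # Toy mode from the post: only closed ports reach this chain,
            # so queuing here cannot stall a real service.
            $IPT -A CLOSED -j QUEUE
            ;;
        reject)
            # Production mode: answer quickly, but cap the ICMP rate so the
            # host is neither a silent black hole nor an ICMP amplifier.
            $IPT -A CLOSED -m limit --limit 5/s --limit-burst 20 \
                -j REJECT --reject-with icmp-port-unreachable
            $IPT -A CLOSED -j DROP
            ;;
        *)
            echo "usage: closed_port_rules queue|reject" >&2
            return 1
            ;;
    esac
}

input_rules() {
    # Replies to connections we opened, and loopback, are always fine.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Open ports are listed explicitly and accepted on the SYN.
    for p in $OPEN_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" --syn -j ACCEPT
    done
    # Every other connection attempt targets a closed port.
    $IPT -A INPUT -p tcp --syn -j CLOSED
}

build_firewall() {
    closed_port_rules "$1" && input_rules
}

# Usage: IPT=iptables sh firewall.sh reject   (or: queue, with ipqRST2.pl running)
if [ $# -gt 0 ]; then
    build_firewall "$1"
fi
```

Because the CLOSED chain is referenced only from the final catch-all rule, adding a new service means adding it to OPEN_PORTS rather than editing the closed-port handling, which is what keeps the QUEUE verdict away from open ports as the post warns.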