
#2 Spoof Server Banners

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-08-24
Created: 2006-12-10
Creator: John Hardin
Private: No

If a client application (for example, a spambot) is written to wait for the server's greeting banner before transmitting anything, and that wait is in a timeout-exit block, then the client may not be effectively tarpitted: the client won't see the greeting banner it expects to see, and will give up within a relatively short period of time. The tarpit only becomes truly effective when the client tries to transmit data.

This patch adds the ability to send a spoofed server greeting banner in the SYN+ACK response packet, and provides banners for SMTP and FTP. Hopefully this will cause the client to start sending its data and thus tarpit it most effectively.

An obvious refinement is to add the ability to provide additional port:string pairs via external configuration, so that the banners may be customized without recompiling.
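As an added illustration of the behaviour described above (not code from the patch or from LaBrea itself): a loopback model in which a client waits for the greeting inside a timeout-exit block, against a tarpit that either stays silent or sends a spoofed banner. It sends the banner after the connection is accepted rather than inside the SYN+ACK, which is the part the real patch does at the packet level; the hostnames and banner text are constructed for the example.

```python
import socket
import threading

# Port -> greeting table in the spirit of the SMTP/FTP banners the patch
# provides; the hostnames and banner text are constructed for this example.
GREETING_BANNERS = {
    25: b"220 mail.example.invalid ESMTP ready\r\n",
    21: b"220 ftp.example.invalid FTP server ready\r\n",
}

def banner_for_port(port):
    """Spoofed greeting for a tarpitted service port, None if not impersonated."""
    return GREETING_BANNERS.get(port)

def simulate(banner, client_patience):
    """One loopback scenario: a client that waits for the greeting inside a
    timeout-exit block, against a tarpit that sends `banner` or stays silent.
    Returns 'client_sent_data' if the client committed data, else 'client_gave_up'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    release = threading.Event()
    outcome = {}

    def tarpit_side():
        conn, _ = listener.accept()
        with conn:
            if banner:
                conn.sendall(banner)  # the spoofed greeting
            release.wait()            # hold the peer, never answer it
            conn.settimeout(0.5)      # then see whether it committed any data
            try:
                outcome["data"] = conn.recv(4096)
            except socket.timeout:
                outcome["data"] = b""

    worker = threading.Thread(target=tarpit_side)
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.settimeout(client_patience)   # the client's timeout-exit block
        try:
            client.recv(1024)                # wait for the greeting...
            client.sendall(b"EHLO spambot.invalid\r\n")  # ...then start talking
        except socket.timeout:
            pass                             # no greeting: give up quickly
        release.set()
        worker.join()
    listener.close()
    return "client_sent_data" if outcome["data"] else "client_gave_up"
```

With no banner the client escapes after its short timeout having sent nothing; with the banner it commits data to a peer that will never answer, which is the state in which the tarpit actually holds it.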

If you want to tarpit only a particular service, you also need the BPF-Capture patch:

http://sourceforge.net/tracker/index.php?func=detail&aid=1612799&group_id=70896&atid=529395

and the capture segfault bugfix patches:

http://sourceforge.net/tracker/index.php?func=detail&aid=1612677&group_id=70896&atid=529393

so that you can turn off IP Capture.

If you set up a specific server tarpit on a given host, remember to use a BPF filter like:

dst host my.svr.ip.addr and tcp dst port (21 or 25)

so that only the desired traffic is seen by LaBrea. (Note the pcap filter qualifier order: the protocol comes before the direction, so it is "tcp dst port", not "dst tcp port".)

Discussion

  • John Hardin - 2006-12-16

    Missed a line in the patch...
    File Added: spoof_server_greeting_banner.patch
