
Iptables TARPIT capability?

DrPozo

Occasional Visitor
I would like to have the iptables TARPIT capability on my RT-AC68U, however I think this is not possible because it would conflict with the closed source pieces of the firmware?

The iptables TARPIT capability is described here:

~/asuswrt-merlin/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/Kconfig
"Adds a TARPIT target to iptables, which captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes."

In other words, you can give those Internet port scanners a really bad day, by crashing their systems. Heh.

At first, I thought this would be just an easy fix to the firmware.

Just copy this file:
~/asuswrt-merlin/release/src-rt/linux/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c
To here:
~/asuswrt-merlin/release/src-rt-6.x.4708/linux/linux-2.6.36/net/ipv4/netfilter/ipt_TARPIT.c

But then I realized that some data structures in the following files must also be updated. Just minor updates. However, I worry because I don't want to break binary compatibility with the closed source pieces and possibly brick my router.
~/asuswrt-merlin/release/src-rt-6.x.4708/linux/linux-2.6.36/include/linux/skbuff.h
~/asuswrt-merlin/release/src-rt-6.x.4708/linux/linux-2.6.36/include/net/route.h


Is there a list of the data structures used by the closed source pieces of the firmware?

Or, maybe someone has already gotten the TARPIT capability to work on their ARM router?
Why would you want to run this? To crash or deter port scanners? Not all scanners are "bad guys"...

I would rather encourage more defensive methods like having proper security & as few open ports as possible.
 
Anything that touches skbuff is a no-go, as it's used by the wireless driver. That's why 2.6.36 didn't offer IMQ support, for instance.

Nobody knows which structures are sensitive, since the code is closed source.
 
Anything that touches skbuff is a no-go, as it's used by the wireless driver.
I think it was this data structure that I once added members to, and my RT-AC68U would crash immediately after power on. Had to use the bootloader TFTP recovery to revert the firmware.
 
Why would you want to run this?
I see the same guys probing my router 2-3 times per day. Assuming they're all "good guys", it's a little "tough love" from me to them.
 
Tarpit on a low resource device like a consumer Router/AP - not a good idea...

The NAT/SPI firewall already in place considers those resources...
 
I see the same guys probing my router 2-3 times per day. Assuming they're all "good guys", it's a little "tough love" from me to them.

If you constantly see the same IP, then report them to the proper ISP.

You literally cannot stop scans like that. If you want to research the scanners, then setup a honeypot to see what their intentions are.
 
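One way to act on the honeypot suggestion above, as an added example that is not from the thread or from asuswrt-merlin: a small Python TCP honeypot that accepts a connection, records the source and the first bytes the client sends, and closes without speaking any protocol, plus a summary that lists the sources hitting it repeatedly (the "same guys 2-3 times per day" case) with the ports they touched and what they appeared to want, which is the information an ISP abuse report needs. The probe record layout, the function and class names and the intent heuristics in classify_probe are this example's own assumptions. It is meant to run on a host behind the router that you forward a probed port to, not inside the firmware.

```python
import socket
import threading
import time
from collections import defaultdict

# Probe record layout (assumed for this example, not from the thread):
# {"ts": epoch seconds, "src": "a.b.c.d", "dst_port": int, "payload": bytes}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT", b"DELETE")


def classify_probe(payload: bytes) -> str:
    """Guess what a scanner wanted from the first bytes it sent after connecting.
    A connect with no data at all is the usual signature of a plain port scan."""
    if not payload:
        return "connect-only"
    if payload.startswith(b"SSH-"):
        return "ssh-client"
    # TLS record header: type 0x16 (handshake), major version 3, handshake type 1 = ClientHello
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-clienthello"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request"
    return "unknown"


def repeat_sources(events, min_hits=2, since=None):
    """Sources with at least min_hits probes (optionally only those at or after `since`),
    most active first, with the ports each one touched and the intents seen."""
    by_src = defaultdict(list)
    for ev in events:
        if since is None or ev["ts"] >= since:
            by_src[ev["src"]].append(ev)
    out = []
    for src, evs in by_src.items():
        if len(evs) >= min_hits:
            out.append({
                "src": src,
                "hits": len(evs),
                "ports": sorted({ev["dst_port"] for ev in evs}),
                "intents": sorted({classify_probe(ev["payload"]) for ev in evs}),
            })
    return sorted(out, key=lambda r: (-r["hits"], r["src"]))


class Honeypot:
    """Listen, record source and first bytes, then close. It never answers the
    protocol and keeps no per-connection state, so it stays cheap to run."""

    def __init__(self, host="127.0.0.1", port=0, first_bytes=128, read_timeout=1.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]  # port 0 above means "pick a free one"
        self.first_bytes, self.read_timeout = first_bytes, read_timeout
        self.events = []
        self._lock = threading.Lock()

    def serve_one(self):
        conn, (src, _) = self.sock.accept()
        conn.settimeout(self.read_timeout)  # a silent client only costs us this long
        try:
            data = conn.recv(self.first_bytes)
        except (socket.timeout, ConnectionError):
            data = b""
        finally:
            conn.close()
        ev = {"ts": time.time(), "src": src, "dst_port": self.port, "payload": data}
        with self._lock:
            self.events.append(ev)
        return ev

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    # Loopback demonstration: three constructed probes against our own listener.
    hp = Honeypot()
    t = threading.Thread(target=lambda: [hp.serve_one() for _ in range(3)])
    t.start()
    for payload in (b"", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"):
        with socket.create_connection(("127.0.0.1", hp.port)) as c:
            if payload:
                c.sendall(payload)
    t.join()
    hp.close()
    for row in repeat_sources(hp.events):
        print(row)
```

The summary deliberately keys on the source address and the port list rather than on payload contents, since most of what a home router sees is connect-only scanning; the first-bytes capture is there to separate a mass scanner from someone actually trying a login or a web exploit path before you decide whom to report.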