Monthly Archives: November 2015

Pen 0.32.0 released

Available here:

http://siag.nu/pub/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

Pen 0.32.0 adds tarpit functionality to the Direct Server Return mode. The purpose of tarpitting is to make network scanning harder by producing lots of false positives.

Full list of changes from 0.31.1:

151123 Released 0.32.0.

151120 Added tarpit test case to testsuite.sh.

151117 Tarpit functionality to be used with the DSR mode.

151112 pen.1: removed obsolete -S option, updated defaults for -x and -L.


Tarpit support in Pen

Pen 0.32 will have built-in tarpit support in its Direct Server Return mode. The feature is enabled by specifying an access control list against which incoming requests are matched. Matching destination addresses will make Pen do two things:

1. Reply to ARP requests to such addresses.
2. Reply to TCP SYN with SYN+ACK.

The idea behind tarpitting is to slow down network scanning by giving lots of false positives. Pen does this with very little load and without having to manage any state.

Here is an example command line.

pen -df -O "acl 1 permit 192.168.2.11" -O "tarpit_acl 1" -O "dsr_if eth1" 192.168.2.10:80 192.168.2.2 192.168.2.3

Let’s go through that option by option.

acl 1 permit 192.168.2.11 creates an entry in access list 1 which matches IP address 192.168.2.11. All other IP addresses will be rejected.

tarpit_acl 1 makes Pen use access list 1, the one with 192.168.2.11 as its sole entry, to match destination addresses.

dsr_if eth1 makes Pen use eth1 as the network interface where all direct server return processing is performed.

192.168.2.10:80 is the address and port where Pen listens for legitimate requests. They will be forwarded to the backend servers.

192.168.2.2 and 192.168.2.3 are the backend servers. They have web servers listening on port 80 and IP address 192.168.2.10 configured on a loopback interface. See the Wiki.

Let’s try making a legitimate request.

ulric@debtest:~/Git/pen$ curl http://192.168.2.10/cgi-bin/remote_addr
192.168.1.1

That worked fine. Frames from us go to Pen, Pen forwards them to one of the web servers, the web server replies directly to us. In Wireshark we see:

[Wireshark screenshot: dsr]

But what happens when we try the same thing on a tarpitted address?

ulric@debtest:~/Git/pen$ curl http://192.168.2.11/cgi-bin/remote_addr
^C

It just hangs. We send SYN, Pen replies with SYN+ACK, we send ACK and think that the TCP handshake is done. So we send the HTTP request, which Pen ignores. We send it again. Pen ignores it again, and so on. Here’s what that looks like in Wireshark:

[Wireshark screenshot: tar]

Access control lists are a very flexible way to control the tarpit functionality in Pen and have it tarpit every address in a subnet (except those that shouldn’t). As an example, think of a network with the following hosts:

192.168.2.1 gateway
192.168.2.2 web server 1
192.168.2.3 web server 2
192.168.2.10 load balanced address

The corresponding ACL would be created like this:

acl 1 deny 192.168.2.1
acl 1 deny 192.168.2.2
acl 1 deny 192.168.2.3
acl 1 deny 192.168.2.10

Anything Pen sees that is not destined for one of these addresses will be tarpitted.
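To make the two mechanisms above concrete, here is a small C model of the stateless tarpit decision and of the ACL matching used in both examples. This is an added illustration, not code from Pen's source. It assumes that, when no entry matches, an ACL's result is the opposite of its last entry's action (inferred from the two examples on this page rather than stated by them) and that an empty ACL matches nothing; the frame structure, the function names and the constructed sample frames are the example's own.

```c
/*
 * Added example, not Pen's own code: a model of the stateless tarpit decision
 * described above.  Assumption: with no matching entry an ACL yields the
 * opposite of its last entry's action (inferred from the page's examples);
 * an empty ACL matches nothing.  Addresses are host-order uint32_t.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

struct acl_entry { uint32_t addr, mask; int permit; };
struct acl { struct acl_entry e[32]; int n; };

enum frame_kind { FRAME_ARP_REQUEST, FRAME_TCP, FRAME_OTHER };
struct frame { enum frame_kind kind; uint32_t dst_ip; uint8_t tcp_flags; uint32_t seq; };

enum tarpit_action { TP_NOT_TARPITTED, TP_DROP, TP_ARP_REPLY, TP_SYN_ACK };
struct tarpit_reply { enum tarpit_action act; uint32_t ack; };

/* Parse a dotted quad into a host-order uint32_t; 0 on malformed input. */
uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Append one "permit|deny addr [mask]" entry; a NULL mask means a host entry. */
int acl_add(struct acl *a, int permit, const char *addr, const char *mask)
{
    if (a->n >= (int)(sizeof a->e / sizeof a->e[0])) return -1;
    a->e[a->n].addr = ip4(addr);
    a->e[a->n].mask = mask ? ip4(mask) : 0xffffffffu;
    a->e[a->n].permit = permit;
    a->n++;
    return 0;
}

/* First matching entry wins.  No match: opposite of the last entry (assumed),
 * so a permit-only list matches nothing else, a deny-only list everything else. */
int acl_match(const struct acl *a, uint32_t ip)
{
    for (int i = 0; i < a->n; i++)
        if ((ip & a->e[i].mask) == (a->e[i].addr & a->e[i].mask))
            return a->e[i].permit;
    return a->n ? !a->e[a->n - 1].permit : 0;
}

/* Stateless tarpit decision for one frame seen on the DSR interface. */
struct tarpit_reply tarpit_decide(const struct acl *tarpit_acl, const struct frame *f)
{
    struct tarpit_reply r = { TP_NOT_TARPITTED, 0 };
    if (!acl_match(tarpit_acl, f->dst_ip))
        return r;                   /* real address: leave it to normal DSR processing */
    switch (f->kind) {
    case FRAME_ARP_REQUEST:
        r.act = TP_ARP_REPLY;       /* claim the address so the scanner proceeds to TCP */
        break;
    case FRAME_TCP:
        if ((f->tcp_flags & (TH_SYN | TH_ACK)) == TH_SYN) {
            r.act = TP_SYN_ACK;     /* answer the SYN; nothing is remembered afterwards */
            r.ack = f->seq + 1;     /* acknowledge the peer's initial sequence number */
        } else {
            r.act = TP_DROP;        /* ACK, data, FIN, RST: ignored, so the client retransmits */
        }
        break;
    default:
        r.act = TP_DROP;
    }
    return r;
}

/* The page's first example: acl 1 permit 192.168.2.11 */
void page_acl_permit(struct acl *a)
{
    memset(a, 0, sizeof *a);
    acl_add(a, 1, "192.168.2.11", NULL);
}

/* The page's second example: deny the four real hosts, tarpit the rest */
void page_acl_deny(struct acl *a)
{
    memset(a, 0, sizeof *a);
    acl_add(a, 0, "192.168.2.1", NULL);
    acl_add(a, 0, "192.168.2.2", NULL);
    acl_add(a, 0, "192.168.2.3", NULL);
    acl_add(a, 0, "192.168.2.10", NULL);
}

int main(void)
{
    static const char *names[] = { "not tarpitted", "drop", "ARP reply", "SYN+ACK" };
    struct acl a;
    page_acl_permit(&a);
    /* constructed frames replaying the hanging curl session against 192.168.2.11 */
    struct frame seq[] = {
        { FRAME_ARP_REQUEST, ip4("192.168.2.11"), 0, 0 },
        { FRAME_TCP, ip4("192.168.2.11"), TH_SYN, 1000 },
        { FRAME_TCP, ip4("192.168.2.11"), TH_ACK, 1001 },   /* client's handshake ACK */
        { FRAME_TCP, ip4("192.168.2.11"), TH_ACK, 1001 },   /* HTTP request, retransmitted */
        { FRAME_TCP, ip4("192.168.2.10"), TH_SYN, 2000 },   /* legitimate request */
    };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        struct tarpit_reply r = tarpit_decide(&a, &seq[i]);
        printf("frame %zu -> %s", i, names[r.act]);
        if (r.act == TP_SYN_ACK) printf(" ack=%u", r.ack);
        printf("\n");
    }
    return 0;
}
```

The distinction between TP_NOT_TARPITTED and TP_DROP is the point of the model: a frame for a legitimate address is handed to the normal load-balancing path, while everything after the SYN+ACK for a tarpitted address is silently dropped, which is why no connection state is needed and why the curl session above hangs on retransmissions.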


Pen 0.31.1 released

Available here:

http://siag.nu/pub/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

Two bugfixes. The first addresses failover, see issue #19 on Github.
The second addresses how the emergency server is used.

Full list of changes from 0.31.0:

151105 Released 0.31.1.

151103 In failover_server: sanity checks to failover routine.

151102 In add_client: add the initial server to .client as well as .initial.

151029 In failover_server: changed abuse_server to ABUSE_SERVER and emerg_server
to EMERG_SERVER, to handle their default NO_SERVER values.
See issue #19 on Github.
