Re: SSH Brute force attacks


> I managed to get TARPIT in my kernel.
> But I decided against using it.
>
> Doesn't TARPIT use / create unnecessary overhead?

No, quite the contrary. TARPIT takes a connection directly into the connected state (SYN, SYN-ACK, ACK) and releases all resources used in the kernel for the connection to prevent a resource DoS on your system. The only thing that you need to be aware of is that if you are using connection tracking, conntrack will by default keep track of any connection that you TARPIT. To get around this I would recommend that you match the traffic that you are wanting to TARPIT in the raw table PREROUTING chain and send it to the NOTRACK target to prevent connection tracking from consuming resources.

Here is a snippet from the kernel source about TARPIT:

"Adds a TARPIT target to iptables, which captures and holds incoming TCP connections using no local per-connection resources.  Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds.  Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes."

I sent a new version of the original script to the list early this morning that fixed some (major (gulp)) bugs.  I'll take a look at it again and see if I can't incorporate some code that will catch the traffic in the raw table's PREROUTING chain to be able to NOTRACK the traffic.



Grant. . . .
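The raw-table NOTRACK plus filter-table TARPIT arrangement described in the reply above, written out as an added example (this is not the script Grant posted to the list, nor anything from the netfilter tree). It assumes sshd listens on tcp/22, that the running kernel and iptables build have the TARPIT target (in mainline it ships with xtables-addons, not the stock kernel), and that the addresses to tarpit are passed as arguments. The script generates an iptables-restore fragment rather than calling iptables directly, so it can be inspected before being loaded with root privileges:

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore
# fragment that TARPITs SSH connections from the given source addresses and
# keeps conntrack from tracking them.
#
# Assumptions: sshd on tcp/22 (override with SSH_PORT), TARPIT target
# available (xtables-addons), sources given as arguments, e.g.
#   tarpit_rules 192.0.2.10 198.51.100.7 > /etc/iptables/tarpit.rules
# The addresses used in the usage line are documentation (TEST-NET) ranges.

SSH_PORT=${SSH_PORT:-22}

# Emit the ruleset on stdout. Order matters: the raw/PREROUTING chain runs
# before conntrack allocates a state entry, so NOTRACK there means the
# tarpitted flow never occupies a slot in the conntrack table; the filter
# rule then hands every packet of the flow to TARPIT.
tarpit_rules() {
    printf '%s\n' '*raw'
    for src in "$@"; do
        printf '%s\n' "-A PREROUTING -p tcp -s $src --dport $SSH_PORT -j NOTRACK"
    done
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter'
    for src in "$@"; do
        # Must match the whole flow, not just --syn: TARPIT has to answer
        # every packet to keep the remote side stuck in the persist state.
        printf '%s\n' "-I INPUT 1 -p tcp -s $src --dport $SSH_PORT -j TARPIT"
    done
    printf '%s\n' 'COMMIT'
}

# Count the rules on stdin that jump to a given target (used for checks).
count_target() {
    grep -c -- "-j $1"
}

# Load the generated rules without flushing existing tables (needs root).
apply_tarpit_rules() {
    tarpit_rules "$@" | iptables-restore --noflush
}
```

Two things to keep in mind when loading this. The filter rule is inserted at the top of INPUT on purpose: packets that were NOTRACKed carry the conntrack state UNTRACKED, so a typical `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule will not accept them and a default DROP policy would eat them before TARPIT ever saw them. On current iptables the NOTRACK target is an alias for `-j CT --notrack`; either spelling works in the raw table.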

