I - Overview :
Jamd is a small Perl daemon that tarpits port scanners, spammers, script kiddies and connection-hogging DoS tools such as slowloris.
The tarpit technique is already well known from tools like LaBrea and the iptables TARPIT target (xtables-addons). Jamd uses the same concept but makes it simpler :
- portability : it works on any Linux distribution and on FreeBSD, probably on the other BSDs, and possibly on Mac OS.
- plug'n'play : it can be started and stopped easily, there is nothing to compile or patch.
II - Parameters :
options :
- --stop : stop the daemon.
- --help : display this help.
- --debug : run in debug mode (verbose, no daemon).
- --test : simulation (same as debug but does not send any packet).
- --nopromisc : do not use promiscuous mode.
- --interface <if> : network interface to listen on.
- --stats : display stats.
TCP parameters :
- --source <IP> : source IP (the remote host being tarpitted, the "victim" of the tarpit).
- --sport <src_port> : source port.
- --destination <IP> : destination IP (your server).
- --dport <dest_port> : destination port.
'--dport' and '--sport' accept a single port ('--dport 25'), a list of ports ('--dport 25,80,81') or a port range ('--dport 25-81').
To run jamd, you need at least to give your network interface and one IP or port (source or destination) as command line parameters.
III - Perl modules needed :
The following Perl modules are needed to run jamd (which has to run as root, since it needs raw sockets to send packets and packet capture to read them) :
- Net::RawIP : needed to create and send packets.
- Net::Pcap : needed to capture packets.
- NetPacket::Ethernet : needed to decode the captured frames down to the TCP/IP headers.
- Getopt::Long : needed for command line parameters.
IV - Using jamd :
When using jamd, you must ensure that your server will not reply to any request you are willing to tarpit. Otherwise the kernel answers those SYNs itself (with a RST on a closed port, or by completing the handshake on an open one) and the tarpit never takes hold. This usually implies adding a rule to the server firewall that drops those packets; jamd still sees them, because libpcap captures a packet before the firewall discards it. Under Linux, iptables can be used with the '-j DROP' action (see below); on FreeBSD a block rule in pf or ipfw does the same job.
Here is a short and non-exhaustive list of jamd usages. In every case the firewall rule goes in first and jamd is started second. Note that iptables writes a port range as 137:139 while jamd writes it as 137-139.

- tarpit a port range (ex : ports 137 to 139 of 1.2.3.4) :
1) block those 3 ports with iptables (Linux) :
# iptables -I INPUT -i eth0 -d 1.2.3.4 -p tcp --dport 137:139 -j DROP
2) run jamd (port range) :
# jamd --interface eth0 --destination 1.2.3.4 --dport 137-139

- tarpit every connection attempt to an IP (the rule below drops all traffic to 1.2.3.4, so use an address that serves nothing else) :
1) block any access to that IP :
# iptables -I INPUT -i eth0 -d 1.2.3.4 -j DROP
2) run jamd :
# jamd --interface eth0 --destination 1.2.3.4

- tarpit a list of ports (ex : ports 21 and 110 of 1.2.3.4) :
1) block any access to those 2 ports :
# iptables -I INPUT -i eth0 -d 1.2.3.4 -p tcp -m multiport --dports 21,110 -j DROP
2) run jamd (multiports) :
# jamd --interface eth0 --destination 1.2.3.4 --dport 21,110

- turn a slowloris-type attack back on the attacker (ex : 2.2.2.2 is holding 2000 sockets open on your web server 1.2.3.4) :
1) block his access to port 80 :
# iptables -I INPUT -i eth0 -s 2.2.2.2 -p tcp --dport 80 -j DROP
2) run jamd :
# jamd --interface eth0 --destination 1.2.3.4 --dport 80 --source 2.2.2.2
3) restart Apache to cool it down and close all those open sockets. Within a few seconds, and without even noticing the change, the attacker becomes the victim : his reconnections are now answered by jamd, so those 2000 sockets stay open on his machine only, not on yours. The result is more or less equivalent to a reverse "netkill" DoS attack.

- trap spammers' address harvesters :
1) create a subdomain (ex : jamd.domain.com), point it to your IP (an A record) and add an MX record :
jamd.domain.com. IN MX 10 jamd.domain.com.
2) insert / hide tons of fake email addresses inside the HTML pages of your website (ie : hello@jamd.domain.com, eatme@jamd.domain.com, spamsucks@jamd.domain.com etc).
3) block any access to port 25 of that IP (this drops every SMTP connection to 1.2.3.4, so the subdomain must not point at the IP of your real mail server) :
# iptables -I INPUT -i eth0 -d 1.2.3.4 -p tcp --dport 25 -j DROP
4) run jamd :
# jamd --interface eth0 --destination 1.2.3.4 --dport 25
Spammers will be pleased to collect all those email addresses and to get jammed on your port 25.
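The firewall-then-jamd pairing used in every usage above, as an added shell helper that is not part of jamd : it takes one jamd-style port spec ('25', '25,80,81' or '25-81', the syntax of '--dport' from section II), validates it, and prints the matching iptables DROP rule and jamd command line so the two never drift apart (iptables writes a range as 137:139, jamd as 137-139). The function names (port_match, tarpit_plan, check_drop), the interface and the addresses are assumptions made for this example; check_drop uses 'iptables -C', which needs root and an iptables recent enough to have '-C', and the printed plan itself executes nothing.

```shell
#!/bin/sh
# Added example, not part of jamd: keep the iptables DROP rule and the jamd
# command line in sync for one jamd-style port spec ('25', '25,80,81', '25-81').
# Function and variable names are assumptions made for this example.

# port_match SPEC -> print the iptables port match for SPEC, return 1 on bad input
port_match() {
    spec=$1
    # accept a single port, a comma-separated list, or one 'a-b' range; nothing else
    printf '%s\n' "$spec" | grep -Eq '^[0-9]+(,[0-9]+)*$|^[0-9]+-[0-9]+$' || return 1
    # every number must be a valid TCP port
    for p in $(printf '%s' "$spec" | tr ',-' '  '); do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    case $spec in
        *,*) printf '%s' "-m multiport --dports $spec" ;;   # list -> multiport match
        *-*) lo=${spec%-*}; hi=${spec#*-}                   # range: jamd 'a-b', iptables 'a:b'
             [ "$lo" -lt "$hi" ] || return 1
             printf '%s' "--dport $lo:$hi" ;;
        *)   printf '%s' "--dport $spec" ;;                  # single port
    esac
}

# tarpit_plan IFACE DST_IP SPEC [SRC_IP] -> print the DROP rule, then the jamd line
tarpit_plan() {
    iface=$1; dst=$2; spec=$3; src=$4
    match=$(port_match "$spec") || { echo "bad port spec: $spec" >&2; return 1; }
    # an optional attacker address (jamd --source) becomes iptables -s
    src_match=${src:+-s $src }
    printf 'iptables -I INPUT -i %s %s-d %s -p tcp %s -j DROP\n' \
        "$iface" "$src_match" "$dst" "$match"
    printf 'jamd --interface %s --destination %s --dport %s%s\n' \
        "$iface" "$dst" "$spec" "${src:+ --source $src}"
}

# check_drop IFACE DST_IP SPEC -> 0 if that DROP rule is already loaded (root only)
check_drop() {
    match=$(port_match "$3") || return 1
    # shellcheck disable=SC2086  # $match is meant to split into several arguments
    iptables -C INPUT -i "$1" -d "$2" -p tcp $match -j DROP 2>/dev/null
}

# usage: print the plan for the port-range case from section IV
tarpit_plan eth0 1.2.3.4 137-139
```

Run 'check_drop eth0 1.2.3.4 137-139' as root before starting jamd : a non-zero exit means the DROP rule is missing and the kernel would answer the SYNs itself.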