Typically, an Nmap scan will scan the low-numbered privileged ports such as ports 1-1023, since these are where most services will listen for connections. Common services an attacker might hope to find include FTP (21), SSH (22), SMTP (25), and HTTP (80), all within this range. Because of this, our tarpit script will focus on this range.
The approach is simple: open every otherwise unused port in the range and do nothing with it. This has two consequences: a simple connect scan will report every port as open and yield no useful information, while a fingerprinting scan will wait on each port in the range until its maximum timeout, since our listening program never replies. Scans therefore either return useless information or are slowed dramatically, and scanners configured with a low per-port timeout may also produce inaccurate results. While this will not stop a serious attacker, it will stave off wide-area scans of your network and anyone with only an elementary knowledge of network security.
Here is a simple implementation in Perl:

#!/usr/bin/perl -w
use strict;
use IO::Socket;

# Hold one listening socket per privileged port so the ports show as open
# but never get a reply. A port already bound by a real service makes the
# constructor return undef with "Address already in use"; we just move on.
my @port = ();
for (1..1023) {
    $port[$_] = IO::Socket::INET->new(
        Proto     => 'tcp',
        LocalPort => $_,
        Listen    => SOMAXCONN,
        Reuse     => 1);
    next if $! =~ /already in use/i;
}
sleep 10 while 1;    # keep the process, and therefore its sockets, alive
This script must be run as root to access the privileged ports. It should also be noted that while this script is active, no new services can be started in the privileged port range. This tends not to be an issue with already-configured servers as services aren't usually changed, but stopping the script while a new service is added is trivial.
A more advanced script could also detect when a single IP connects several times on different ports (this is safe because no legitimate user will connect to any of the ports listened to by the script) and add that IP to a systemwide blacklist or software firewall deny list.
If an attacker decides to DDoS the script, the unread data sent to its sockets will accumulate in memory, since the script never reads from them. If this is a concern, have the script occasionally read from the sockets and discard the data, or simply restart it periodically.
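The two refinements above (flagging a source that touches several tarpit ports, and draining sockets so unread data cannot pile up) together, as an added example in Python rather than the post's Perl; this is not the author's code. ScanTracker, open_tarpit, serve, and the 3-ports-in-60-seconds threshold are assumptions chosen for illustration, and the on_flag hook is where an administrator would call their own firewall tooling.

```python
import select
import socket
import time
from collections import defaultdict


class ScanTracker:
    """Track which distinct tarpit ports each source IP has touched.

    Any connection to a tarpit port is suspicious by construction (no real
    service listens there), so a source that hits several different ports
    within the window is flagged once and handed to the caller, who can
    then add it to a firewall deny list. Threshold and window are assumed
    values, not taken from the original post.
    """

    def __init__(self, threshold=3, window=60.0):
        self.threshold = threshold      # distinct ports before flagging
        self.window = window            # seconds a port hit stays counted
        self._hits = defaultdict(dict)  # ip -> {port: last_seen}
        self.flagged = set()

    def record(self, ip, port, now=None):
        """Register a connection; return True the moment `ip` crosses the threshold."""
        now = time.monotonic() if now is None else now
        ports = self._hits[ip]
        ports[port] = now
        # Forget ports not touched within the window, so a slow trickle from a
        # shared NAT address over days does not accumulate into a false flag.
        for stale in [p for p, t in ports.items() if now - t > self.window]:
            del ports[stale]
        if ip not in self.flagged and len(ports) >= self.threshold:
            self.flagged.add(ip)
            return True
        return False


def open_tarpit(ports):
    """Bind and listen on every port we can; skip ports a real service holds."""
    listeners = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("0.0.0.0", port))
        except OSError:        # EADDRINUSE or EACCES: leave it to the real service
            s.close()
            continue
        s.listen(socket.SOMAXCONN)
        s.setblocking(False)
        listeners.append(s)
    return listeners


def serve(listeners, tracker, on_flag, run_seconds=None):
    """Accept connections, never send a byte back, and drain whatever clients
    send so unread data cannot pile up in kernel socket buffers."""
    listener_set = set(listeners)
    clients = {}   # accepted socket -> source ip
    deadline = None if run_seconds is None else time.monotonic() + run_seconds
    while deadline is None or time.monotonic() < deadline:
        readable, _, _ = select.select(listeners + list(clients), [], [], 1.0)
        for s in readable:
            if s in listener_set:
                conn, (ip, _) = s.accept()
                conn.setblocking(False)
                clients[conn] = ip
                if tracker.record(ip, s.getsockname()[1]):
                    on_flag(ip)
                continue
            try:
                data = s.recv(4096)   # read and discard; we never answer
            except BlockingIOError:
                continue
            except OSError:
                data = b""
            if not data:              # peer closed or errored: release the socket
                s.close()
                del clients[s]


if __name__ == "__main__":
    import sys
    # Default to the privileged range the post targets; binding it needs root.
    # Pass two numbers to test on an unprivileged range instead.
    lo, hi = (int(sys.argv[1]), int(sys.argv[2])) if len(sys.argv) == 3 else (1, 1023)
    listeners = open_tarpit(range(lo, hi + 1))
    print(f"tarpit listening on {len(listeners)} ports in {lo}-{hi}")
    serve(listeners, ScanTracker(),
          lambda ip: print(f"DENY {ip}  # hand this to your firewall deny list"))
```

Accepting and draining connections, rather than leaving them in the kernel's backlog as the Perl version does, is what keeps memory flat under a flood; the tracker's window also means an address is judged on recent behaviour only, which matters when many users share one NAT address.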
1 comment:
I was wondering if you had any performance comparisons for nmap scans against a host with this script running versus a host with just a few ports open.