Netgate Discussion Forum
    Pfctl + route-to (redirecting bot drones to a tarpit)

    RTO-IT

      We would like to redirect bot drones DDoSing us to a tarpit instead of just dropping them.

      Blocking them by abusing the snort2c table via ssh rexecs from our traffic analysing server works fine, but now we want to increase the price they have to pay for attacking us. :)

      "ssh root@our.pfsense 'pfctl -t snort2c -T add drone.ip'" works fine, but what do we have to send in order to reroute them with a route-to?

      Cry Havok

        Remember that the drone isn't under the ownership of the bot-master. They don't care if you cause a problem for those who are part of the botnet (in most cases they'll be compromised PCs).

        RTO-IT

          @Cry:

          Remember that the drone isn't under the ownership of the bot-master. They don't care if you cause a problem for those who are part of the botnet (in most cases they'll be compromised PCs).

          I am absolutely aware of this. But tarpitting the drones will cost them, since otherwise careless PC owners will have a look at what is wrong if their systems are less usable.

          If you drive with broken brakes there is no insurance…

          Any idea how to manually insert a route-to rule?

          cmb

            Assuming you're using 1.2.3, you'll have to manually edit filter.inc to accomplish that. The easiest way would be to add a new table for hosts you want to route-to, manually specify the route-to rule, and then manually add the hosts the same way you are with the snort2c table.

            For instance if you open up filter.inc and go down right below the snort2c table, you can insert something like:

            # redirect bots
            table <redirectbots>
            # route-to on FreeBSD pf takes "( interface gateway )"; em0 is a placeholder
            # for the interface that reaches the tarpit at 1.2.3.4
            pass in quick route-to ( em0 1.2.3.4 ) from <redirectbots> to any

            Then run:
            /etc/rc.filter_configure_sync
            pfctl -f /tmp/rules.debug

            The first reloads the ruleset, the second makes it more clear if you made a typo of some sort. You'll probably want to edit /tmp/rules.debug first, then run the pfctl -f on it to ensure it loads cleanly, then add to filter.inc so it's always there after a filter reload.

            Then add the hosts to the redirectbots table.

            Though I agree with CryHavok, I don't think that's going to accomplish anything, the chances of that slowing down a bot-infested PC to the point that a user would notice are pretty slim.

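Added example, not from the thread or from pfSense itself: a wrapper for the analysis-server side of the workflow (the first post's `ssh root@our.pfsense 'pfctl -t ... -T add ip'`, pointed at the redirectbots table from cmb's snippet), which also validates the address before it is placed on a remote command line, and wraps the parse-only ruleset check cmb recommends before committing a filter.inc edit. The host root@our.pfsense and the table name are placeholders taken from the thread; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the thread). Wrapper the traffic-analysis box can
# run instead of a hand-built "ssh root@our.pfsense 'pfctl -t ... -T add ip'".
# Placeholders: the host root@our.pfsense and the table name redirectbots
# (from cmb's snippet); override them via the environment.
PFSENSE_HOST="${PFSENSE_HOST:-root@our.pfsense}"
PF_TABLE="${PF_TABLE:-redirectbots}"

# Accept only a dotted-quad IPv4 address with every octet in 0-255. The value
# comes out of log/flow analysis, so anything else (including shell
# metacharacters) must never reach the remote command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# The exact pfctl command that will run on the firewall (add, delete, show).
table_cmd() {
    printf 'pfctl -t %s -T %s%s' "$PF_TABLE" "$1" "${2:+ $2}"
}

# Parse-only check of the generated ruleset (pfctl -n parses without loading),
# the safe way to try a filter.inc edit before a real reload.
check_rules() {
    ssh "$PFSENSE_HOST" 'pfctl -nf /tmp/rules.debug'
}

# Validate, then push the address into the table. With DRY_RUN=1 the command
# is only printed, so the logic can be exercised without a firewall.
tarpit_add() {
    is_ipv4 "$1" || { echo "refusing non-IPv4 input: $1" >&2; return 2; }
    cmd=$(table_cmd add "$1")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: ssh $PFSENSE_HOST '$cmd'"
    else
        ssh "$PFSENSE_HOST" "$cmd"
    fi
}
```

Call `check_rules` after editing /tmp/rules.debug and `tarpit_add <ip>` from the analysis job; `table_cmd show` gives the command for listing the table's current entries.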
            RTO-IT

              @cmb:

              Though I agree with CryHavok, I don't think that's going to accomplish anything, the chances of that slowing down a bot infested PC to the point that a user would notice are pretty slim.

              THX a lot. At least it will be a new quest for my "friends"…

              If I can't stop them I need to feed them with some new surprises. :)

              Btw: Is there a working IDMS module for pfSense?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.