Pfctl + route-to (redirecting bot drones to a tarpit)



  • We would like to redirect bot drones DDoSing us to a tarpit instead of just dropping them.

    Blocking them by abusing the snort2c table via ssh rexecs from our traffic analysing server works fine, but now we want to increase the price they have to pay for attacking us. :)

    "ssh root@our.pfsense 'pfctl -t snort2c -T add drone.ip'" works fine, but what do we have to send in order to reroute them with a route-to?



  • Remember that the drone isn't under the ownership of the bot-master. They don't care if you cause a problem for those who are part of the botnet (in most cases they'll be compromised PCs).



  • @Cry:

    Remember that the drone isn't under the ownership of the bot-master. They don't care if you cause a problem for those who are part of the botnet (in most cases they'll be compromised PCs).

    I am absolutely aware of this. But tarpitting the drones will cost them drones, since otherwise careless PC owners will have a look at what is wrong if their systems are less usable.

    If you drive with broken brakes there is no insurance…

    Any idea how to manually insert a route-to rule?



  • Assuming you're using 1.2.3, you'll have to manually edit filter.inc to accomplish that. The easiest way would be to add a new table for hosts you want to route-to, manually specify the route-to rule, and then manually add the hosts the same way you are with the snort2c table.

    For instance if you open up filter.inc and go down right below the snort2c table, you can insert something like:

    # redirect bots
    table <redirectbots>
    pass in quick route-to 1.2.3.4 from <redirectbots> to any

    Then run:
    /etc/rc.filter_configure_sync
    pfctl -f /tmp/rules.debug

    The first reloads the ruleset, the second makes it more clear if you made a typo of some sort. You'll probably want to edit /tmp/rules.debug first, then run the pfctl -f on it to ensure it loads cleanly, then add to filter.inc so it's always there after a filter reload.

    Then add the hosts to the redirectbots table.

    Though I agree with CryHavok, I don't think that's going to accomplish anything; the chances of that slowing down a bot-infested PC to the point that a user would notice are pretty slim.
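    As an added example (not cmb's code and not part of pfSense), a small sh helper that emits the table/route-to fragment described above, runs pfctl's parse-only check on a rules file, and validates drone addresses before they are spliced into the "ssh root@our.pfsense 'pfctl -t ... -T add ...'" command from the opening post, so an unchecked string from the traffic analyser cannot become extra shell on the firewall. The redirectbots table and the 1.2.3.4 gateway come from cmb's rule; the em0 interface name and the /tmp/rules.debug path are assumptions, and the rule is written as route-to (interface gateway) because pf on FreeBSD of that era expects the outbound interface alongside the gateway.

```shell
#!/bin/sh
# Added example: helpers around the route-to tarpit rule from the thread.
TABLE=redirectbots
TARPIT_IF=${TARPIT_IF:-em0}         # assumed interface name, substitute your own
TARPIT_GW=${TARPIT_GW:-1.2.3.4}     # gateway from cmb's example rule
RULES=${RULES:-/tmp/rules.debug}    # assumed pfSense 1.2.3 ruleset path

# Print the fragment that goes below the snort2c table in filter.inc.
redirect_rules() {
    printf '# redirect bots\n'
    printf 'table <%s> persist\n' "$TABLE"
    printf 'pass in quick route-to (%s %s) from <%s> to any\n' \
        "$TARPIT_IF" "$TARPIT_GW" "$TABLE"
}

# Accept only a dotted-quad IPv4 address; everything else is rejected so that
# analyser output can never add options or commands to the pfctl invocation.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Build the pfctl command that adds one drone to the table (the same shape as
# the snort2c command in the opening post). Fails, printing nothing, on input
# that is not a plain IPv4 address.
add_drone_cmd() {
    is_ipv4 "$1" || return 1
    printf 'pfctl -t %s -T add %s\n' "$TABLE" "$1"
}

# Parse-only check of the ruleset (pfctl -n), run before a real pfctl -f.
check_rules() {
    pfctl -nf "${1:-$RULES}"
}
```

Run redirect_rules to get the text to paste, and pipe the output of add_drone_cmd into ssh only after it succeeds.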



  • @cmb:

    Though I agree with CryHavok, I don't think that's going to accomplish anything, the chances of that slowing down a bot infested PC to the point that a user would notice are pretty slim.

    THX a lot. At least it will be a new quest for my "friends"…

    If I can't stop them I need to feed them with some new surprises. :)

    Btw: Is there a working IDMS module for pfSense?

