The incredible lurking Pablo strikes again! I saw this bit on IRC an hour ago:
23:09 <ljlane> wow, read some really evil tarpitting stuff
23:10 <radsaq> really?
23:11 <ljlane> yeah, http://www.securityfocus.com/infocus/1723
23:11 <ljlane> tarpit just before your drop rule. tarpit all ports, tarpit unused nets, etc
Interesting stuff. That said, I still prefer Stephen's (Snow-Man's) more
draconian approach: hitting an invalid port lands you on an ipt_recent
list, and everything from your address is dropped for a few minutes.
Tarpitting is effective at slowing down and confusing a probe, but it
still answers the probe, so the scan finishes eventually and you are
still exposed to whatever it finds. The ipt_recent approach kills
automated port scans almost completely, and it does so without tying up
as many resources on the firewall.
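For reference, here is what the two rule layouts look like side by side. This is an added example written for this post; it is not Stephen's ruleset and not taken from the securityfocus article. Everything in it is assumed: eth0 as the outside interface, 22/tcp and 80/tcp as the only public services, a 300 second ban, a recent list named "scanners" and a chain named SCANBAN. TARPIT is not in a stock kernel; it comes from xtables-addons.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an iptables-restore
# ruleset for either the ipt_recent ban or the TARPIT layout, so the rules
# can be reviewed (and diffed) without root. All names below are mine:
#   WAN          outside interface (assumed eth0)
#   ALLOWED_TCP  ports that should actually answer (assumed 22 and 80)
#   BAN_SECONDS  how long a listed address is dropped (assumed 300)
#   scanners     the recent list; SCANBAN the chain that feeds it
WAN=${WAN:-eth0}
ALLOWED_TCP=${ALLOWED_TCP:-"22 80"}
BAN_SECONDS=${BAN_SECONDS:-300}

# gen_rules MODE   MODE is "recent" (the ipt_recent ban) or "tarpit".
# Apply with:  sh thisfile.sh recent | iptables-restore -n
gen_rules() {
    mode=${1:-recent}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SCANBAN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$mode" = recent ]; then
        # Placed BEFORE the service rules, so a listed host loses SSH and
        # HTTP as well, not just the probed port. --update refreshes the
        # timestamp on every hit, so a host that keeps probing keeps
        # extending its own ban.
        echo "-A INPUT -i $WAN -m recent --name scanners --update --seconds $BAN_SECONDS -j DROP"
    fi
    for p in $ALLOWED_TCP; do
        echo "-A INPUT -i $WAN -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything still here is a new connection to a port we do not serve,
    # i.e. a probe. Hand it to SCANBAN instead of the plain DROP policy.
    echo "-A INPUT -i $WAN -p tcp -m conntrack --ctstate NEW -j SCANBAN"
    echo "-A INPUT -i $WAN -p udp -m conntrack --ctstate NEW -j SCANBAN"
    if [ "$mode" = tarpit ]; then
        # TARPIT completes the handshake and then holds the connection
        # open with a zero window: the scanner sees "open" and waits.
        # Non-TCP cannot be tarpitted, so it just falls through to DROP.
        echo "-A SCANBAN -p tcp -j TARPIT"
        echo "-A SCANBAN -j DROP"
    else
        # Record the source address and drop the packet. The ban itself
        # is enforced by the --update rule at the top of INPUT.
        echo "-A SCANBAN -m recent --name scanners --set -j DROP"
    fi
    echo "COMMIT"
}

# Stand-alone use: print the ruleset for the requested mode.
case "${1:-}" in
    recent|tarpit) gen_rules "$1" ;;
esac
```

Two caveats before copying this onto a real box. First, the ban keys on source address alone, so anyone who can spoof a SYN from an address you care about (your own monitoring host, a peer's mail relay) can get that address dropped for BAN_SECONDS; put explicit ACCEPTs for such addresses above the --update rule. Second, the xtables-addons documentation recommends keeping TARPITted connections out of connection tracking (NOTRACK in the raw table), otherwise every held connection also holds a conntrack entry, which rather defeats the point of a stateless tarpit. The current list can be inspected in /proc/net/xt_recent/scanners (older kernels: /proc/net/ipt_recent/scanners).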