Chaostables was a research project looking at how to thwart and spoof network scanners, specifically nmap. The scanning patterns were analyzed, and the host was then modified to act unlike it normally does. Out of the endeavor came an 18-page documentation on how the scanned host can make life much harder for the scanner and firewall modules.

Special features include recognition of all nmap scan types including -sS SYN Scan, proactive slowdown of TCP and UDP (10000+%), and providing back fake nondeterministic information.

Three modules for the Linux Netfilter/iptables firewall, namely “DELUDE”, “CHAOS” and “TARPIT” were made. (The TARPIT module is based on an earlier work by Aaron Hopkins of the same name.) Later (2008-03-30), the modules were moved to the Xtables-addons source tree.

Have a look at the Detecting and deceiving network scans document for more information.

Resources