Talk:Tarpit (networking)

Singular preferred, disambig if necessary if anyone ever writes about tarpits... I mean, about the LaBrea... oh, you know what I mean. ;) -- John Owens 08:01 May 9, 2003 (UTC)

Tarpit = Teergrube?

Is this the same thing as Teergrube, or is a Teergrube one of several kinds of Tarpit? Could somebody explain how they relate to each other, or point out differences? If they are the same, the articles should be merged. If not, Teergrube should get a stub notice. Thanks in advance, Wikipeditor 17:56, 21 October 2005 (UTC)

They appear to be the identical thing. But as these are simply the German and English versions of the same concept with essentially the same information, shouldn't this just be moved to the German Wikipedia? --Happylobster 14:20, 4 December 2006 (UTC)

Is it okay to mention commercial implementations?

The article made mention of several open source tar pits, but few of them are in use at large sites.

I thought it would be useful to take some content from Stopping_e-mail_abuse and merge it into this article.

If this isn't appropriate, please go ahead and remove my edits.

When did it all start?

Labeling a section “The original tarpit idea” and then writing “Tom Liston developed the original tarpitting program ‘LaBrea’” may be misleading if it suggests that the concept of tarpits in general didn't exist before LaBrea.

Liston says “[t]he original concept for LaBrea started in response to the CodeRed worm”,[1] that is, not earlier than mid-July 2001, whereas Lutz Donnerhacke published a Teergruben FAQ as early as 1997-09-15. I don't know who originally came up with the idea, so perhaps somebody else can shed some light on the origins of tarpits. Wikipeditor 03:18, 12 April 2007 (UTC)

Note: While SMTP "teergruben" existed pre-2001, I believe that LaBrea was the first program to actively tarpit using TCP/IP trickery. I think some of the confusion here stems from the fact that SMTP tarpits and TCP/IP tarpits are two very different beasts. -Tom Liston —Preceding unsigned comment added by 209.172.181.150 (talk) 19:43, 7 December 2010 (UTC)

Is greylisting tarpitting?

I don't think the various SMTP approaches count as tarpits. A tarpit should actively try to hamper and delay malicious traffic, not just block or avoid it.

-k —Preceding unsigned comment added by 82.134.28.194 (talk) 07:59, 21 December 2007 (UTC)

The word "tarpit" is widely used in the SMTP community for what SMTP tarpitting does, which is to actively try to hamper and delay malicious traffic by tarpitting the SMTP sender. Incidentally, if traffic is identified as malicious, it may also be blocked or avoided, but the tarpit is the effect that the delays have on the sender.

MS Exchange SMTP tarpit

MS Exchange is another system that offers tarpitting (since 2003). The implementation is a little different from those listed here: since Exchange can identify individual good/bad mail addresses, Exchange can tarpit based on the name of the recipient. http://msexchangeteam.com/archive/2004/12/06/275851.aspx http://support.microsoft.com/kb/842851 —Preceding unsigned comment added by 218.214.18.240 (talk) 23:21, 13 September 2009 (UTC)

removed "(delays)...for as long as possible" from opening sentence

"as long as possible" sounds just wrong, or at least unclear and confusing, to me... Also added "purposefully".

If I missed something, please explain!

Also started the "SMTP tarpits" section with a helpful reference to another approach that was considered to battle spam, for some context.

JH-man (talk) 15:44, 21 November 2012 (UTC)

Background section detail is confusing

The Background section is confusing, especially with the phrase "Ophiomyia (number) is an agromyzid fly" in the example reply. Would it be technically correct to replace it with "This is the first reply in a series", "This is the second reply in a series", etc. and then add a note to the explanation line below the example that the total time spent waiting was 8 replies * 15 seconds = 2 minutes? Calebbell (talk) 17:10, 21 November 2012 (UTC)

DNSBL vs. "IP addresses"

Hey there, the code snippet (which is also referred to by Calebbell in his/her post above mine) appears a bit paradoxical to me, since it says 451 Your IP address is listed in the DNSBL. Please try again later.. Actually, this is technically incorrect: a DNS blacklist is supposed to contain DNSes ( = Domain Name Server!) and not IPs. DNSes are alphanumeric addresses, whilst IPs are numeric ones (IPv4: decimal vs. IPv6: hexadecimal). So the error message is a contradiction per se. -andy 77.190.13.164 (talk) 19:09, 8 December 2012 (UTC)

iptables TARPIT

The iptables TARPIT target does some more things than just silently dropping connections. There's an article on Symantec that details the inner workings (subsection "Solutions?"): If you e.g. set up a tarpit like

iptables -A INPUT -p tcp --dport 445 -j TARPIT

the following is going to happen:

Someone is attempting to connect to port 445 (CIFS) on the machine in question, so the TARPIT module detects an incoming SYN packet destined for said port. Instead of pushing the packet to the network stack, TARPIT intercepts it, spoofs a SYN/ACK packet and returns it - and also uses it to force the TCP window size to zero. The initiator, of course, answers with an ACK and considers the connection to be open. However, since the window size is 0, no traffic is sent. The initiator now attempts to get the window size increased, or alternatively attempts to close the connection (FIN), but neither of the two is answered. Eventually the initiator times out after 12 to 24 minutes and drops the connection.

Since no state is maintained on the recipient's side, it doesn't put any burden on its OS, but since the initiator has to maintain a connection state (ESTABLISHED along with any conntrack entries), that can quickly eat up all of its resources and so make it impossible to establish new connections, up to the point that some implementations could even crash.

The point is, where a simple DROP doesn't keep a rogue host busy for all too long (TCP timeout), the TARPIT can keep it busy for extended periods of time. However, in the brief note on the TARPIT target, this is missing and should IMO be added (maybe with a link to a more comprehensive explanation of TARPIT).

Robidu (talk) 21:01, 10 September 2019 (UTC)
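The exchange Robidu describes, modelled as an added example (not code from the post or from the xtables-addons TARPIT module): a stateless responder that answers a SYN with a window-0 SYN/ACK and ignores everything else, driven by a simplified client that tries to connect, send and close. The Segment fields, port numbers and state names are assumptions of the model; a plain DROP responder is included for comparison.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Segment:
    """Only the TCP header fields the tarpit decision depends on (simplified model)."""
    sport: int
    dport: int
    flags: str    # "S" SYN, "SA" SYN/ACK, "A" ACK (or window probe), "P" data, "F" FIN
    window: int

TARPIT_PORTS = {445}   # mirrors the post's rule: iptables -A INPUT -p tcp --dport 445 -j TARPIT

def tarpit_reply(seg: Segment) -> Optional[Segment]:
    """Stateless responder: a SYN to a tarpitted port gets a spoofed SYN/ACK with
    window 0; ACKs, window probes and FINs get nothing. No per-connection state is kept."""
    if seg.dport in TARPIT_PORTS and seg.flags == "S":
        return Segment(seg.dport, seg.sport, "SA", window=0)
    return None

def drop_reply(seg: Segment) -> Optional[Segment]:
    """Plain DROP for comparison: every segment vanishes."""
    return None

def initiator_run(responder: Callable[[Segment], Optional[Segment]]) -> dict:
    """Drive one client through connect, send and close against `responder`.
    Returns the client's final state, its view of the peer window and the trace."""
    trace, state, peer_window = [], "SYN_SENT", None

    def send(flags: str) -> Optional[Segment]:
        trace.append((">", flags))
        reply = responder(Segment(40000, 445, flags, window=65535))
        if reply is not None:
            trace.append(("<", reply.flags, reply.window))
        return reply

    reply = send("S")
    if reply is None or reply.flags != "SA":
        # nothing came back: the client retransmits the SYN and gives up after the SYN timeout
        return {"state": state, "peer_window": peer_window, "trace": trace}
    peer_window = reply.window
    send("A")                                # third handshake step: client believes it is connected
    state = "ESTABLISHED"
    send("A" if peer_window == 0 else "P")   # window 0: may only probe, cannot send data
    send("F")                                # tries to close; the FIN is never acknowledged
    state = "FIN_WAIT_1"                     # stuck here until the client's own timeout expires
    return {"state": state, "peer_window": peer_window, "trace": trace}
```

Only one segment ever leaves the tarpit side, while the client ends up holding an established-then-half-closed connection it cannot use or tear down.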

SSH Tarpits

SSH tarpits may be another kind of tarpit to mention on this page. Their purpose is to slow down malicious actors scanning and attacking any SSH server they find on the public internet by sending a garbage SSH banner incredibly slowly and thus prevent the rest of the ceremony needed for establishing a connection from happening. This forces attackers to waste at least one connection they would otherwise use against real SSH servers. Example implementations are endlesssh by skeeto and the `ssh-tarpit` PyPI package.

Jotoho (talk) 14:42, 29 October 2021 (UTC)
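The mechanism Jotoho describes, as an added example (not the code of endlesssh or of the ssh-tarpit package): an asyncio server that drips random pre-version lines, which RFC 4253 section 4.2 obliges an SSH client to skip as long as they are CRLF-terminated and do not begin with "SSH-", so the client keeps waiting for a version string that never arrives. The listen port and the delay between lines are assumed values.

```python
import asyncio
import random

LISTEN_PORT = 2222          # assumed port for this example; a deployment would use 22
LINE_DELAY_S = 10.0         # assumed pause between lines; the slowness is the whole point
ALPHABET = bytes(range(0x21, 0x7F))   # printable ASCII, no whitespace, no NUL

def is_ignorable_prelude(line: bytes) -> bool:
    """True if an SSH client must treat `line` as pre-version chatter (RFC 4253 section 4.2):
    CRLF-terminated and not starting with "SSH-"."""
    return line.endswith(b"\r\n") and not line.startswith(b"SSH-")

def banner_line(rng: "random.Random | None" = None) -> bytes:
    """One random 3..32 character line that keeps the client waiting for a real version line."""
    rng = rng or random.Random()
    body = bytes(rng.choice(ALPHABET) for _ in range(rng.randint(3, 32)))
    if body.startswith(b"SSH-"):       # astronomically rare, but never emit a real version line
        body = b"x" + body[1:]
    return body + b"\r\n"

async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Per-connection loop: write a line, wait, repeat until the peer gives up."""
    rng = random.Random()
    try:
        while True:
            writer.write(banner_line(rng))
            await writer.drain()          # raises once the peer has closed or reset
            await asyncio.sleep(LINE_DELAY_S)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        writer.close()

async def serve() -> None:
    server = await asyncio.start_server(handle, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```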