Tarpit, anybody?

Hi guys, I was just wondering about the feasibility of doing up a tarpit
in nginx (either in nginx source itself, or as a module). Has anybody
looked into this area, is looking into this area, or is interested in
looking into this area? Would this be feasible to implement inside of
nginx - or should it best be left to an external process outside of
nginx?

-jf


In the meantime, here is your PSA:
“It’s so hard to write a graphics driver that open-sourcing it would not help.”
– Andrew Fear, Software Product Manager, NVIDIA Corporation

Jeffery,

I am not sure if Nginx is the right place for a tarpit. Tarpitting on
the firewall may be a better solution so nginx can just handle web
traffic.

Iptables allows you to tarpit connections easily, but you will have to
manage a table of clients you want to slow down. The following rule
will tarpit all connections to port 80.

iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

PF (OpenBSD) does not yet have a tarpit ability for standard TCP
connections. Spamd will only work to tarpit mail servers.

There are also third-party apps like LaBrea or HoneyPot that will do
what you want.


Calomel @ https://calomel.org
Open Source Research and Reference

On Fri, Aug 1, 2008 at 9:18 PM, Calomel wrote:

> Jeffery,

thanks, but that’s Jeff-r-e-y, actually.

> I am not sure if Nginx is the right place for a tarpit. Tarpitting on
> the firewall may be a better solution so nginx can just handle web
> traffic.
>
> Iptables allows you to tarpit connections easily, but you will have to
> manage a table of clients you want to slow down. The following rule
> will tarpit all connections to port 80.
>
> iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

Let me describe the context of the application of tarpitting so that it
becomes clear. I am looking to tarpit only certain connections based on
certain criteria (otherwise, of course, why would I even bother to run
and use nginx to tarpit, right?).

I intend to use this to tarpit persistent blog spam. I have captchas
that work - but still, I’d like to be able to punish these guys - and
drive them out of even my logs.

> PF (OpenBSD) does not yet have a tarpit ability for standard TCP
> connections. Spamd will only work to tarpit mail servers.
>
> There are also third-party apps like LaBrea or HoneyPot that will do
> what you want.

I’m not so sure LaBrea, or HoneyPot can tarpit selectively. Or even if
they do, whether they can work in concert with an actual web server (so
that they can pass the legal connections onward, and things will still
work).

-jf


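
An added illustration, not from any poster in this thread: one way to tarpit only selected clients at the firewall, as discussed above, is to fill an ipset from the nginx access log and match that set in the TARPIT rule. The comment path, threshold, set name and log lines below are assumptions constructed for the example.

```shell
#!/bin/sh
# Assumed values (not from the thread): endpoint path, threshold, set name.
COMMENT_PATH="/wp-comments-post.php"   # hypothetical comment-submission URL
THRESHOLD=3                            # POSTs before a client is tarpitted
SET_NAME="tarpit_http"                 # hypothetical ipset name

# Read nginx "combined" log lines on stdin; print each client IP with at
# least THRESHOLD POSTs to COMMENT_PATH, one per line, sorted.
spam_sources() {
    awk -v path="$COMMENT_PATH" -v min="$THRESHOLD" '
        # $1 = client IP, $6 = quote plus method, $7 = request URI
        $6 == "\"POST" {
            uri = $7
            sub(/\?.*/, "", uri)      # ignore any query string
            if (uri == path) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Read IPs on stdin; print (do not run) commands that tarpit only them.
# Entries time out after an hour so a reassigned address is released.
emit_rules() {
    echo "ipset create -exist $SET_NAME hash:ip timeout 3600"
    while read -r ip; do
        case "$ip" in
            ""|*[!0-9.]*) continue ;;   # accept only digits and dots
        esac
        echo "ipset add -exist $SET_NAME $ip"
    done
    echo "iptables -A INPUT -p tcp --dport 80 -m set --match-set $SET_NAME src -j TARPIT"
}

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [01/Aug/2008:21:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Aug/2008:21:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Aug/2008:21:00:03 +0000] "POST /wp-comments-post.php?x=1 HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [01/Aug/2008:21:01:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [01/Aug/2008:21:02:00 +0000] "GET /wp-comments-post.php HTTP/1.1" 405 0 "-" "-"
192.0.2.44 - - [01/Aug/2008:21:02:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "-"
EOF
}

# Show the generated commands for the sample; review before applying as root.
sample_log | spam_sources | emit_rules
```

The TARPIT target is provided by xtables-addons, and the rule has to sit ahead of whatever rule accepts port 80 traffic for the set match to take effect.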