Does TARPIT have any known vulnerabilities or downsides?
Summary
- You have to ensure you don’t accidentally DOS your server w/ tarpit traffic
- You have to ensure you don’t fill up your state tables w/ tarpitted connection info
- You have to ensure you don’t flood your logs with tarpit connection information
- You need to ensure a long blacklist doesn’t affect performance
- You need to ensure that your blacklist automatically expires hosts
- You need the ability to whitelist hosts (either permanently or with time-limit)
Thankfully this is all possible, and quite easy using regular iptables and ipset.
Limiting TARPIT resource usage
You can use iptables to limit how many hosts you TARPIT without using too many system resources. See example below. This includes network bandwidth, system memory, state table entries, and other system resources. Get too many tarpitted connections, start ignoring them. If you organize your rule set in the correct order, none of the tarpitted connections end up in your state tables. Also make sure you don’t log, unless you’re doing real-time stats with something like a custom ulog — direct iptables tarpit logs can quickly fill up a disk.
In my experience my current hosts can easily hold 200+ hosts in a tarpit, with little noticeable effect on memory usage, traffic usage, or CPU usage. Likely I could push this further, but so far on average I’m only trapping around 130 hosts at any given moment.
The reason why I implemented the limits was, as stated in another suggestion, because my first tarpit host became flooded. This was a trivial workaround. I’ve had no issues since.
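Added example (not the answer author's own rules): a script that generates an iptables + ipset rule set with the properties listed in the summary, i.e. a hard cap on tarpitted hosts, tarpitted and blacklisted traffic kept out of conntrack, no logging, auto-expiring entries, and a whitelist with optional per-host expiry. It assumes the xtables-addons TARPIT target is installed; the chain name, set names, sizes, timeouts and the example IP are assumptions chosen for illustration.

```shell
#!/bin/sh
# Generates (and optionally applies) a resource-bounded TARPIT rule set.
# Run with "apply" as the first argument to feed the commands to a root shell.
TARPIT_MAX="${TARPIT_MAX:-256}"          # cap on hosts tarpitted at once (assumed)
TARPIT_TTL="${TARPIT_TTL:-3600}"         # seconds a host stays in the tarpit set
BLACKLIST_TTL="${BLACKLIST_TTL:-86400}"  # seconds a host stays blacklisted

# Print the commands rather than executing them, so the set can be reviewed
# before it touches a live firewall. Note there is deliberately no LOG rule.
tarpit_rules() {
  cat <<EOF
ipset -exist create whitelist hash:ip timeout 0
ipset -exist create blacklist hash:ip timeout $BLACKLIST_TTL maxelem 65536
ipset -exist create tarpit hash:ip timeout $TARPIT_TTL maxelem $TARPIT_MAX
iptables -t raw -A PREROUTING -m set --match-set tarpit src -j CT --notrack
iptables -t raw -A PREROUTING -m set --match-set blacklist src -j CT --notrack
iptables -N TARPIT_CHECK
iptables -A TARPIT_CHECK -m set --match-set whitelist src -j RETURN
iptables -A TARPIT_CHECK -p tcp -m set --match-set tarpit src -j TARPIT
iptables -A TARPIT_CHECK -p tcp -m set --match-set blacklist src -j SET --add-set tarpit src
iptables -A TARPIT_CHECK -m set --match-set blacklist src -j DROP
iptables -I INPUT 1 -j TARPIT_CHECK
EOF
}
# Rule order matters: the whitelist returns first; known tarpit hosts are tarpitted
# (TCP only, which is all TARPIT handles); other blacklisted hosts are promoted into
# the tarpit set, which silently fails once maxelem is reached, so they fall through
# to DROP ("start ignoring them"). The raw-table CT --notrack rules plus inserting the
# chain at position 1 of INPUT, ahead of any conntrack ACCEPT rule, keep these
# connections out of the state table. Timeouts expire entries automatically.

# Command to whitelist a host permanently, or for $2 seconds when given.
whitelist_cmd() {
  printf 'ipset -exist add whitelist %s%s\n' "$1" "${2:+ timeout $2}"
}

# Command to blacklist a host; the set's default timeout applies.
blacklist_cmd() {
  printf 'ipset -exist add blacklist %s\n' "$1"
}

if [ "${1:-}" = apply ]; then
  tarpit_rules | sh -e
  # 203.0.113.5 is a documentation-range placeholder, not a real host.
  whitelist_cmd 203.0.113.5 600 | sh -e
fi
```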