Skip to content

Tarpit support in Pen

Ulric edited this page Nov 23, 2015 · 2 revisions

Pen 0.32 will have built-in tarpit support in its Direct Server Return mode. The feature is enabled by specifying an access control list against which incoming requests are matched. Matching destination addresses will make Pen do two things:

  1. Reply to ARP requests to such addresses.
  2. Reply to TCP SYN with SYN+ACK.

The idea behind tarpitting is to slow down network scanning by giving lots of false positives. Pen does this with very little load and without having to manage any state.

Here is an example command line.

pen -df -O "acl 1 permit 192.168.2.11" -O "tarpit_acl 1" -O "dsr_if eth1" 192.168.2.10:80 192.168.2.2 192.168.2.3

Let's go through that option by option.

acl 1 permit 192.168.2.11 creates an entry in access list 1 which matches IP address 192.168.2.11. All other IP addresses will be rejected, i.e. ignored.

tarpit_acl 1 makes Pen use access list 1, the one with 192.168.2.11 as its sole entry, to match destination addresses.

dsr_if eth1 makes Pen use eth1 as the network interface where all direct server return processing is performed.

192.168.2.10:80 is the address and port where Pen listens for legitimate requests. They will be forwarded to the backend servers.

192.168.2.2 and 192.168.2.3 are the backend servers. They have web servers listening on port 80 and IP address 192.168.2.10 configured on a loopback interface. See the Wiki.

Let's try making a legitimate request.

ulric@debtest:~/Git/pen$ curl http://192.168.2.10/cgi-bin/remote_addr
192.168.1.1

That worked fine. Frames from us go to Pen, Pen forwards them to one of the web servers, the web server replies directly to us. In Wireshark we see:

dsr

But what happens when we try the same thing on a tarpitted address?

ulric@debtest:~/Git/pen$ curl http://192.168.2.11/cgi-bin/remote_addr
^C

It just hangs. We send SYN, Pen replies with SYN+ACK, we send ACK and think that the TCP handshake is done. So we send the HTTP request, which Pen ignores. We send it again. Pen ignores it again, and so on. Here's what that looks like in Wireshark:

tar

Access control lists are a very flexible way to control the tarpit functionality in Pen and have it tarpit every address in a subnet (except those it shouldn't). As an example, think of a network with the following hosts:

192.168.2.1     gateway
192.168.2.2     web server 1
192.168.2.3     web server 2
192.168.2.10    load balanced address

The corresponding ACL would be created like this:

acl 1 deny 192.168.2.1
acl 1 deny 192.168.2.2
acl 1 deny 192.168.2.3
acl 1 deny 192.168.2.10

Anything Pen sees that is not destined for one of these addresses will be tarpitted.