Tarpit Honeypots
Frustrating your adversary one slow byte at a time
Tarpit honeypots are a useful tool for learning about, and helping to thwart, the "background radiation" of the internet. They look enticing enough that attackers reveal their abilities against them, providing material for later analysis. Analysis of attackers' abilities can help protect your systems from exploitation in the future. One unique facet of the protection they provide is annoyance. Annoyance can be a powerful deterrent, causing an attacker to give up and attack someone else.
Tarpits: An Abridged History
Tarpits, in networking, are services that slow down network connections (usually incoming ones). Their initial function was to stop the spread of self-replicating malware (computer worms). Their name is a play on literal tar pits: pits where animals became stuck, slowed down, and sank below the muck to their doom! In the digital realm, computer worms end up ensnared by tarpits, slowing the rate at which they spread through a network.
Why make a Tarpit also a Honeypot?
A honeypot is an information gathering tool used by organizations or researchers. It tricks attackers into attempting to exploit it by looking both vulnerable and valuable, giving insight into the attacker's skills and tools. Organizations use this information to help detect and prevent attacks on their other systems.
A tarpit server causes an attacker to waste resources by holding up their connections. The attacker now has two choices: spend more time, or spend more money (by allocating more hardware).
Probing network scans (such as a web directory scan) slow to a crawl, as they cannot make new connections: each request has to wait for the tarpit's slow response to finish (or for the request to time out) before the scanner makes another. This forces an attacker to choose one of those unappealing options.
By making the tarpit appear valuable, the attacker falls into your trap: they disclose their techniques and exhaust their resources, giving you time to respond.
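The following is an added example, not code from the post or from Crab Trap, showing the two behaviours described above in a minimal HTTP tarpit: the server records metadata about each request (peer, method, path, User-Agent) and then drips a decoy response one byte at a time, so a scanner that reuses a single connection slot stalls on every request. The request bytes, the decoy body, the byte delay and the function names (`parse_request_metadata`, `drip`, `demo`) are all constructed for this example; `demo()` plays the scanner role against the server on localhost and measures how long the single request took.

```python
"""Minimal HTTP tarpit honeypot (example code, not Crab Trap's own).

Accepts one connection, logs request metadata, then sends the response
one byte at a time with a sleep between bytes so the client is held up.
"""
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed sample request, the kind a web directory scanner might send.
SAMPLE_REQUEST = (b"GET /etc/shadow HTTP/1.1\r\n"
                  b"Host: tarpit.example\r\n"
                  b"User-Agent: ExampleScanner/1.0\r\n\r\n")

# Constructed decoy body; stands in for the "random copypasta" of the post.
DECOY_BODY = b"No hashes here. Thanks for waiting.\n"


def parse_request_metadata(raw: bytes, peer: str) -> dict:
    """Keep the fields worth logging from the request line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (lines[0], "")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "peer": peer,
        "method": method,
        "path": path,
        "user_agent": headers.get("user-agent", ""),
    }


def build_response(body: bytes) -> bytes:
    """Plain HTTP/1.1 200 response carrying the decoy body."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def drip(sock: socket.socket, payload: bytes, delay: float) -> int:
    """Send payload one byte at a time, sleeping `delay` seconds after each.
    Returns how many bytes were delivered before the client gave up."""
    sent = 0
    for i in range(len(payload)):
        try:
            sock.sendall(payload[i:i + 1])
        except OSError:          # client closed or reset the connection
            break
        sent += 1
        time.sleep(delay)
    return sent


def handle_connection(conn: socket.socket, addr, delay: float, log: list) -> None:
    """Read one request, log its metadata, then drip the decoy response."""
    conn.settimeout(5.0)
    try:
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = conn.recv(1024)
            if not chunk:
                break
            raw += chunk
        meta = parse_request_metadata(raw, f"{addr[0]}:{addr[1]}")
        meta["bytes_delivered"] = drip(conn, build_response(DECOY_BODY), delay)
        log.append(meta)
    finally:
        conn.close()


def serve_once(delay: float, log: list):
    """Bind an ephemeral localhost port and serve exactly one connection
    in a background thread. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, addr = srv.accept()
        srv.close()
        handle_connection(conn, addr, delay, log)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def demo(delay: float = 0.01) -> dict:
    """Play the scanner: send SAMPLE_REQUEST and time the whole response."""
    log: list = []
    port, t = serve_once(delay, log)
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(SAMPLE_REQUEST)
        resp = b""
        while True:             # read until the tarpit finally closes
            chunk = c.recv(4096)
            if not chunk:
                break
            resp += chunk
    elapsed = time.monotonic() - start
    t.join(5)
    return {"metadata": log[0], "response": resp, "elapsed": elapsed}


if __name__ == "__main__":
    result = demo()
    print(result["metadata"])
    print(f"{len(result['response'])} bytes took {result['elapsed']:.2f}s")
```

With the default 10 ms per byte a roughly 100-byte response takes about a second; a real tarpit would use a delay of seconds per byte and hold many connections at once, which is why the scanner's concurrency, not the tarpit's, becomes the bottleneck. The metadata dictionary is the part worth shipping to a collection pipeline.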
Tarpit Honeypots: Flipping the Script on Cyber Attackers
Tarpit honeypots, in a way, flip the script: you're attacking the attacker. They act both as an information gathering tool and as a deterrent, making an attacker likely to focus on other organizations or systems that don't use these tactics.
As a bonus, you set the stage for these sorts of scenarios to occur:
An attacker waits almost eight hours for what they thought was the shadow file for a server. They open the file. They start scanning its contents hoping to start cracking the password hashes... Only to see a random copypasta in its place!
That situation will never not bring a smile to my face!
No Plugables to Plug? What Gives?!
Okay, fine! You got me! I wrote a tarpit honeypot, Crab Trap!
I have a few internet-facing services, and I would like to gather more information about what kind of scans are probing in their general vicinity. I wrote this server to help me gather data about the scans that are hitting the infrastructure hosting those services, with the hope of gathering the collected data and sharing some analysis later!
Crab Trap (as I am writing this) is "functional", meaning it slows down the response for a connection and collects metadata around the request made. There's a bit of work I need to do before it's "production ready": things like removing the rough edges, writing end user documentation, and plumbing it into a data collection pipeline. It is still a fun learning exercise!
If this sort of thing interests you, feel free to contribute to the project and help annoy some bot owners!