Tarpit (networking)

A tarpit (also written tar pit; German: Teerfalle) is a technique that deliberately slows down unwanted network connections and keeps the remote peer tied up for as long as possible. Tarpits are used mainly for spam and worm control. In principle, a tarpit can be implemented at any layer of the OSI model; typical implementations sit at the IP, TCP and application layers.

Principle of operation

The client establishes a connection to the server, which accepts it. The server then processes this connection with massive delays: the response data trickles over the line very slowly. The client has to keep waiting for the server's response, so in theory the connection to the server can be held open for as long as desired. The delay can be implemented at lower network layers such as IP or TCP, or at the application level.

IP tarpits

IP tarpits exploit the possibilities available at the IP level: they reduce the packet size to a minimum and send the packets very slowly.

TCP tarpits

TCP tarpits sit one layer higher in the network stack but work with essentially the same techniques as IP tarpits. They also minimize the packet size, "forget" to send response packets, produce connection errors, and so on.

Examples

LaBrea

A well-known implementation is LaBrea, which can protect an entire network with a single tarpit service.

The tarpit host listens for ARP requests that go unanswered (usually because the requested address is unused) and answers them itself, i.e. it pretends to own the requested IP address. If it then receives the initial SYN packet from the attacker (often a port scanner), it sends only a SYN/ACK in response and nothing more. No socket is opened for this connection and no "real" connection is set up; after sending the SYN/ACK, the tarpit stores no data about the connection at all. The tarpit therefore needs practically no resources of its own, such as CPU time, sockets, memory or network bandwidth.

The remote host (the "attacker") sends its ACK packet to complete the 3-way handshake required to establish the connection. The tarpit already ignores this packet. Because, from the "attacker's" point of view, an established connection now exists, it starts sending its data, which reaches nobody.

Since TCP requires an acknowledgment for every packet, the connection is usually torn down only after a timeout. Until then, the sending machine remains in a state designed to keep the connection to a potential real communication partner alive by all available means. This costs time and computing power, often a great deal of it, depending on the nature of the network stack (number of retries, back-off, retransmits, etc.).
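The following Python simulation is an added example, not LaBrea's own code: it models a stateless tarpit that answers only the SYN of a handshake, and a remote sender that completes the handshake, sends data and retransmits with exponential back-off until its stack gives up. The addresses, the way the tarpit derives its initial sequence number (a CRC of the address pair, so that no per-connection table is needed), and the retry parameters are assumptions chosen for the example; real stacks use their own retransmission timers.

```python
import zlib
from dataclasses import dataclass
from typing import Optional, Set

# Constructed values for this example; any unused address on the tarpit's
# network would do in practice.
TARPIT_ADDR = "192.0.2.200"
CLAIMED: Set[str] = set()   # addresses the tarpit has started answering ARP for


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str              # "SYN", "SYN/ACK", "ACK", "PSH/ACK", "FIN/ACK"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


def on_unanswered_arp(addr: str) -> None:
    """Called when an ARP request for 'addr' went unanswered: the tarpit
    adopts the address and from now on attracts traffic sent to it."""
    CLAIMED.add(addr)


def tarpit_respond(pkt: Packet) -> Optional[Packet]:
    """Stateless responder. A SYN to an adopted address is answered with a
    SYN/ACK acknowledging seq+1; every other packet (the handshake ACK, data,
    FIN) is silently dropped, so no socket, buffer or timer is ever allocated."""
    if pkt.dst not in CLAIMED or pkt.flags != "SYN":
        return None
    # Assumption for the example: derive the initial sequence number from the
    # addresses instead of storing it, so a retransmitted SYN gets the
    # identical answer without any lookup table.
    isn = zlib.crc32(f"{pkt.src}>{pkt.dst}".encode())
    return Packet(src=pkt.dst, dst=pkt.src, flags="SYN/ACK", seq=isn, ack=pkt.seq + 1)


@dataclass
class Sender:
    """Minimal model of the remote host's TCP state for one connection."""
    addr: str = "203.0.113.9"   # constructed remote address
    state: str = "CLOSED"
    seq: int = 1000
    retransmits: int = 0
    seconds_held: float = 0.0


def drive_sender(sender: Sender, payload: bytes,
                 initial_rto: float = 1.0, max_retries: int = 5) -> Sender:
    """Complete the handshake against the tarpit, then send 'payload' and
    retransmit it with exponential back-off until the stack gives up.
    Returns the sender with the total time it kept the connection alive."""
    sender.state = "SYN_SENT"
    reply = tarpit_respond(Packet(sender.addr, TARPIT_ADDR, "SYN", seq=sender.seq))
    if reply is None or reply.flags != "SYN/ACK" or reply.ack != sender.seq + 1:
        sender.state = "CLOSED"
        return sender
    peer_ack = reply.seq + 1
    # Third packet of the handshake: the tarpit drops it, but the sender
    # cannot tell and now believes the connection is established.
    tarpit_respond(Packet(sender.addr, TARPIT_ADDR, "ACK", seq=sender.seq + 1, ack=peer_ack))
    sender.state = "ESTABLISHED"
    rto = initial_rto
    for attempt in range(max_retries + 1):
        data = Packet(sender.addr, TARPIT_ADDR, "PSH/ACK",
                      seq=sender.seq + 1, ack=peer_ack, payload=payload)
        if tarpit_respond(data) is not None:     # never true against a tarpit
            break
        sender.retransmits = attempt             # attempt 0 is the original send
        sender.seconds_held += rto               # wait one RTO for the missing ACK
        rto *= 2                                 # exponential back-off
    sender.state = "CLOSED"                      # the stack finally gives up
    return sender


if __name__ == "__main__":
    on_unanswered_arp(TARPIT_ADDR)
    s = drive_sender(Sender(), b"GET / HTTP/1.0\r\n\r\n")
    print(f"connection held for {s.seconds_held:.0f}s after {s.retransmits} retransmits")
```

With the defaults (1 s initial RTO, 5 retries) the sender holds its socket for 1 + 2 + 4 + 8 + 16 + 32 = 63 seconds per connection while the tarpit has done nothing beyond sending one SYN/ACK; a scanner opening many connections at once multiplies that cost on its own side only.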

Newer versions of LaBrea are additionally able to reply to later incoming packets with meaningless answers. This is done with raw IP packets, so no sockets or other resources of the tarpit server are used. These packets cause the sending server to keep the connection alive and thus waste even more time and computing power.

Besides LaBrea there are numerous other TCP tarpits, such as TCP Damping.

Netfilter

The netfilter packet filter in Linux can run a TCP tarpit without any additional userspace software. The TARPIT target accepts new TCP connections and puts them directly into the persist state. Because the resulting window size is 0, the "attacker" is not allowed to send any data and is forced to probe the window size again every 60 to 240 seconds. Furthermore, the "attacker's" attempts to close the connection are ignored, so the connection is forced to time out. This takes 12 to 24 minutes, and during this time the resources on the "attacker's" side remain occupied.

Application-level tarpits

Tarpits at the application level use the possibilities of the application protocol to slow down a connection artificially. These range from simulating lost requests or error states to particularly detailed but meaningless answers.

SMTP and HTTP tarpits in particular are in use.

SMTP tarpits

The e-mail tarpit works by artificially slowing down or delaying SMTP sessions, for example by building small delays into the SMTP handshake, so that mail servers sending mass spam are blocked.

In addition, so-called SMTP continuation lines are inserted into the server's replies. These continuation lines allow the server to return a multi-line reply that the client has to wait for, similar to a conversation in which the person opposite you is asked a specific question but only gets to the point after an hour of talking.

In normal mail traffic this delay causes no major restrictions, depending on the implementation and aggressiveness of the tarpit. If, however, a large number of mails is sent simultaneously from one server, as is usually the case with e-mail spam, the sending mail server is blocked: the number of TCP sessions it can handle at the same time is limited. If all of its available sessions are stuck in a tarpit, it can only send further mails once one of the open sessions is completed or aborted.

Another mode of action is that viruses and servers optimized for sending spam often abort the delivery even at short delays, without retrying later. For such senders, even a slow or poorly performing server can have the effect of a tarpit. Here the tarpit does not block the sending server but protects the receiver against e-mail spam and malware.

This, however, is what makes the tarpit rather uneconomical: spammers terminate the connection immediately, while legitimate senders get caught. That is exactly the opposite of the desired effect. The OpenBSD spamd, for example, implements whitelisting and greylisting to identify spammers and spare legitimate senders.

In the past, saving traffic was often used as an argument, but since volume costs keep falling while the size of regular mail and the available bandwidth keep rising, this argument is becoming less and less significant.

Large providers and newsletter senders are also blocked by such a classic tarpit, which is why this method is not popular with them. The problem is mitigated by subjecting only SMTP sessions from suspicious hosts (cf. RBL) to tarpitting, and possibly also maintaining a whitelist for large providers.
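The following asyncio script is an added example, not the code of spamd or any other project: it runs a minimal SMTP tarpit on a loopback port that sends a multi-line "220-" greeting with a delay before every continuation line, and it applies the selective policy described above by choosing the delay per peer address (no delay for a whitelisted network, the full delay for a network listed as suspicious, a mild delay otherwise). The hostname, the address ranges, the delay values and the `peer_override` parameter (used so the loopback client can impersonate different networks) are assumptions made for the example; a real deployment would consult an RBL and a maintained whitelist instead of the constructed sets below.

```python
import asyncio
import ipaddress
import time
from typing import List, Optional

# Constructed policy lists for the example (documentation ranges, RFC 5737).
WHITELIST = {ipaddress.ip_network("192.0.2.0/24")}     # trusted bulk senders
SUSPECT = {ipaddress.ip_network("198.51.100.0/24")}    # hosts found on a blocklist


def tarpit_delay(peer_ip: str, base_delay: float) -> float:
    """Per-line delay for a peer: none for whitelisted hosts, the full tarpit
    delay for suspicious ones, one tenth of it for everybody else."""
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in net for net in WHITELIST):
        return 0.0
    if any(ip in net for net in SUSPECT):
        return base_delay
    return base_delay / 10


def banner_lines(hostname: str, n_continuations: int) -> List[str]:
    """Build a multi-line 220 greeting: n continuation lines ("220-...") and
    the final "220 " line. A client must wait for the line whose fourth
    character is a space before it may speak."""
    lines = [f"220-{hostname} ESMTP please hold, line {i + 1}" for i in range(n_continuations)]
    lines.append(f"220 {hostname} ESMTP ready")
    return lines


async def handle_client(reader, writer, hostname, n_cont, base_delay, peer_override=None):
    """Tarpit side: drip the greeting out line by line, then answer slowly."""
    peer = peer_override or writer.get_extra_info("peername")[0]
    delay = tarpit_delay(peer, base_delay)
    for line in banner_lines(hostname, n_cont):
        await asyncio.sleep(delay)
        writer.write((line + "\r\n").encode())
        await writer.drain()
    await reader.readline()            # client's EHLO/HELO
    await asyncio.sleep(delay)
    writer.write(b"250 ok\r\n")
    await writer.drain()
    writer.close()
    await writer.wait_closed()


async def run_session(n_cont: int, base_delay: float, peer_override: Optional[str]):
    """Start a tarpit on an ephemeral loopback port, connect as a client and
    return (number of greeting lines received, elapsed seconds)."""
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, "mx.example.test", n_cont, base_delay, peer_override),
        "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        start = time.monotonic()
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        received = []
        while True:
            raw = await reader.readline()
            if not raw:                # server went away
                break
            line = raw.decode().rstrip("\r\n")
            received.append(line)
            if line[3:4] == " ":       # final line of the multi-line reply
                break
        writer.write(b"EHLO client.example.test\r\n")
        await writer.drain()
        await reader.readline()        # the (delayed) 250 reply
        writer.close()
        await writer.wait_closed()
        elapsed = time.monotonic() - start
    return len(received), elapsed


def measure(n_cont: int, base_delay: float, peer_override: Optional[str] = None):
    return asyncio.run(run_session(n_cont, base_delay, peer_override))


if __name__ == "__main__":
    for peer in ("198.51.100.7", "192.0.2.10", "203.0.113.5"):
        n, t = measure(3, 0.2, peer)
        print(f"{peer}: {n} greeting lines in {t:.2f}s")
```

Each continuation line keeps the client's session occupied for another `delay` seconds, so a sender that opens many parallel sessions to a tarpitted receiver runs out of free sessions long before a sender that delivers one mail at a time notices anything; the whitelist path shows why selective tarpitting keeps large legitimate senders unaffected.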

HTTP tarpits

HTTP tarpits try to throw spammers off track one level earlier by blocking the spammers' harvesters. Harvesters are programs that search web pages like a search-engine spider (e.g. Googlebot), but not for keywords: they look for the e-mail addresses of potential spam victims.

This type of tarpit serves web pages very slowly and packs the generated pages with many links to itself, so that the harvester keeps walking into the trap.
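The following script is an added example of such an HTTP tarpit, written with Python's standard `http.server`; it is not code from any existing tarpit project. Every page under the trap path contains only links that lead back into the trap (each with a different page id, so the "site" never ends) and the response body is drip-fed at a constructed rate so that the harvester has to hold the connection open before it can even parse the links. The trap path, the number of links per page and the byte rate are assumptions for the example.

```python
import html
import random
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List
from urllib.parse import parse_qs, urlsplit

TRAP_PATH = "/directory"    # constructed path; every generated link stays under it
LINKS_PER_PAGE = 25         # constructed
BYTES_PER_SECOND = 200      # constructed drip-feed rate for the response body


def trap_links(page_id: int, count: int) -> List[str]:
    """Return 'count' links that all point back into the tarpit. The target
    page ids are derived from the current one, so the crawl never repeats."""
    rng = random.Random(page_id)     # deterministic per page, looks varied to a crawler
    return [f"{TRAP_PATH}?page={page_id * count + i}&ref={rng.randrange(10**6)}"
            for i in range(count)]


def render_trap_page(page_id: int, count: int = LINKS_PER_PAGE) -> str:
    """Render an HTML page whose only content is links back into the tarpit.
    It deliberately contains no e-mail addresses, so a harvester gains nothing."""
    items = "\n".join(
        f'<li><a href="{html.escape(link)}">entry {i}</a></li>'
        for i, link in enumerate(trap_links(page_id, count)))
    return f"<html><body><h1>Directory {page_id}</h1><ul>\n{items}\n</ul></body></html>\n"


def page_id_from_path(path: str) -> int:
    """Extract the page id from the query string, defaulting to 0 on garbage."""
    qs = parse_qs(urlsplit(path).query)
    try:
        return int(qs.get("page", ["0"])[0])
    except ValueError:
        return 0


class TarpitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not self.path.startswith(TRAP_PATH):
            self.send_error(404)
            return
        body = render_trap_page(page_id_from_path(self.path)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        # Drip-feed the body in ten chunks per second: the client cannot see a
        # single link until it has waited roughly len(body) / BYTES_PER_SECOND s.
        chunk = max(1, BYTES_PER_SECOND // 10)
        for i in range(0, len(body), chunk):
            self.wfile.write(body[i:i + chunk])
            self.wfile.flush()
            time.sleep(0.1)

    def log_message(self, fmt, *args):
        pass    # stay quiet; a real deployment would log the harvester's address


if __name__ == "__main__":
    # Constructed bind address for local testing.
    HTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

Serving the trap only under a path that legitimate users never see (for example one that is linked invisibly and excluded in robots.txt) keeps well-behaved crawlers out, while a harvester that ignores such conventions follows the links and spends its time and connections on pages that contain no addresses at all.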
