Dear Readers.
A short warning about tarpit rules.
I have a /24 behind a Mikrotik.
To block attacks, I monitor some ports that shall not be connected to from outside, like 5061, 445 and so on. If a source IP connects to those ports 3 times in quick succession, I put it in a timed address list and then send all TCP traffic, to any port, from that source list to a tarpit rule.
Yesterday I started repeatedly getting DDoSed by > 2.5 Gbit/s of TCP-SYN and UDP traffic from various sources, completely saturating my link.
I noticed my tarpit rule was the one attracting the most traffic. I changed this to REJECT - network unreachable.
After a short time, the traffic started to decline.
What I suppose happened here is that after tarpit was engaged for a certain sender IP, as all ports accepted TCP connections, this made all IP addresses in my range attractive targets for further attacks, which were subsequently distributed to more botnet instances which sent TCP-SYN and UDP, ending in > 2.5 Gb/s of traffic.
So be warned. Tarpit may backfire and increase traffic, instead of slowing down the attackers.
-Benoît-
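The setup described in the post, written out as RouterOS firewall filter rules (an added example, not the poster's own configuration): three connection attempts to the honeypot ports within one minute land the source in a timed "blocked" list, and traffic from that list gets the reject-with-network-unreachable response instead of a tarpit. The interface name ether1, the list names, the timeouts and the port set are assumptions; a public /24 routed behind the router is matched in the forward chain.

```routeros
/ip firewall filter
# Rules are evaluated top-down. The action on the "blocked" list comes first,
# so an already-listed source never reaches the detection rules below.
# This is the replacement for the tarpit rule: a tarpit keeps the SYN/ACK
# handshake open and makes every address in the /24 look like an open host.
add chain=forward protocol=tcp src-address-list=blocked \
    action=reject reject-with=icmp-network-unreachable \
    comment="blocked scanners: reject instead of tarpit"
# What was in place before (kept only for comparison, do not enable):
# add chain=forward protocol=tcp src-address-list=blocked action=tarpit

# Detection: three new connections to ports that must never be reached from
# outside (assumed set 445,5061), within the 1m list timeout, escalate
# stage1 -> stage2 -> blocked. add-src-to-address-list is non-terminating,
# so each packet keeps falling through to the rules after it.
add chain=forward in-interface=ether1 protocol=tcp dst-port=445,5061 \
    connection-state=new src-address-list=stage2 \
    action=add-src-to-address-list address-list=blocked address-list-timeout=1d \
    comment="3rd hit: block for one day"
add chain=forward in-interface=ether1 protocol=tcp dst-port=445,5061 \
    connection-state=new src-address-list=stage1 \
    action=add-src-to-address-list address-list=stage2 address-list-timeout=1m \
    comment="2nd hit"
add chain=forward in-interface=ether1 protocol=tcp dst-port=445,5061 \
    connection-state=new \
    action=add-src-to-address-list address-list=stage1 address-list-timeout=1m \
    comment="1st hit"

# The honeypot ports themselves are dropped for everyone else, so a single
# probe gets no answer at all rather than a tarpit handshake.
add chain=forward in-interface=ether1 protocol=tcp dst-port=445,5061 action=drop \
    comment="never reachable from outside"
```

Check the list contents with `/ip firewall address-list print where list=blocked` and the per-rule counters with `/ip firewall filter print stats` to confirm the reject rule, not a tarpit, is the one absorbing the hits.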