Community discussions

MikroTik App
 
woodych
just joined
Topic Author
Posts: 19
Joined: Fri Nov 12, 2021 7:09 pm

tarpit backfiring!

Wed Nov 17, 2021 1:23 pm

Dear Readers.

As short warning, about tarpit rules.

I have a /24 behind a Mikrotik.
To block attacks. I monitor some ports that shall not be connected from outside, like 5061,445 and so on. If a source ip connects those ports 3 time in quick succession, I put them in an timed address list and then send all TCP traffic, to any port, from that source list to a tarpit rule.

Yesterday I started repeatedly getting DDOSed by > 2.5 Gbit/s TCP-SYN and UDP traffic from various sources completely saturating my link.

I noticed my tarpit rule was the one attracting the most traffic. I changed this to REJECT - network unreachable.
After short time, the traffic started to decline.

What I suppose happened here is that after tarpit was engaged for a certain sender IP, as all ports accepted TCP connections, this made all ip addresses in my range attractive targets for further attacks which subsequently were distribute to more botnet instances which sent TCP-SYN and UDP, ending in > 2.5Gb/s traffic.

So be warned. Tarpit may backfire and increase traffic, instead of slowing down the attackers.

-Benoît-
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: tarpit backfiring!

Wed Nov 17, 2021 1:50 pm

This is why I have used a limit on tarpit and start dropping packed instead if number of hits becomes to high. (Have never had problem, so not sure how well this works)

viewtopic.php?t=178496
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: tarpit backfiring!

Wed Nov 17, 2021 1:58 pm

A DDoS is not interested in a reply, it just pushes packet in.

Drop the packets in RAW or contact you connection provider to mitigate. It could that your provider is watching those packets you send back and mitigate that DDos for you. But a provider to do this this is unknown by me. Then also the provider on the other side could monitor this reply packets and moderate this transmiiter.
The other side are many different providers so not likely tobe the case.

Who is online

Users browsing this forum: wirelesslywired and 6 guests