tarpit backfiring!

Posted: Wed Nov 17, 2021 1:23 pm
by woodych
Dear Readers.

A short warning about tarpit rules.

I have a /24 behind a Mikrotik.
To block attacks, I monitor some ports that shall not be connected to from outside, like 5061, 445 and so on. If a source IP connects to those ports 3 times in quick succession, I put it in a timed address list and then send all TCP traffic, to any port, from that source list to a tarpit rule.

Yesterday I started repeatedly getting DDoSed by > 2.5 Gbit/s of TCP-SYN and UDP traffic from various sources, completely saturating my link.

I noticed my tarpit rule was the one attracting the most traffic. I changed this to REJECT - network unreachable.
After a short time, the traffic started to decline.

What I suppose happened here is that after tarpit was engaged for a certain sender IP, as all ports accepted TCP connections, this made all IP addresses in my range attractive targets for further attacks, which were subsequently distributed to more botnet instances that sent TCP-SYN and UDP, ending in > 2.5 Gb/s of traffic.

So be warned. Tarpit may backfire and increase traffic, instead of slowing down the attackers.

-Benoît-

Re: tarpit backfiring!

Posted: Wed Nov 17, 2021 1:50 pm
by Jotne
This is why I have used a limit on tarpit and start dropping packets instead if the number of hits becomes too high. (Have never had a problem, so not sure how well this works.)

viewtopic.php?t=178496
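The scheme described in the first post (three hits on watched ports, then a timed address list feeding a tarpit rule) combined with the limit-then-drop idea from this reply, as an added RouterOS example that is not taken from either poster or the linked topic. List names, timeouts, ports and the rate limit are assumptions chosen for illustration; the /24 sits behind the router, so the rules are in the forward chain.

```routeros
# Added example, not the posters' own rules. Escalates repeat probes through
# timed address lists, tarpits only a bounded rate of packets from the blocked
# list and drops everything beyond that, so the tarpit cannot keep answering an
# unbounded flood. Ports, list names, timeouts and limits are assumptions.
/ip firewall filter
# Third new connection to a watched port while already in stage2 -> blocked list.
add chain=forward protocol=tcp dst-port=445,5061 connection-state=new \
    src-address-list=stage2 action=add-src-to-address-list \
    address-list=blocked address-list-timeout=1d comment="scanner: 3rd hit"
# Second hit within a minute of the first -> stage2.
add chain=forward protocol=tcp dst-port=445,5061 connection-state=new \
    src-address-list=stage1 action=add-src-to-address-list \
    address-list=stage2 address-list-timeout=1m comment="scanner: 2nd hit"
# First hit -> stage1. add-src-to-address-list is non-terminating, so the
# packet keeps going down the chain and reaches the drop rules below.
add chain=forward protocol=tcp dst-port=445,5061 connection-state=new \
    action=add-src-to-address-list address-list=stage1 \
    address-list-timeout=1m comment="scanner: 1st hit"
# Tarpit at most 10 TCP packets per second (burst 20) from the blocked list.
add chain=forward protocol=tcp src-address-list=blocked \
    limit=10,20:packet action=tarpit comment="blocked: limited tarpit"
# Anything above the limit, and all other TCP from the list, is dropped silently.
add chain=forward protocol=tcp src-address-list=blocked action=drop \
    comment="blocked: drop the rest"
# The watched ports themselves never reach the hosts behind the router.
add chain=forward protocol=tcp dst-port=445,5061 action=drop \
    comment="watched ports: drop"
```

If the reply traffic itself becomes the problem, as in the first post, replacing the tarpit rule with a plain drop (or a drop of the blocked list in /ip firewall raw prerouting, which runs before connection tracking) removes every reply and the corresponding outbound bandwidth.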

Re: tarpit backfiring!

Posted: Wed Nov 17, 2021 1:58 pm
by msatter
A DDoS is not interested in a reply, it just pushes packets in.

Drop the packets in RAW or contact your connection provider to mitigate. It could be that your provider is watching those packets you send back and mitigates that DDoS for you. But a provider that does this is unknown to me. Then also the provider on the other side could monitor these reply packets and moderate this transmitter.
The other side is many different providers, so that is not likely to be the case.