{"id":1696,"date":"2017-07-26T20:56:03","date_gmt":"2017-07-26T20:56:03","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=1696"},"modified":"2017-07-26T22:08:20","modified_gmt":"2017-07-26T22:08:20","slug":"use-tarpit-vs-drop-for-scripts-blocking-attackers","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/use-tarpit-vs-drop-for-scripts-blocking-attackers\/","title":{"rendered":"Use tarpit vs drop for scripts blocking attackers"},"content":{"rendered":"<p>There are many scripts out there, especially on Mikrotik, which list drop as the action for denying attacker traffic. While this isn&#8217;t wrong, the tarpit action is a better fit for rules that are dropping attack-type traffic.<\/p>\n<p><strong>So what is Tarpit?<\/strong><br \/>\nTarpit is fairly simple. When connections come in and are &#8220;tarpitted&#8221; they don&#8217;t go back out. The connection is accepted, but when data transfer begins, the TCP window size is set to zero. This means no data can be transferred during the session. The session is held open, and requests from the sender (aka the attacker) to close the session are ignored. They must wait for the connection to time out.<\/p>\n<p><strong>So what&#8217;s the downside?<\/strong><br \/>\nTCP is not really designed to hold a connection open without transferring data. It can be additional overhead on an already taxed system. Most modern firewalls can handle tarpitting without an issue. 
However, if you get thousands of connections it can overwhelm a system or a particular protocol.<\/p>\n<p><strong>How can I use it?<\/strong><br \/>\nIf you have scripts, such as the <a href=\"https:\/\/wiki.mikrotik.com\/wiki\/Bruteforce_login_prevention\">SSH brute-force drop script from the Mikrotik wiki<\/a>, simply change the action from &#8220;drop&#8221; to &#8220;tarpit&#8221;. Note that tarpit only works on TCP connections, so it only makes sense on rules that match protocol=tcp; for other protocols drop remains the right action.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are many scripts out there, especially on Mikrotik, which list drop as the action for denying attacker traffic. While this isn&#8217;t wrong, the tarpit action is a better fit for rules that are dropping attack-type traffic. So what is Tarpit? Tarpit is fairly simple. When connections come in and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1501,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[17,2],"tags":[271,456,457,25,455],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/01\/ethernet.jpeg?fit=1800%2C1162","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-rm","jetpack-related-posts":[{"id":2277,"url":"http:\/\/www.mtin.net\/blog\/winbox-brute-force\/","url_meta":{"origin":1696,"position":0},"title":"Winbox brute Force","author":"j2sw","date":"June 1, 2018","format":false,"excerpt":"You really should not have your winbox port open to anything but a management network, but if you need a script to help with brute force on the Mikrotik. 
add action=drop chain=input comment=\"drop winbox brute forcers\" dst-port=8291 \\ protocol=tcp src-address-list=winbox_blacklist add action=add-src-to-address-list address-list=winbox_blacklist \\ address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \\ protocol=tcp\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":297,"url":"http:\/\/www.mtin.net\/blog\/protecting-your-mikrotik-from-dns-amplification\/","url_meta":{"origin":1696,"position":1},"title":"Protecting your Mikrotik from DNS Amplification","author":"j2sw","date":"May 8, 2015","format":false,"excerpt":"There are several reasons and benefits to using your Mikrotik as a DNS caching server. \u00a0Queries to the client are just a tad faster, which makes the overall user experience seem snappier. \u00a0It also allows you to quickly change upstream DNS servers in the even of an outage, attack, etc.\u2026","rel":"","context":"In \"amplification\"","block_context":{"text":"amplification","link":"http:\/\/www.mtin.net\/blog\/tag\/amplification\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2165,"url":"http:\/\/www.mtin.net\/blog\/ipv6-firewall-rules-for-mikrotik\/","url_meta":{"origin":1696,"position":2},"title":"IPV6 Firewall rules for Mikrotik","author":"j2sw","date":"March 23, 2018","format":false,"excerpt":"Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface=\"\" with your appropriate interface. 
\/ipv6 firewall filter add chain=input protocol=icmpv6 add chain=input connection-state=established,related add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547 add action=drop chain=input connection-state=invalid add action=drop chain=input connection-state=new in-interface=ether1-wan add chain=forward protocol=icmpv6 add chain=forward connection-state=established,related add chain=forward connection-state=new in-interface=!ether1-wan add action=drop chain=forward\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":263,"url":"http:\/\/www.mtin.net\/blog\/new-software-features\/","url_meta":{"origin":1696,"position":3},"title":"New Software Features","author":"j2sw","date":"April 23, 2015","format":false,"excerpt":"RoMON another blog post will follow on this. Need to use Winbox 3 FastTrack FastPath + Connection Tracking FastTrack Accelerates packet processing for specific connection tracking entries Full NAT support Works with IPv4\/TCP and IPv4\/UDP \u00a0","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2250,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-destination-nat\/","url_meta":{"origin":1696,"position":4},"title":"Mikrotik Destination Nat","author":"j2sw","date":"May 1, 2018","format":false,"excerpt":"Scenario You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, a customer has a camera that communicates on port 80 with a static IP add of 192.168.21.49 on their internal LAN. 
Solution add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1379,"url":"http:\/\/www.mtin.net\/blog\/simple-shut-off-scripting\/","url_meta":{"origin":1696,"position":5},"title":"Simple shut-off scripting","author":"j2sw","date":"September 15, 2016","format":false,"excerpt":"I had a client today who is doing some manual things as they are using Quickbooks for billing and such. \u00a0One thing they kind of struggle with is turning off people for non-payment and such. \u00a0Their current method is adding a que and throttling someone to a low-speed to make\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1696"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=1696"}],"version-history":[{"count":2,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1696\/revisions"}],"predecessor-version":[{"id":1698,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1696\/revisions\/1698"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media\/1501"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=1696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\
/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=1696"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=1696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}