From e54b4b4afe198d61b29fda42e28102d20c1b9942 Mon Sep 17 00:00:00 2001 From: jknapp Date: Mon, 25 Aug 2025 06:42:09 -0700 Subject: [PATCH] =?UTF-8?q?Implement=20progressive=20protection:=20tarpit?= =?UTF-8?q?=20=E2=86=92=20silent-drop=20=E2=86=92=20block?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Set tarpit timeout to 10 seconds for initial offenders - Use silent-drop for obvious scanners (35+ errors) and repeat offenders - Silent-drop immediately closes connection without response - Keep 429 block for critical threats (50+ errors) Protection levels: - 10-19 errors: 10s tarpit - 20-34 errors: 10s tarpit (first), silent-drop (repeat) - 35-49 errors: silent-drop - 50+ errors: 429 block - Burst attacks: 10s tarpit (first), silent-drop (repeat) Updated monitoring script to show correct status based on new logic. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- scripts/show-tarpit-ips.sh | 23 ++++++++++++++--------- templates/hap_header.tpl | 2 +- templates/hap_listener.tpl | 30 ++++++++++++++++++++---------- 3 files changed, 35 insertions(+), 20 deletions(-) diff --git a/scripts/show-tarpit-ips.sh b/scripts/show-tarpit-ips.sh index 52485b2..13118b6 100755 --- a/scripts/show-tarpit-ips.sh +++ b/scripts/show-tarpit-ips.sh @@ -73,16 +73,20 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu gpc1=${gpc1:-0} err_rate=${err_rate:-0} - # Determine status based on scan count + # Determine status based on scan count and escalation status="" if [ "$gpc0" -ge 50 ]; then - status="BLOCKED (critical)" + status="BLOCKED (429)" elif [ "$gpc0" -ge 35 ]; then - status="TARPITTED (high)" + status="SILENT-DROP" elif [ "$gpc0" -ge 20 ]; then - status="TARPITTED (medium)" + if [ "$gpc1" -ge 2 ]; then + status="SILENT-DROP (repeat)" + else + status="TARPIT 10s" + fi elif [ "$gpc0" -ge 10 ]; then - status="MONITORED (low)" + status="TARPIT 10s" else status="Normal" fi 
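Review bot: The status chain consults only gpc0 and gpc1, so an IP the listener actions on burst_scanner alone (the legend's "Burst (5+ in 10s)" tier) is reported as "Normal" whenever its scan count is below 10; err_rate is read just above (`err_rate=${err_rate:-0}`) but never tested here. If err_rate is the same rate the burst_scanner ACL reads, a branch before the final `else` such as `elif [ "$err_rate" -ge 5 ]; then status="TARPIT 10s (burst)"` would close that gap. Note also that `[ "$gpc1" -ge 2 ]` reports "SILENT-DROP (repeat)" for every level at or above 2, while the listener's silent-drop rule for scanner_medium matches only the escalation_level_2 ACL (`sc0_get_gpc1 eq 2`), so the script and the config disagree for gpc1 of 3 or more and should be aligned one way or the other. The loop that populates gpc0/gpc1 begins outside the hunk.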
@@ -100,10 +104,11 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu echo echo "===================================================================" echo "Legend:" -echo " - Scan Count 10-19: Potential scanner (monitored/low tarpit)" -echo " - Scan Count 20-34: Likely scanner (tarpitted with medium delay)" -echo " - Scan Count 35-49: Confirmed scanner (tarpitted with high delay)" -echo " - Scan Count 50+: Aggressive scanner (blocked with 429 status)" +echo " - Scan Count 10-19: Low scanner → TARPIT 10s delay" +echo " - Scan Count 20-34: Medium scanner → TARPIT 10s (1st), SILENT-DROP (repeat)" +echo " - Scan Count 35-49: High scanner → SILENT-DROP (immediate disconnect)" +echo " - Scan Count 50+: Critical scanner → BLOCKED (429 response)" +echo " - Burst (5+ in 10s): → TARPIT 10s (1st), SILENT-DROP (repeat)" echo "===================================================================" echo "Note: IPs are tracked for 1 hour since last activity" echo diff --git a/templates/hap_header.tpl b/templates/hap_header.tpl index 6382447..db68e09 100644 --- a/templates/hap_header.tpl +++ b/templates/hap_header.tpl @@ -45,6 +45,6 @@ defaults timeout server 10m timeout http-keep-alive 120s timeout check 10s - timeout tarpit 30s # Tarpit delay for detected scanners (fixed in HAProxy 3.0) + timeout tarpit 10s # Tarpit delay for low-level scanners (before silent-drop) maxconn 3000 \ No newline at end of file diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl index 7634cc6..2c01217 100644 --- a/templates/hap_listener.tpl +++ b/templates/hap_listener.tpl 
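Review bot: The new comment on `timeout tarpit 10s` should state what the value costs, since the listener now relies on it for two tiers: a tarpitted request holds its connection, and therefore a slot under `maxconn 3000`, for the full 10 s before the 429 is sent, which is the reason the heavier tiers were moved to silent-drop. Suggest `timeout tarpit 10s # Hold scanner_low/first-offense connections 10s, then 429; each held connection occupies a maxconn slot, so heavier tiers use silent-drop`. The old comment's "(fixed in HAProxy 3.0)" is dropped without a replacement, so the minimum HAProxy version the template depends on is no longer recorded anywhere visible in this change.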
@@ -54,20 +54,30 @@ frontend web acl escalation_level_2 sc0_get_gpc1 eq 2 # Third offense acl escalation_level_3 sc0_get_gpc1 ge 3 # Repeat offender - # BLOCKING RULES - Block aggressive scanners completely - # Only block after significant error accumulation + # BLOCKING RULES - Progressive response based on threat level + + # Level 4: Complete block for critical threats (50+ errors) http-request deny deny_status 429 if scanner_critical - # TARPIT RULES - Apply tarpit to detected scanners - # HAProxy 3.0 uses global 'timeout tarpit' (60s) for all tarpit actions - # We track escalation level but all tarpits use same timeout - # The escalation level helps identify repeat offenders + # Level 3: Silent drop for obvious scanners and burst attacks + # This immediately closes the connection without any response + http-request silent-drop if scanner_high # 35+ errors + http-request silent-drop if scanner_medium burst_scanner # 20+ errors with burst + http-request silent-drop if scanner_medium escalation_level_2 # Repeat medium scanner + http-request silent-drop if burst_scanner escalation_level_1 # Repeat burst scanner - # Apply tarpit to any detected scanner - http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner + # Level 2: Tarpit for medium scanners (first offense) + # 10 second delay before closing connection + http-request tarpit deny_status 429 if scanner_medium escalation_level_0 + http-request tarpit deny_status 429 if scanner_medium escalation_level_1 - # Increment escalation level when we apply tarpit - # This tracks how many times this IP has been tarpitted + # Level 1: Tarpit for low-level scanners + # 10 second delay to slow them down + http-request tarpit deny_status 429 if scanner_low + http-request tarpit deny_status 429 if burst_scanner escalation_level_0 + + # Increment escalation level when we apply any protection + # This tracks how many times this IP has been actioned http-request sc-inc-gpc1(0) if 
scanner_low or scanner_medium or scanner_high or burst_scanner # Note: The backend will increment sc0_get_gpc0 when it sees 400/401/403/404 responses
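Review bot: The `http-request sc-inc-gpc1(0)` rule at the end of the hunk is evaluated after the deny, silent-drop and tarpit rules, and HAProxy stops evaluating http-request rules once one of those terminal actions fires, so unless gpc1 is incremented somewhere outside this hunk the escalation counter never advances and the escalation_level_1/escalation_level_2 "repeat" tiers are unreachable. Moving that rule above `http-request deny deny_status 429 if scanner_critical` makes it count every actioned request as its comment says. Separately, the repeat tiers each match a single exact level: scanner_medium is silent-dropped only at escalation_level_2 (`sc0_get_gpc1 eq 2`) and burst_scanner only at escalation_level_1, so at escalation_level_3 (`ge 3`) both fall through to normal processing unless scanner_low is an open-ended `ge` threshold that also matches them. Widening them to `http-request silent-drop if scanner_medium escalation_level_2 or scanner_medium escalation_level_3` and `http-request silent-drop if burst_scanner escalation_level_1 or burst_scanner escalation_level_2 or burst_scanner escalation_level_3` closes that gap. The scanner_* and escalation_level_0/1 ACLs are defined before the hunk, so their thresholds are taken here from the comments rather than from their definitions.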