Implement progressive protection: tarpit → silent-drop → block

- Set tarpit timeout to 10 seconds for initial offenders
- Use silent-drop for obvious scanners (35+ errors) and repeat offenders
- Silent-drop immediately closes connection without response
- Keep 429 block for critical threats (50+ errors)

Protection levels:
- 10-19 errors: 10s tarpit
- 20-34 errors: 10s tarpit (first), silent-drop (repeat)
- 35-49 errors: silent-drop
- 50+ errors: 429 block
- Burst attacks: 10s tarpit (first), silent-drop (repeat)

Updated monitoring script to show correct status based on new logic.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/show-tarpit-ips.sh

@@ -73,16 +73,20 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu
             gpc1=${gpc1:-0}
             err_rate=${err_rate:-0}
             
-            # Determine status based on scan count
+            # Determine status based on scan count and escalation
             status=""
             if [ "$gpc0" -ge 50 ]; then
-                status="BLOCKED (critical)"
+                status="BLOCKED (429)"
             elif [ "$gpc0" -ge 35 ]; then
-                status="TARPITTED (high)"
+                status="SILENT-DROP"
             elif [ "$gpc0" -ge 20 ]; then
-                status="TARPITTED (medium)"
+                if [ "$gpc1" -ge 2 ]; then
+                    status="SILENT-DROP (repeat)"
+                else
+                    status="TARPIT 10s"
+                fi
             elif [ "$gpc0" -ge 10 ]; then
-                status="MONITORED (low)"
+                status="TARPIT 10s"
             else
                 status="Normal"
             fi
@@ -100,10 +104,11 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu
 echo
 echo "==================================================================="
 echo "Legend:"
-echo "  - Scan Count 10-19: Potential scanner (monitored/low tarpit)"
+echo "  - Scan Count 10-19: Low scanner → TARPIT 10s delay"
-echo "  - Scan Count 20-34: Likely scanner (tarpitted with medium delay)"
+echo "  - Scan Count 20-34: Medium scanner → TARPIT 10s (1st), SILENT-DROP (repeat)"
-echo "  - Scan Count 35-49: Confirmed scanner (tarpitted with high delay)"
+echo "  - Scan Count 35-49: High scanner → SILENT-DROP (immediate disconnect)"
-echo "  - Scan Count 50+:   Aggressive scanner (blocked with 429 status)"
+echo "  - Scan Count 50+:   Critical scanner → BLOCKED (429 response)"
+echo "  - Burst (5+ in 10s): → TARPIT 10s (1st), SILENT-DROP (repeat)"
 echo "==================================================================="
 echo "Note: IPs are tracked for 1 hour since last activity"
 echo

templates/hap_header.tpl

@@ -45,6 +45,6 @@ defaults
     timeout server          10m
     timeout http-keep-alive 120s
     timeout check           10s
-    timeout tarpit          30s  # Tarpit delay for detected scanners (fixed in HAProxy 3.0)
+    timeout tarpit          10s  # Tarpit delay for low-level scanners (before silent-drop)
     maxconn                 3000
     

templates/hap_listener.tpl

@@ -54,20 +54,30 @@ frontend web
     acl escalation_level_2 sc0_get_gpc1 eq 2   # Third offense
     acl escalation_level_3 sc0_get_gpc1 ge 3   # Repeat offender
     
-    # BLOCKING RULES - Block aggressive scanners completely
+    # BLOCKING RULES - Progressive response based on threat level
-    # Only block after significant error accumulation
+    
+    # Level 4: Complete block for critical threats (50+ errors)
     http-request deny deny_status 429 if scanner_critical
     
-    # TARPIT RULES - Apply tarpit to detected scanners
+    # Level 3: Silent drop for obvious scanners and burst attacks
-    # HAProxy 3.0 uses global 'timeout tarpit' (60s) for all tarpit actions
+    # This immediately closes the connection without any response
-    # We track escalation level but all tarpits use same timeout
+    http-request silent-drop if scanner_high              # 35+ errors
-    # The escalation level helps identify repeat offenders
+    http-request silent-drop if scanner_medium burst_scanner  # 20+ errors with burst
+    http-request silent-drop if scanner_medium escalation_level_2  # Repeat medium scanner
+    http-request silent-drop if burst_scanner escalation_level_1   # Repeat burst scanner
     
-    # Apply tarpit to any detected scanner
+    # Level 2: Tarpit for medium scanners (first offense)
-    http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner
+    # 10 second delay before closing connection
+    http-request tarpit deny_status 429 if scanner_medium escalation_level_0
+    http-request tarpit deny_status 429 if scanner_medium escalation_level_1
     
-    # Increment escalation level when we apply tarpit
+    # Level 1: Tarpit for low-level scanners
-    # This tracks how many times this IP has been tarpitted
+    # 10 second delay to slow them down
+    http-request tarpit deny_status 429 if scanner_low
+    http-request tarpit deny_status 429 if burst_scanner escalation_level_0
+    
+    # Increment escalation level when we apply any protection
+    # This tracks how many times this IP has been actioned
     http-request sc-inc-gpc1(0) if scanner_low or scanner_medium or scanner_high or burst_scanner
     
     # Note: The backend will increment sc0_get_gpc0 when it sees 400/401/403/404 responses