Implement progressive protection: tarpit → silent-drop → block

- Set tarpit timeout to 10 seconds for initial offenders - Use silent-drop for obvious scanners (35+ errors) and repeat offenders - Silent-drop immediately closes connection without response - Keep 429 block for critical threats (50+ errors) Protection levels: - 10-19 errors: 10s tarpit - 20-34 errors: 10s tarpit (first), silent-drop (repeat) - 35-49 errors: silent-drop - 50+ errors: 429 block - Burst attacks: 10s tarpit (first), silent-drop (repeat) Updated monitoring script to show correct status based on new logic. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-25 06:42:09 -07:00
parent 0a4995266c
commit e54b4b4afe
3 changed files with 35 additions and 20 deletions
--- a/scripts/show-tarpit-ips.sh
+++ b/scripts/show-tarpit-ips.sh
@@ -73,16 +73,20 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu
            gpc1=${gpc1:-0}
            err_rate=${err_rate:-0}
            
-            # Determine status based on scan count
+            # Determine status based on scan count and escalation
            status=""
            if [ "$gpc0" -ge 50 ]; then
-                status="BLOCKED (critical)"
+                status="BLOCKED (429)"
            elif [ "$gpc0" -ge 35 ]; then
-                status="TARPITTED (high)"
+                status="SILENT-DROP"
            elif [ "$gpc0" -ge 20 ]; then
-                status="TARPITTED (medium)"
+                if [ "$gpc1" -ge 2 ]; then
+                    status="SILENT-DROP (repeat)"
+                else
+                    status="TARPIT 10s"
+                fi
            elif [ "$gpc0" -ge 10 ]; then
-                status="MONITORED (low)"
+                status="TARPIT 10s"
            else
                status="Normal"
            fi
@@ -100,10 +104,11 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu
 echo
 echo "==================================================================="
 echo "Legend:"
-echo "  - Scan Count 10-19: Potential scanner (monitored/low tarpit)"
-echo "  - Scan Count 20-34: Likely scanner (tarpitted with medium delay)"
-echo "  - Scan Count 35-49: Confirmed scanner (tarpitted with high delay)"
-echo "  - Scan Count 50+:   Aggressive scanner (blocked with 429 status)"
+echo "  - Scan Count 10-19: Low scanner → TARPIT 10s delay"
+echo "  - Scan Count 20-34: Medium scanner → TARPIT 10s (1st), SILENT-DROP (repeat)"
+echo "  - Scan Count 35-49: High scanner → SILENT-DROP (immediate disconnect)"
+echo "  - Scan Count 50+:   Critical scanner → BLOCKED (429 response)"
+echo "  - Burst (5+ in 10s): → TARPIT 10s (1st), SILENT-DROP (repeat)"
 echo "==================================================================="
 echo "Note: IPs are tracked for 1 hour since last activity"
 echo
--- a/templates/hap_header.tpl
+++ b/templates/hap_header.tpl
@@ -45,6 +45,6 @@ defaults
    timeout server          10m
    timeout http-keep-alive 120s
    timeout check           10s
-    timeout tarpit          30s  # Tarpit delay for detected scanners (fixed in HAProxy 3.0)
+    timeout tarpit          10s  # Tarpit delay for low-level scanners (before silent-drop)
    maxconn                 3000
    
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -54,20 +54,30 @@ frontend web
    acl escalation_level_2 sc0_get_gpc1 eq 2   # Third offense
    acl escalation_level_3 sc0_get_gpc1 ge 3   # Repeat offender
    
-    # BLOCKING RULES - Block aggressive scanners completely
-    # Only block after significant error accumulation
+    # BLOCKING RULES - Progressive response based on threat level
+    
+    # Level 4: Complete block for critical threats (50+ errors)
    http-request deny deny_status 429 if scanner_critical
    
-    # TARPIT RULES - Apply tarpit to detected scanners
-    # HAProxy 3.0 uses global 'timeout tarpit' (60s) for all tarpit actions
-    # We track escalation level but all tarpits use same timeout
-    # The escalation level helps identify repeat offenders
+    # Level 3: Silent drop for obvious scanners and burst attacks
+    # This immediately closes the connection without any response
+    http-request silent-drop if scanner_high              # 35+ errors
+    http-request silent-drop if scanner_medium burst_scanner  # 20+ errors with burst
+    http-request silent-drop if scanner_medium escalation_level_2  # Repeat medium scanner
+    http-request silent-drop if burst_scanner escalation_level_1   # Repeat burst scanner
    
-    # Apply tarpit to any detected scanner
-    http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner
+    # Level 2: Tarpit for medium scanners (first offense)
+    # 10 second delay before closing connection
+    http-request tarpit deny_status 429 if scanner_medium escalation_level_0
+    http-request tarpit deny_status 429 if scanner_medium escalation_level_1
    
-    # Increment escalation level when we apply tarpit
-    # This tracks how many times this IP has been tarpitted
+    # Level 1: Tarpit for low-level scanners
+    # 10 second delay to slow them down
+    http-request tarpit deny_status 429 if scanner_low
+    http-request tarpit deny_status 429 if burst_scanner escalation_level_0
+    
+    # Increment escalation level when we apply any protection
+    # This tracks how many times this IP has been actioned
    http-request sc-inc-gpc1(0) if scanner_low or scanner_medium or scanner_high or burst_scanner
    
    # Note: The backend will increment sc0_get_gpc0 when it sees 400/401/403/404 responses