LinuxEngineer
just joined
Topic Author
Posts: 10
Joined: Fri Apr 22, 2016 11:46 am
Location: United Kingdom

Tarpit operation question

Sat Apr 23, 2016 5:20 pm

Hi all-

Although I see my tarpit rules are matching, and appear to be working, I have just one little niggle I was hoping somebody could clear up for me:

If a tarpitted connection is a fully established TCP connection like any other with the exception that the window size is dropped to zero making it useless, why don't I see any evidence of these connections with the other established ones in the "Connections" tab in Winbox? The expected behaviour I'd have thought would be to see these registered in the connections list if they were established, window size zero or not. Thanks in advance-
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Tarpit operation question

Sat Apr 23, 2016 5:50 pm

I don't think these connections are actually established from the router's point of view, which would mean a waste of resources for tracking those connections. They just get a momentarily generated response to induce the zero window behavior and are forgotten.

It is exactly what the tarpit tries to achieve: block the attacker's resources until their exhaustion in useless connections (which he needs to track) and keep your own resources available to prevent DoS. Tracking them would fail to reach this goal, exposing your router's resources to the attacker.

And during a flood attack, do you really need to see hundreds or thousands of established connections (eating up router memory), hiding the few real established ones in an endless list? Is there any other benefit than satisfying your curiosity?
 
LinuxEngineer
just joined
Topic Author
Posts: 10
Joined: Fri Apr 22, 2016 11:46 am
Location: United Kingdom

Re: Tarpit operation question

Fri Apr 29, 2016 2:28 pm

docmarius wrote:

I don't think these connections are actually established from the router's point of view, which would mean a waste of resources for tracking those connections. They just get a momentarily generated response to induce the zero window behavior and are forgotten.

It is exactly what the tarpit tries to achieve: block the attacker's resources until their exhaustion in useless connections (which he needs to track) and keep your own resources available to prevent DoS. Tracking them would fail to reach this goal, exposing your router's resources to the attacker.

And during a flood attack, do you really need to see hundreds or thousands of established connections (eating up router memory), hiding the few real established ones in an endless list? Is there any other benefit than satisfying your curiosity?

Just wanted to ensure that Tarpit was actually doing something. Seemed counter-intuitive that if the router is holding the connection, which must necessarily be in an established state, I should not also see it in the list of connections. When I didn't, it led me to wonder: "Hmmmm, is Tarpit actually working..." If it wasn't, then I would want to re-plan my defenses away from using Tarpit.

I went over the organization of my rules and all seemed in order, so figured I'd ping this forum as it's not short of a few MikroTik gurus!

Thanks-
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Tarpit operation question

Fri Apr 29, 2016 4:22 pm

Tarpit actually works, but there is a drawback. I used it but somehow it failed to actually achieve its goal in the real world.
When an attacker sends a SYN to your router, if you have a drop rule, no ACK will be sent back, and after a timeout (in the order of seconds, with maybe a few retries), that port will probably be abandoned as a target (there is usually some kind of script running which does this).
Now if you use tarpit, the connection gets established, and until it is actively separated it will hang in there, generating some traffic: ACK with a 0 window, followed by a new window proposal, then again the 0 window ACK and so on. If the attacker's script does not take any active measures to recognize this situation, the connection will take some 15 minutes to die out.
IMHO, a drop rule actually does a better job in the usual open port scan situation, compared to tarpit, since it will actually hide the machine, instead of confirming its presence.
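Added example, not code from the original thread and not a description of MikroTik's actual implementation: a Python model of the two points made above, that a tarpit can answer every segment from the segment itself and so has nothing to put in a connection table (docmarius's first reply), and the exchange a scanner then sees (SYN/ACK, then a zero-window ACK to every window probe, with no data ever getting through). It also shows the check a scanning script would need in order to recognise the situation instead of hanging. On RouterOS the real thing is the firewall filter action `tarpit`; the names `tarpit_reply`, `scan_port` and `looks_like_tarpit`, the port numbers and the sequence numbers here are all assumptions, and every segment is constructed in memory with no IP layer and no checksum.

```python
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def build_tcp(sport, dport, seq, ack, flags, window, payload=b""):
    """Serialise a bare 20-byte TCP header (no options) plus payload.
    Checksum stays 0: this model has no IP pseudo-header to compute it over."""
    off_flags = (5 << 12) | flags                     # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, window, 0, 0) + payload


def parse_tcp(segment):
    """Parse the fixed header and return the fields a tarpit needs."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window,
            "payload": segment[data_off:]}


def tarpit_reply(segment, isn=0):
    """Answer one incoming segment with no per-connection state (model only).

    Every number in the reply comes from the incoming segment: our own
    sequence number is the peer's ack number, and we ack the peer's seq
    without consuming a byte, because a zero window accepts nothing.
    That is why there is no connection-table entry to show for it."""
    s = parse_tcp(segment)
    f = s["flags"]
    if f & RST:
        return None                                   # peer tore it down
    if f & SYN and not f & ACK:
        # Complete the handshake, but advertise a zero window straight away.
        return build_tcp(s["dport"], s["sport"], isn,
                         (s["seq"] + 1) & MASK32, SYN | ACK, 0)
    if f & ACK and (s["payload"] or f & FIN):
        # Window probe, data or FIN: ack the edge, accept nothing, window 0.
        return build_tcp(s["dport"], s["sport"], s["ack"], s["seq"], ACK, 0)
    return None                                       # pure ACK: no reply needed


def scan_port(dst_port, data=b"GET / HTTP/1.0\r\n\r\n", max_probes=3,
              sport=40000, isn=1000):
    """The scanner's view of the exchange: handshake completes, then each
    attempt to send is reduced to a 1-byte window probe that is answered with
    another zero-window ACK. Returns the replies seen and bytes delivered."""
    replies, delivered = [], 0
    synack = tarpit_reply(build_tcp(sport, dst_port, isn, 0, SYN, 65535), isn=5000)
    if synack is None:
        return {"established": False, "replies": replies, "delivered": 0}
    r = parse_tcp(synack)
    replies.append((r["flags"], r["window"]))
    our_seq, their_seq = (isn + 1) & MASK32, (r["seq"] + 1) & MASK32
    tarpit_reply(build_tcp(sport, dst_port, our_seq, their_seq, ACK, 65535))  # 3rd packet
    window = r["window"]
    for _ in range(max_probes):
        # Zero window: TCP may only send a one-byte probe, never the request.
        chunk = data[delivered:delivered + (window if window > 0 else 1)]
        reply = tarpit_reply(build_tcp(sport, dst_port, our_seq, their_seq,
                                       ACK | PSH, 65535, chunk))
        r = parse_tcp(reply)
        replies.append((r["flags"], r["window"]))
        accepted = (r["ack"] - our_seq) & MASK32      # bytes the peer took
        delivered += accepted
        our_seq, window = r["ack"], r["window"]
        if delivered >= len(data):
            break
    return {"established": True, "replies": replies, "delivered": delivered}


def looks_like_tarpit(result):
    """What a scanning script would check before waiting minutes on a port:
    the handshake succeeded, yet every reply advertised window 0 and not one
    payload byte was ever acknowledged."""
    return (result["established"] and result["delivered"] == 0
            and all(w == 0 for _, w in result["replies"]))


if __name__ == "__main__":
    res = scan_port(22)
    print("established:", res["established"], "delivered:", res["delivered"])
    print("replies (flags, window):", res["replies"])
    print("tarpit?", looks_like_tarpit(res))
```

The contrast with a drop rule falls out of the same model: with drop, `scan_port` would never get a SYN/ACK and the scanner times out after a few retries, whereas here the port answers every segment and so confirms that a host is there, which is the trade-off the post above weighs.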
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Tarpit operation question

Fri Apr 29, 2016 8:00 pm

It's like the difference between being a poison arrowhead frog (bright and colorful, DARING you to touch it) and a chameleon (hiding).

I kind of like the poison animal approach - why hide when you can make it quite plain that you're not worth bothering over?

Now the wheels are turning in my head - I wonder if the scanning/botnet community maintains their own "do not scan" list - not for politeness, but because of known high-security networks that will get their operation detected and blacklisted... It would be nice to get one's organization's IP ranges into such lists. ;)
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Tarpit operation question

Fri Apr 29, 2016 8:12 pm

ZeroByte wrote:

I kind of like the poison animal approach - why hide when you can make it quite plain that you're not worth bothering over?

Yes, it has a nice ring to it.
It just depends how much the additional traffic related to the tarpit bothers you. If it is of no concern, then venom is the solution :-)
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Tarpit operation question

Fri Apr 29, 2016 10:30 pm

What do you think of this second answer regarding tarpit operation?
It's discussed in regards to a Linux-based server/host and not an appliance such as a Mikrotik router, but the concept is pretty much the same....

http://serverfault.com/questions/611063 ... -downsides

This really makes me want to implement it on my own server - even though I know it's not going to trap much (pretty low-traffic host)