> tarpit active —— incoming connection held —— time_wasted: 4h 23m 17s —— attacker resources: consumed<span class="cursor-blink">_</span>_
A tarpit is a network service designed to deliberately slow down, stall, or waste the resources of anything that connects to it. The name comes from the La Brea Tar Pits in Los Angeles — natural asphalt pools where prehistoric animals became trapped and could not escape. A network tarpit works on the same principle: an attacker or automated tool connects, expects a normal response, and instead becomes stuck — consuming time, memory, connections, and processing power while making no progress.
Tarpits are a form of active defence — they do not just block an attacker, they impose a cost. A firewall that drops traffic is invisible to the attacker; they simply move on to the next target. A tarpit that accepts the connection and then responds infinitely slowly forces the attacker to keep that connection open, tying up a socket, a thread, and attention. At scale, a tarpit can consume enough of an attacker's resources to meaningfully degrade their scanning speed, brute-force throughput, or spam delivery rate.
This is not a new concept. Tarpits have existed since the early 2000s. What has changed is their relevance: as automated scanning, credential stuffing, and bot-driven attacks have become the dominant threat model for internet-facing services, techniques that waste attacker automation cycles have become increasingly valuable as part of a layered defence strategy.
Tarpits exploit fundamental properties of TCP — the protocol that underlies most internet communication. Understanding the mechanics requires a brief look at how TCP connections are established and maintained, and how a tarpit subverts each stage to waste the attacker's resources.
The key insight is that TCP was designed to be resilient. When a server responds slowly, the client waits — this is expected behaviour for congested networks. TCP's retransmission timers, keep-alive mechanisms, and flow control all work in the tarpit's favour: the client's operating system keeps the connection alive, consumes a socket, and ties up the attacking tool's connection slot. The attacker's software cannot easily distinguish a tarpit from a genuinely slow server.
Tarpits have evolved to target different types of attacker activity. Each type exploits the specific protocol and behavioural expectations of the attacker's tools, maximising the time and resources wasted per connection.
| Tarpit Type | How It Works | What It Targets |
|---|---|---|
| TCP Tarpit (LaBrea-style) | Responds to SYN packets on unused IP addresses or ports with a SYN-ACK, accepting the connection. Then uses TCP window size manipulation to hold the connection open indefinitely, sending minimal or zero data. Some implementations respond on every unused IP in a subnet, creating the illusion of thousands of live hosts. | Port scanners (Nmap, Masscan, ZMap). Network reconnaissance. Worm propagation. Any tool that initiates TCP connections to discover services. Massively slows subnet-wide scanning by trapping connections on every non-existent host. |
| SSH Tarpit (Endlessh-style) | Listens on port 22 (or wherever SSH brute-force traffic is directed). Sends an infinite SSH banner — the SSH protocol allows the server to send a banner of arbitrary length before authentication begins. The tarpit sends one line every 10–30 seconds, forever. The SSH client waits for the banner to complete before proceeding, so the brute-force tool cannot even attempt a password. | SSH brute-force bots. Credential stuffing against SSH. Automated SSH scanners. Consumes one connection slot per bot for hours. At scale, a single tarpit can hold hundreds of bot connections simultaneously. |
| HTTP Tarpit | Accepts HTTP connections and responds with valid headers but delivers the body extremely slowly — one byte at a time, with delays between each byte. Alternatively, sends chunked transfer-encoding responses that never complete. Some implementations serve infinite HTML containing fake links and form fields to trap web crawlers and scraping bots. | Web scrapers. Vulnerability scanners targeting web applications. Content theft bots. Credential stuffing against web login forms. Automated reconnaissance against web infrastructure. |
| SMTP Tarpit | Accepts SMTP connections from mail servers and responds to each SMTP command (EHLO, MAIL FROM, RCPT TO, DATA) with deliberate delays — typically 15–60 seconds per response instead of the normal sub-second timing. Some implementations add increasing delays for each recipient address in a single session. | Spam bots and bulk mailers. Email harvesting tools. Worms that propagate via email. Slows spam delivery to a crawl — a spammer that can normally deliver thousands of messages per minute is reduced to single digits. |
| Application-Layer Tarpit | Mimics a specific application — a database, API endpoint, or management interface — and responds to protocol-correct queries with valid but infinitely slow responses. May include fake data that appears legitimate to automated tools. | Database scanners. API enumeration tools. Management interface brute-forcers. Targets sophisticated attackers who scan for specific services rather than conducting broad port sweeps. |
Endlessh, created by Chris Wellons in 2019, is the tool that brought tarpits back into mainstream security discussion. It is elegantly simple: it listens on a TCP port (typically 22), and when a client connects, it sends an infinite SSH banner — one random line every 10 to 30 seconds. The SSH protocol specification (RFC 4253) states that the server may send a banner before the version string, and the client must wait for the version string before proceeding. Endlessh exploits this by never sending the version string. The client waits. And waits. And waits.
The results are remarkable. On any internet-facing server, SSH brute-force attempts are constant — typically hundreds to thousands per day. An Endlessh deployment on port 22 routinely traps individual bots for hours at a time. A single Endlessh instance running on modest hardware can hold thousands of connections simultaneously, consuming negligible server resources (each trapped connection uses approximately 120 bytes of memory) while consuming significant resources on the attacker's side.
When deploying Endlessh: ensure your real SSH service is moved to a non-standard port and protected by firewall rules that restrict access to trusted IP ranges or VPN only. Use AllowUsers or AllowGroups directives in sshd_config. Enable key-based authentication only and disable password authentication. Rate-limit connections to the real SSH port with iptables or nftables. The tarpit protects port 22 — but your actual SSH access must be hardened independently.
LaBrea, created by Tom Liston in 2001, is the tool that defined the network tarpit concept. It operates at the TCP/IP level and is designed to answer connection attempts to unused IP addresses in a network. LaBrea monitors ARP requests on the local network — when it detects a request for an IP address that no real host answers, it responds on that address's behalf, completing the TCP handshake and then holding the connection open using TCP window size manipulation.
The effect is powerful: a scanner probing a /24 subnet that contains 50 real hosts and 200 unused addresses will find all 254 addresses responding. The 200 LaBrea-answered connections trap the scanner, consuming its connection pool. Worms that propagate by scanning for vulnerable hosts are particularly affected — instead of finding real targets, they become mired in tarpitted connections that never complete, dramatically slowing propagation speed.
LaBrea's approach is aggressive and best suited to environments with large unused IP spaces — data centres, DMZ networks, or honeypot deployments. It is less suitable for busy internal networks where ARP dynamics are complex and false positives could affect legitimate traffic. Modern alternatives like iptables TARPIT targets achieve similar results using netfilter rather than ARP manipulation, offering more granular control over which connections are tarpitted.
HTTP tarpits exploit the fact that web clients — including automated scanners, scrapers, and bots — expect servers to deliver content. An HTTP tarpit accepts the connection, sends valid HTTP headers indicating a successful response, and then delivers the body at an agonisingly slow pace. The client has already received the 200 OK status and content-type header, so it waits for the body to complete rather than timing out and moving on.
Some HTTP tarpits take a more creative approach. They generate infinite HTML pages containing fake links, form fields, hidden directories, and random text. Web crawlers and vulnerability scanners follow these links, discovering ever more pages to scan — each of which is itself a tarpit generating more fake content. The scanner becomes trapped in an infinite recursion of non-existent pages, consuming its queue, memory, and time.
| HTTP Tarpit Tool | Approach | Best For |
|---|---|---|
| Slowloris (defensive variant) | Sends HTTP response headers one byte at a time with long delays between bytes. Never completes the response. Keeps the client connection open and waiting. | Web scanners, directory brute-forcers (Gobuster, Dirbuster, ffuf), automated crawlers. Any tool that opens many HTTP connections to enumerate content. |
| Infinite page generators | Serves dynamically generated HTML with random links, text, and form elements. Every link leads to another generated page. Pages include robots.txt-style hints that encourage crawlers to explore deeper. |
Web scrapers, content theft bots, AI training crawlers, and SEO spam bots. Particularly effective against tools that follow links and index content. |
| Tar pit via reverse proxy | A reverse proxy (Nginx, Apache) rule that identifies scanner-like behaviour (rapid requests, known scanner user-agents, requests for common vulnerability paths) and redirects matching traffic to a local tarpit service. | Integration with production web infrastructure. Allows legitimate traffic to proceed normally while scanner traffic is silently redirected to the tarpit. |
Tarpits are not a replacement for firewalls, intrusion detection, patching, or any other security control. They are a force multiplier that adds a unique capability to a layered defence: the ability to impose a cost on attackers.
Tarpits are effective against automated, high-volume attacks — but they have clear limitations that must be understood to deploy them effectively.
| Limitation | Detail | Mitigation |
|---|---|---|
| Sophisticated attackers detect them | A skilled human attacker will recognise a tarpit by its behaviour — anomalously slow responses, infinite banners, or connections that never complete. Sophisticated scanning tools like Nmap can be configured with aggressive timeouts that limit tarpit effectiveness. | Tarpits are most effective against automated bots and commodity tools. For sophisticated attackers, combine tarpits with other deception technologies (honeypots, honeytokens) that provide detection value even if the tarpit itself is identified. |
| Connection limits exist | The tarpit server has a finite number of sockets and file descriptors. Under extreme scanning volumes (millions of connections), the tarpit itself may exhaust its connection capacity. Kernel tuning is essential for high-volume deployments. | Increase file descriptor limits (ulimit -n), tune net.ipv4.tcp_max_syn_backlog and net.core.somaxconn. Deploy dedicated tarpit hosts for high-volume internet-facing deployments. Use connection rate limiting at the firewall to manage inbound volume. |
| No protection against application-layer attacks | A tarpit slows connection establishment and data exchange. It does not inspect application-layer payloads, detect exploits, or block malicious content. An attacker who already has valid credentials or an exploit will not be meaningfully delayed. | Tarpits complement but do not replace WAFs, IDS/IPS, authentication controls, and vulnerability patching. They are a delay mechanism, not a detection or prevention mechanism. |
| Legitimate traffic can be affected | If tarpits are deployed carelessly — for example, tarpitting a port that legitimate clients occasionally connect to — real users will experience the same delays. Misconfigured LaBrea-style tarpits on busy internal networks can interfere with ARP resolution. | Deploy tarpits only on ports and addresses where legitimate traffic does not occur. Use firewall rules to whitelist known legitimate sources before tarpit rules. Test thoroughly in non-production environments before deploying. |
| Distributed attackers are less affected | A botnet scanning from thousands of IP addresses is trapping one connection per bot — but has thousands more available. The tarpit consumes resources on individual bots but may not meaningfully slow the overall campaign. | Tarpits are most effective when combined with IP reputation, rate limiting, and geographic filtering that reduce the volume of inbound scanning before it reaches the tarpit. |
As penetration testers, we encounter tarpits during external engagements. A well-deployed tarpit is immediately recognisable to an experienced tester — but it is a signal that the organisation takes active defence seriously, and it forces the tester to adjust their approach.
| Deployment | Tool | Configuration Guidance |
|---|---|---|
| SSH tarpit on internet-facing servers | Endlessh | Move real SSH to a non-standard port, restrict by firewall to trusted IPs. Deploy Endlessh on port 22. Set MaxClients 4096 for high-volume environments. Monitor logs for trapped connection volume and duration — this is your free threat intelligence feed. |
| Common port tarpitting | iptables TARPIT target | Apply TARPIT rules to ports you do not use but attackers commonly scan: 23 (Telnet), 445 (SMB), 3389 (RDP), 1433 (MSSQL), 3306 (MySQL), 5900 (VNC). Ensure rules are ordered after ACCEPT rules for legitimate services. |
| Web application scanner trapping | HTTP tarpit behind reverse proxy | Configure your reverse proxy to identify scanner behaviour (known user-agents, rapid request rates, requests for /.env, /wp-admin, /phpmyadmin) and redirect matching traffic to a tarpit service. Legitimate users are unaffected. |
| DMZ/honeypot network | LaBrea or iptables TARPIT | Deploy across unused IP addresses in DMZ subnets. Every unused address becomes a trap. Scanners probing the DMZ find dozens of apparent hosts, all of which are tarpits. Real services are hidden among the noise. |
Tarpits are a defensive technique that deliberately slows, stalls, and wastes the resources of attackers by accepting their connections and responding infinitely slowly. They exploit fundamental properties of TCP, SSH, HTTP, and SMTP to trap automated tools in connections that consume attacker resources while costing the defender almost nothing.
They are not a silver bullet. They do not replace firewalls, patching, authentication controls, or monitoring. They are most effective against automated, high-volume attacks — the SSH brute-force bots, port scanners, web scrapers, and spam engines that constitute the background radiation of internet-facing infrastructure. Against these threats, a single Endlessh instance or a set of iptables TARPIT rules provides a continuous, zero-maintenance defence that imposes real cost on attackers.
In a threat landscape dominated by automation, any technique that wastes attacker automation cycles is a net positive for the defender. Tarpits turn unused IP addresses and unused ports from dead space into active defence — and the prehistoric animals that wandered into the La Brea Tar Pits would tell you, if they could, that sometimes the most effective trap is the one you walk into without knowing it.
Our external penetration testing engagements identify exposed services, scan your attack surface the way an attacker would, and recommend defensive measures — including active defence techniques like tarpits — that reduce your exposure and impose costs on adversaries.