One of the advantages of having a rotating graveyard schedule (two weeks of 10 PM shifts, followed by two months of normal living) is that quiet nights allow for copious amounts of time to muck around on the Internet. One topic that’s piqued my interest over the last few days is tarpitting. Purposefully delaying responses seems a little more interesting than strictly rate limiting; it’s a little more of a retaliatory attitude, without causing any damage at the other end of the connection. Most of the writing I’ve found related to the idea is focused on lower-layer implementation (e.g. the TARPIT iptables module) or SMTP, so I decided to roll my own for HTTP services.
It’s easy enough to build an artificial delay into requests using the OpenResty stack (the Lua Nginx API provides ngx.sleep(), which relays on timers, so there’s no additional CPU load); the trick was figuring out the logic of when to delay, and how long. I came up with a stepwise system that allows for a baseline request rate, and introduces a delay after a predefined threshold is met. This delay is then increased if requests continue, scaling linearly. Under the hood, the request state is stored using a shared dictionary, using the client address and the request URI as the key. This allows for a client to be tarpitted against a single resource (e.g. login pages, expensive dynamic resources, etc) without being bogged down elsewhere. Nginx’s event processing model means that we can stick a number of requests on hold without blocking incoming requests from different clients for the same resource. The module itself is simple enough, using the shm zone to store JSON objects tracking a client’s state:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 |
local function _do_tarpit(t) ngx.sleep(t) ngx.exit(418) -- teapot, tarpit, same thing end local function _step_down(premature, key, reset) local tarpit = ngx.shared.tarpit local res = tarpit:get(key) local t = cjson.decode(res) ngx.update_time() -- reduce the state if the key hasnt been touched in 'delay' seconds if ((ngx.now() - t.mostrecent) > reset) then if (t.state > 0) then t.state = t.state - 1 end t.statestart = ngx.now() t.staterequests = 0 tarpit:set(key, cjson.encode(t)) end -- keep looping this until we've decremented our state to 0 if (t.state > 0) then ngx.timer.at(reset, _step_down, key, reset) end end -- request_limit: how many requests can be sent before the delay is increased -- reset: how long in seconds until the state is reset -- delay: initial time to stall the request function _M.tarpit(request_limit, reset, delay) ngx.update_time() local _to_tarpit = false local tarpit = ngx.shared.tarpit local client = ngx.var.remote_addr local resource = ngx.var.uri local key = client .. ":" .. resource if not tarpit then ngx.exit(ngx.OK) -- silently bail if the user hasn't setup the tarpit shm end -- TODO: look into lua-resty-lock local t = {} local res = tarpit:get(key) if not res then t.staterequests = 0 t.state = 0 t.statestart = ngx.now() t.mostrecent = ngx.now() else t = cjson.decode(res) end -- mark this request t.staterequests = t.staterequests + 1 t.mostrecent = ngx:now() -- figure out if we need to tarpit this request if (t.staterequests > request_limit or t.state > 0) then _to_tarpit = true end -- do we need to bump states? if (t.staterequests > request_limit) then t.state = t.state + 1 t.statestart = ngx.now() t.staterequests = 0 -- start the state decrement counter -- we only need this to run after the first state bump if t.state == 1 then ngx.timer.at(delay, _step_down, key, reset) end end -- save it up and send em to the grave tarpit:set(key, cjson.encode(t)) if (_to_tarpit) then _do_tarpit(delay * t.state) end end |
A lot of this is hardcoded (like the response status, the dictionary key), and the possibility for a race condition does exist (shared dictionaries are locked during read/write operations, but the small amount of work done by the module could allow for a separate access from a different request to write to the shm before the tarpit function completes; I’m planning on using lua-resty-lock to fix that), but so far testing has looked solid. Implementation is very straightforward:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
http { lua_shared_dict tarpit 10m; } server { location /login { # or whatever resource you want to protect access_by_lua ' local t = require "tarpit" t.tarpit( 5, -- request limit 5, -- reset timer 1, -- delay time ) '; } } |
A shared zone called ‘tarpit’ must be setup, otherwise the module will silently bail (by exiting out of the current phase with ngx.OK). The public function of the module (tarpit()) takes three parameters:
- Number of requests allowed before moving to the next state
- Time to decrement the state counter
- How long requests should be delayed initially
The module uses a state to determine if the request should be tarpitted; state 0 adds no artificial delay, while positive-integer states will tarpit the request n number of seconds, multiplied by the current state, where n is the third param provided to the function. So, in the example above, the first five requests to a resource will be handled as normal; the next five will have a delay of 1 second added, the next five will be delayed by 2 seconds, etc. If no requests are received within 5 seconds, the state will decrement, and the state counter will reset to 0.
While researching this I didn’t find much else in the way of HTTP tarpits. The GoLang http-tarpit project functions as a more traditional tarpit, by slowly feeding data back to the client to the hold the connection open; however, this prevents the daemon from forwarding or handling legitimate requests. My solution is an alternative from a true tarpit in the academic sense, but it functions as an effective deterrent to brute force solutions and integrates nicely into an existing, robust stack, rather than living solely as a honeypot. The module is available on GitHub; I’ll be making tweaks for a while (I’ve still got another week left on graveyard).
Update: I took another look at creating a more traditional tarpit with the OpenResty stack, and it seems pretty easy. From what I can tell, the best analogy to a TCP tarpit would be to send a response with a very large Content-Length header, and slowly dribble response characters to the client (this would essentially function as a reverse Slowloris attack). OpenResty’s ngx.sleep() and ngx.flush() make this trivial inside of any content phase handler:
|
1 2 3 4 5 6 7 |
local length = 1000 ngx.header["Content-Length"] = length while true do ngx.print("\x00") -- say whatever you want here, doesn't matter ngx.flush() ngx.sleep(5) -- should be short enough to prevent a client timeout end |
This code block can replace the content in the existing _do_tarpit() function, since the state mechanism would still allow for a small number of legitimate requests to be passed through.
One thought on “Graveyard Tarpittin’”