tarpit, anybody?

Jeffrey 'jf' Lim jfs.world at gmail.com
Sun Aug 3 09:13:31 MSD 2008

On Fri, Aug 1, 2008 at 9:18 PM, Calomel <nginxdeletethis at calomel.org> wrote:

> Jeffery,

thanks, but that's  Jeff-r-e-y, actually.

> I am not sure if Nginx is the right place for a tarpit. Tarpitting on
> the firewall may be a better solution so nginx can just handle web
> traffic.
> Iptables allows you to tarpit connections easily, but you will have to
> manage a table of clients you want to slow down. The following rule
> will tarpit all connections to port 80.
> iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

Let me describe the context of the application of tarpitting so that it
becomes clear. I am looking to tarpit only certain connections based on
certain criteria (otherwise, of course, why would I even bother to run and
use nginx to tarpit, right?).

I intend to use this to tarpit persistent blog spam. I have captchas that
work - but still, I'd like to be able to punish these guys - and drive them
out of even my logs.

> PF (openbsd) does not yet have a tarpit ability for standard tcp
> connections. Spamd will only work to tarpit mail servers.
> There are also third party apps like LeBrea or HoneyPot that will do
> what you want.

I'm not so sure LaBrea, or HoneyPot can tarpit selectively. Or even if they
do, whether they can work in concert with an actual web server (so that they
can pass the legal connections onward, and things will still work).


In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20080803/2aef8403/attachment.html>

More information about the nginx mailing list