10. Implementing a highly available tarpit for IPv4 and IPv6 with the tarpit module

The tarpit module allows you to implement a highly available tarpit for IPv4 and IPv6 with BalanceNG in parallel to any load-balancing functionality.

The tarpit module and its functionality were introduced with BalanceNG 3.566. We recommend adding the tarpit module as the very last step, once all of the “normal” load-balancing functionality is already working as expected.

The tarpit module implements the following functionality on the “tarpit enabled” IPv4 or IPv6 networks:

  • ARP and ND6 requests are answered if the address is not represented by BalanceNG itself and if it can be proven that there is no other machine representing this address at the time the ARP or ND6 request is being received.
  • ICMP4 and ICMP6 ECHO REQUESTS are answered if received on such a virtually represented address.
  • TCP open requests on any port on such a virtually represented address are answered with a corresponding SYN-ACK TCP packet, without consuming any further internal memory for state information.
  • UDP packets received on any port are logged without any further action.

The tarpit functionality may be useful – for example – for the following purposes:

  • Identifying misconfigured nodes.
  • Blocking and/or slowing down internet worms, network scans and portscans.
  • Identifying internal “snooping around” by any human or automatic functionality.
  • Notifying the system administration staff of any occurrence of such events.

The following list shows the possible messages logged to the BalanceNG log and the syslog with LOG_WARNING level:

TARPIT IPv4 ARP_REPLY for IPv4_addr sent to IPv4_addr [MAC_addr]
TARPIT IPv4 ECHO_REPLY for IPv4_addr sent to IPv4_addr [MAC_addr]
TARPIT IPv4 TCP_SYNACK for IPv4_addr/port sent to IPv4_addr/port [MAC_addr]
TARPIT IPv4 UDP_PACKET for IPv4_addr/port received from IPv4_addr/port [MAC_addr]

TARPIT IPv6 ND6_REPLY for IPv6_addr sent to IPv6_addr [MAC_addr]
TARPIT IPv6 ECHO_REPLY for IPv6_addr sent to IPv6_addr [MAC_addr]
TARPIT IPv6 TCP_SYNACK for IPv6_addr/port sent to IPv6_addr/port [MAC_addr]
TARPIT IPv6 UDP_PACKET for IPv6_addr/port received from IPv6_addr/port [MAC_addr]
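
The following Python example is added here and is not part of BalanceNG or its documentation: it parses the messages listed above and groups them by source address, marking sources that touched several distinct tarpitted address/port pairs. It assumes the fields are rendered literally as in the templates; the sample lines, their syslog prefix and the `min_targets` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Follows the message templates listed above. Assumption: fields are rendered
# literally as "addr" or "addr/port", with the MAC in square brackets.
TARPIT_RE = re.compile(
    r"TARPIT (?P<family>IPv[46]) "
    r"(?P<event>ARP_REPLY|ND6_REPLY|ECHO_REPLY|TCP_SYNACK|UDP_PACKET) "
    r"for (?P<dst>\S+) (?:sent to|received from) (?P<src>\S+) \[(?P<mac>[^\]]+)\]"
)

def split_endpoint(text):
    """Split 'addr/port' on the last '/', so the colons in IPv6 stay intact."""
    addr, sep, port = text.rpartition("/")
    return (addr, int(port)) if sep and port.isdigit() else (text, None)

def parse_line(line):
    """Return a dict for a TARPIT message, or None for any other log line."""
    m = TARPIT_RE.search(line)  # search() tolerates a syslog prefix
    if not m:
        return None
    dst, dport = split_endpoint(m["dst"])
    src, sport = split_endpoint(m["src"])
    return {"family": m["family"], "event": m["event"], "dst": dst,
            "dport": dport, "src": src, "sport": sport, "mac": m["mac"]}

def summarize(lines, min_targets=3):
    """Per source: count the distinct tarpitted (addr, port) pairs it touched."""
    targets, macs = defaultdict(set), defaultdict(set)
    for ev in filter(None, map(parse_line, lines)):
        targets[ev["src"]].add((ev["dst"], ev["dport"]))
        macs[ev["src"]].add(ev["mac"])
    return {src: {"targets": len(t), "macs": sorted(macs[src]),
                  "suspect": len(t) >= min_targets}
            for src, t in targets.items()}

# Constructed sample lines (syslog prefix, addresses and MACs are made up).
SAMPLE = [
    "Mar  1 10:00:01 lb1 bng: TARPIT IPv4 ARP_REPLY for 172.17.2.50 sent to 172.17.2.9 [00:11:22:33:44:55]",
    "Mar  1 10:00:01 lb1 bng: TARPIT IPv4 TCP_SYNACK for 172.17.2.50/22 sent to 172.17.2.9/40112 [00:11:22:33:44:55]",
    "Mar  1 10:00:02 lb1 bng: TARPIT IPv4 TCP_SYNACK for 172.17.2.50/80 sent to 172.17.2.9/40113 [00:11:22:33:44:55]",
    "Mar  1 10:00:02 lb1 bng: TARPIT IPv4 TCP_SYNACK for 172.17.2.51/22 sent to 172.17.2.9/40114 [00:11:22:33:44:55]",
    "Mar  1 10:00:05 lb1 bng: TARPIT IPv6 UDP_PACKET for 2001:db8:1111::2:77/53 received from 2001:db8:1111::2:9/5353 [00:11:22:33:44:66]",
    "Mar  1 10:00:06 lb1 bng: some unrelated message",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

A single hit from a source usually points to a misconfigured node, while many distinct targets from one source in a short time matches the scan and worm behaviour the tarpit is meant to expose.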

The address information of existing and simulated addresses is kept in the session table. With a valid master/backup configuration and bngsync session table synchronisation, the tarpit functionality therefore becomes highly available automatically.

Step 1: Inserting the tarpit module into the module chain

The tarpit module needs to be inserted between the “master” and “slb” module to become available as follows:

...
modules   vrrp,arp,ping,hc,master,tarpit,slb,tnat,nat,rt
...

Step 2: Activating the tarpit functionality for the desired networks

The directive “tarpit enable” needs to be added to the network sections that should be processed.

The following example sets up network 3, the IPv6 link-local address segment, for tarpit processing:

...
network   3 {
          mask6 10
          real6 fe80::f001
          virt6 fe80::f002
          tarpit enable
          interface 1
}
...
register  networks ...,3,...
enable    networks ...,3,...
...

The following excerpt shows how to set up a combined IPv4/IPv6 network for tarpit processing which is used as VRRP network at the same time:

...
network   1 {
          name "local network"
          addr 172.17.2.0
          mask 255.255.255.0
          real 172.17.2.101
          virt 172.17.2.100
          mask6 48
          real6 2001:db8:1111::2:1
          virt6 2001:db8:1111::2:0
          syncpeer 2001:db8:1111::2:2
          tarpit enable
          interface 1
}
...

Step 3: Exempting any addresses of the BalanceNG host's IP stack

If any IP address of the host running BalanceNG is within a “tarpitted” network, those addresses need to be exempted with the “arp” command. This is due to the fact that BalanceNG’s IP stack co-exists with the IP stack of the host OS and they are not connected by default.

This excerpt shows how to exempt two addresses bound to the local Linux interface of the host:

...
arp       fe80::20e:cff:fe6c:ba4a
arp       ::ffff:172.17.2.80
...

After setting up the second node accordingly (if needed) and restarting (e.g. with “bng restart”), the tarpit is functional. Please consult the BalanceNG manual for further information and check the description of the “tarpitrealto” and “tarpittrapto” parameters.