IDS Rabbit Hole
Distracted from real tasks, I've spent about 3 hours looking for an HTTP tarpit I can put on my server to attempt to curb abuse scanning.
I noticed a flurry of web logs fill my screen as I watched for other things: a bevy of WordPress PHP attempts. They were all dealt with quickly, but a wave of frustration washed over me. This is a bit of what I noted in a previous mention: the intrusion detection systems see them, but can't stop them.
In the past, I've played with honeypots and tar pits to try to keep abuse at bay. A honeypot is usually used to gather information about abuse, typically offering seemingly realistic (if not real) responses; later analysis uses the gathered details to work on future prevention. A tar pit is used to deter abuse by slowing a system down. I use a tar pit on my mail server. It will accept a connection and then pause for two seconds before continuing without further planned interruption. The legit mail servers will endure the delay. For the abusers, though, it seems that time is money and they'll surrender the connection instead of waiting to emit their garbage.
I thought I could try to do the same on the HTTP servers, perhaps slowing or stopping the abuse, since a scripted flurry of attempts might wait for each request to finish before sending the next. I found this promising HTTP Tarpit project on GitHub (https://github.com/msigley/PHP-HTTP-Tarpit) that offers a few different ways to annoy the scanners, including just being slow, spewing random garbage, filling their day with endless redirection, and some other things. I liked it enough that I thought I might give it a whirl.
The problem is that not many of my servers run PHP. This started my rabbit hole.
I thought maybe to set up each server with its own. I thought also to set up one tar pit server and add a reverse proxy to each server. I thought about providing a FaaS function to do the same, offering an opportunity to avoid resource starvation in a single container. If I was going to consider a different tar pit, I started thinking of different languages and frameworks to use, and different features I might want. Maybe instead of random garbage, I could entertain concepts of delivering well-formatted, but never-ending, HTML content. A huge table with random data in it seemed easier than coming up with meaningful-looking content. I tossed around maybe leveraging my usually idle LLM to spew out stuff.
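To make the two ideas above concrete (the two-second pause from the mail tar pit and the well-formed but never-ending HTML table), here is an added example of a minimal HTTP tar pit in Python; it is not code from this post or from the PHP-HTTP-Tarpit project, and the probe-path list and port 8080 are constructed assumptions.

```python
# Added example, not from the post or the PHP-HTTP-Tarpit project: a minimal
# HTTP tar pit that serves a slow, never-ending HTML table to scanner paths.
import random
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

INITIAL_DELAY = 2.0   # seconds before the first byte, like the mail tar pit
ROW_DELAY = 1.0       # seconds between table rows; keeps the scanner waiting
PROBE_PREFIXES = ("/wp-", "/xmlrpc.php")  # constructed sample of probe paths

def looks_like_probe(path: str) -> bool:
    """Only trap requests for paths this server never serves anyway."""
    return path.startswith(PROBE_PREFIXES)

def table_rows(seed=None, limit=None):
    """Yield well-formed HTML: an opening fragment, then table rows forever
    (or `limit` rows, for testing). The document is never closed on purpose."""
    rng = random.Random(seed)
    yield "<html><body><table>\n"
    sent = 0
    while limit is None or sent < limit:
        cells = "".join(f"<td>{rng.randrange(10**6)}</td>" for _ in range(4))
        yield f"<tr>{cells}</tr>\n"
        sent += 1

class TarpitHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # chunked transfer encoding needs HTTP/1.1

    def do_GET(self):
        if not looks_like_probe(self.path):
            self.send_error(404)  # ordinary traffic gets the usual 404
            return
        time.sleep(INITIAL_DELAY)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Transfer-Encoding", "chunked")  # no length: open-ended
        self.end_headers()
        try:
            for row in table_rows():
                chunk = row.encode()
                self.wfile.write(b"%x\r\n%s\r\n" % (len(chunk), chunk))
                self.wfile.flush()
                time.sleep(ROW_DELAY)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the scanner gave up, which is the desired outcome

if __name__ == "__main__":
    # Caveat: each trapped client holds a thread open, so cap concurrency or
    # isolate the tar pit (its own container) before exposing it. Port 8080 assumed.
    ThreadingHTTPServer(("0.0.0.0", 8080), TarpitHandler).serve_forever()
```

The thread-per-stuck-client cost is exactly the resource-starvation concern that makes a separate container or function attractive.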
After a few hours, I figured I'd spent more time reading and poking than my server had noticing the requested files don't exist and returning the 404s that should let the scanners know there's no (basic) Wordpress site on my server.
So I thought I'd make a quick note acknowledging that I'd been put in a tar pit, and try to remember to avoid jumping in again in the future.