Inlab Networks : BalanceNG: Example 18 (Implementing a high available tarpit for IPv4 and IPv6 with the tarpit module)
   - Example 1
   - Example 2
   - Example 3
   - Example 4
   - Example 5
   - Example 6
   - Example 7
   - Example 8
   - Example 9
   - Example 10
   - Example 11
   - Example 12
   - Example 13
   - Example 14
   - Example 15
   - Example 16
   - Example 17
   - Example 18
   - Example 4-1
License Shop
Key Factory
Change History
OEM Systems
BalanceNG - The Software Load Balancer

The Software Load Balancer and Embeddable ADC

10 Years BalanceNG

BalanceNG certified system
Thomas-Krenn LoadBalancer
certified OEM Load-Balancers


Implementing a high available tarpit for IPv4 and IPv6 with the tarpit module

The tarpit module allows you to implement a high available tarpit for IPv4 and IPv6 with BalanceNG in parallel to any load-balancing functionality.

NOTE: The tarpit module and functionality is available with BalanceNG 3.566 and higher.

The tarpit module implements the following functionality on the "tarpit enabled" IPv4 or IPv6 networks:

  • ARP and ND6 requests are answered if the address is not represented by BalanceNG itself and if it can be proven that there is no other machine representing this address at the time the ARP or ND6 request is being received.
  • ICMP4 and ICMP6 ECHO REQUESTS are answered if received on such a virtual represented address.
  • TCP open requests on any port on such a virtual represented address are processed without any further consumption of internal memory for state information by answering with a corresponding SYN-ACK TCP packet.
  • UDP packets received on any port are logged without any further action.

The tarpit functionality may be useful - for example - for the following purposes:

  • Identifying misconfigured nodes.
  • Blocking and/or slowing down internet worms, network scans and portscans.
  • Identifying internal "snooping around" by any human or automatic functionality.
  • Notifying the system administration staff of any occurence of such events.

The following list shows the possible messages logged to the BalanceNG log and the syslog with LOG_WARNING level:

  TARPIT IPv4 ARP_REPLY for IPv4_addr sent to IPv4_addr [MAC_addr]
  TARPIT IPv4 ECHO_REPLY for IPv4_addr sent to IPv4_addr [MAC_addr]
  TARPIT IPv4 TCP_SYNACK for IPv4_addr/port sent to IPv4_addr/port [MAC_addr] 
  TARPIT IPv4 UDP_PACKET for IPv4_addr/port received from IPv4_addr/port [MAC_addr]

  TARPIT IPv6 ND6_REPLY for IPv6_addr sent to IPv6_addr [MAC_addr]
  TARPIT IPv6 ECHO_REPLY for IPv6_addr sent to IPv6_addr [MAC_addr]
  TARPIT IPv6 TCP_SYNACK for IPv6_addr/port sent to IPv6_addr/port [MAC_addr] 
  TARPIT IPv6 UDP_PACKET for Ipv6_addr/port received from IPv6_addr/port [MAC_addr]

The address information of existing and simulated addresses is kept in the session table, thus with a valid master/backup configuration and session table synchronization the tarpit functionality becomes high available automatically.

Step 1: Inserting the tarpit module into the module chain

The tarpit module needs to be inserted between the "master" and "slb" module to become available as follows:

  modules   vrrp,arp,ping,hc,master,tarpit,slb,tnat,nat,rt

Step 2: Activating the tarpit functionality for the desired networks

The directive "tarpit enable" needs to be added to the network sections that should be processed.

The following example sets up network 3 the IPv6 link local address segment for tarpit processing:

  network   3 {
            mask6 10
            real6 fe80::f001
            virt6 fe80::f002
            tarpit enable
            interface 1
  register  networks ...,3,...
  enable    networks ...,3,...

The following example shows how to set up a combined IPv4/IPv6 network for tarpit processing which is used as VRRP network at the same time:

  network   1 {
            name "local network"
            mask6 48
            real6 2001:db8:1111::2:1
            virt6 2001:db8:1111::2:0
            syncpeer 2001:db8:1111::2:2
            tarpit enable
            interface 1

Step 3: Exempting any addresses of the BalanceNG host's IP stack

If any IP address of the host running BalanceNG is within a "tarpitted" network, those addresses need to be exempted with the "arp" command. This is due the fact that BalanceNG's IP stack co-exists with the IP stack of the host OS and they are not connected by default.

This example shows how to exempt two addresses bound to the local Linux interface of the host:

  arp       fe80::20e:cff:fe6c:ba4a
  arp       ::ffff:

After setting up the second node accordingly (if needed) and a restart (e.g. with "bng restart") the tarpit is functional. Please consult the BalanceNG manual for further information and check the description of the "tarpitrealto" and "tarpittrapto" parameters.

Please contact us in case of any questions, errors or suggestions at

Copyright © 1991-2016,2017 by Inlab Networks GmbH, All Rights Reserved - Impressum - Widerrufsrecht - Sitemap - Internal