Tarpit is the process of delaying the incoming requests coming from those clients who are identified as suspicious. It intentionally delays handling of incoming requests from suspicious clients, and slows down and drops requests based on their risk scores or any other malicious activities, such as attacks for which Follow Up Action is configured as Tarpit Client.
The Barracuda Web Application Firewall puts suspicious and bad clients into Tarpit in the following cases:
- The risk score of the client has crossed the suspicious value.
- An attack is detected for which Follow Up Action is configured as Tarpit Client under Action Policy.
A client is considered to be suspicious when their risk score crosses the default value of 60, or when it performs any malicious activity like an attack. If risk score crosses 80, it is considered to be a BOT or a BAD client.
When the client is put into Tarpit, the configured number of active and backlog requests are served by the Barracuda Web Application Firewall. If the number of requests (other than configured) coming for the same client increases, they are dropped in Tarpit. The client should remain in Tarpit until the inactivity timeout duration configured is met.
Configure Tarpit for a Client
- Go to the SECURITY POLICIES > Tarpit Client page.
- In the Backlog Requests Limit box, specify number of requests that should be held in a backlog and are served from a tarpitted client.
- Values: 0 to 100
- Recommended: 50
- In the Tarpit Inactivity Timeout box, specify the time in seconds for idle timeout, after which the client is removed from Tarpit.
- Values: 300 to 36000 secs
- Recommended: 300
- In the Tarpit Delay Interval box, specify the tarpit delay interval for the client that is in the tarpit. When the tarpit delay interval is set, the backlog number of requests is delayed for that interval. For example, if the Tarpit Delay Interval is configured as 20 seconds and the backlog as 50 number of requests, and if the client is in the tarpit, then 50 requests will be delayed for 20 seconds. In other words, 50 backlog requests will be sent to the server after 20 seconds only.
- Values: 10 secs