Pen 0.32.0 released

Available here:


And also here:


Pen 0.32.0 adds tarpit functionality to the Direct Server Return mode. The purpose of tarpitting is to make network scanning harder by producing lots of false positives.

Full list of changes from 0.31.1:

151123 Released 0.32.0.

151120 Added tarpit test case to testsuite.sh.

151117 Tarpit functionality to be used with the DSR mode.

151112 pen.1: removed obsolete -S option, updated defaults for -x and -L.


Tarpit support in Pen

Pen 0.32 will have built-in tarpit support in its Direct Server Return mode. The feature is enabled by specifying an access control list against which incoming requests are matched. Matching destination addresses will make Pen do two things:

1. Reply to ARP requests to such addresses.
2. Reply to TCP SYN with SYN+ACK.

The idea behind tarpitting is to slow down network scanning by giving lots of false positives. Pen does this with very little load and without having to manage any state.

Here is an example command line.

pen -df -O "acl 1 permit" -O "tarpit_acl 1" -O "dsr_if eth1"

Let’s go through that option by option.

acl 1 permit creates an entry in access list 1 which matches IP address All other IP addresses will be rejected.

tarpit_acl 1 makes Pen use access list 1, the one with as its sole entry, to match destination addresses.

dsr_if eth1 makes Pen use eth1 as the network interface where all direct server return processing is performed. is the address and port where Pen listens for legitimate requests. They will be forwarded to the backend servers. and are the backend servers. They have web servers listening on port 80 and IP address configured on a loopback interface. See the Wiki.

Let’s try making a legitimate request.

ulric@debtest:~/Git/pen$ curl

That worked fine. Frames from us go to Pen, Pen forwards them to one of the web servers, the web server replies directly to us. In Wireshark we see:


But what happens when we try the same thing on a tarpitted address?

ulric@debtest:~/Git/pen$ curl

It just hangs. We send SYN, Pen replies with SYN+ACK, we send ACK and think that the TCP handshake is done. So we send the HTTP request, which Pen ignores. We send it again. Pen ignores it again, and so on. Here’s what that looks like in Wireshark:


Access control lists are a very flexible way to control the tarpit functionality in Pen and have it tarpit every address in a subnet (except those that shouldn’t). As an example, think of a network with the following hosts:

gateway
web server 1
web server 2
load balanced address

The corresponding ACL would be created like this:

acl 1 deny
acl 1 deny
acl 1 deny
acl 1 deny

Anything Pen sees that is not destined for one of these addresses will be tarpitted.
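The following Python model is an added example, not code from Pen or from this post. It ties together the two things the post describes: the ACL that selects which destination addresses are tarpitted (the lone "acl 1 permit" entry earlier, and the four "acl 1 deny" entries just above), and the stateless TCP side of the tarpit (answer a bare SYN with SYN+ACK, drop everything else, keep no per-connection state). Two assumptions go beyond what the post states and are marked as such in the code: entries are evaluated in order with first match winning and no match yielding the opposite of the last entry, which reproduces both ACL examples; and an entry may carry a netmask. The addresses are constructed RFC 5737 documentation addresses, since the post's own addresses are not reproduced here; ARP handling is not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional
import random


@dataclass
class AclEntry:
    permit: bool
    network: IPv4Network


class Acl:
    """Ordered access list modelled on Pen's "acl N permit|deny address"."""

    def __init__(self) -> None:
        self.entries: List[AclEntry] = []

    def add(self, action: str, address: str, netmask: str = "255.255.255.255") -> None:
        # "permit"/"deny" plus an address, as on the page. The optional netmask
        # is an assumption of this model so that one entry can cover a subnet.
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action: {action}")
        net = IPv4Network(f"{address}/{netmask}", strict=False)
        self.entries.append(AclEntry(action == "permit", net))

    def matches(self, address: str) -> bool:
        """True when the destination address should be tarpitted."""
        addr = IPv4Address(address)
        for entry in self.entries:  # first matching entry decides
            if addr in entry.network:
                return entry.permit
        if not self.entries:
            return False
        # No match: assume the opposite of the last entry. This reproduces both
        # examples in the post: a lone "permit A" matches only A, and a list of
        # "deny" entries matches everything that is not listed.
        return not self.entries[-1].permit


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    payload: bytes = b""


def tarpit_reply(seg: Segment, acl: Acl, isn: Optional[int] = None) -> Optional[Segment]:
    """What a stateless tarpit sends back for one incoming segment.

    Only a bare SYN to a tarpitted destination gets a SYN+ACK. The ack number
    is derived from the SYN itself and the initial sequence number is picked
    on the spot, so nothing has to be remembered per connection. The client's
    ACK, its request and every retransmission are silently dropped.
    """
    if not acl.matches(seg.dst):
        return None  # not a tarpit address: Pen would forward this to a backend
    if "SYN" not in seg.flags or "ACK" in seg.flags:
        return None
    return Segment(
        src=seg.dst, dst=seg.src, sport=seg.dport, dport=seg.sport,
        seq=isn if isn is not None else random.getrandbits(32),
        ack=(seg.seq + 1) & 0xFFFFFFFF,
        flags=frozenset({"SYN", "ACK"}),
    )


def simulate_client(acl: Acl, client: str, server: str, retries: int = 3, isn: int = 4242) -> dict:
    """Replay the curl session from the post against the model.

    Returns whether the address was tarpitted, whether the client believes the
    handshake completed, and how many request segments went unanswered.
    """
    syn = Segment(client, server, 40000, 80, seq=1000, ack=0, flags=frozenset({"SYN"}))
    synack = tarpit_reply(syn, acl, isn=isn)
    if synack is None:
        # Not a tarpit address: Pen would forward the SYN to a backend, which
        # this model does not simulate.
        return {"tarpitted": False, "handshake": False, "unanswered": 0}
    # The client now thinks the handshake is done and sends its HTTP request.
    request = Segment(client, server, 40000, 80, seq=synack.ack,
                      ack=(synack.seq + 1) & 0xFFFFFFFF,
                      flags=frozenset({"PSH", "ACK"}), payload=b"GET / HTTP/1.1\r\n\r\n")
    # The original send and each retransmission get the same treatment:
    # silence. That is the "it just hangs" behaviour from the post.
    unanswered = sum(1 for _ in range(1 + retries) if tarpit_reply(request, acl) is None)
    return {"tarpitted": True, "handshake": True, "unanswered": unanswered}


def page_example_acl() -> Acl:
    """The four "acl 1 deny" lines from the post, with constructed addresses."""
    acl = Acl()
    for host in ("192.0.2.1",      # gateway
                 "192.0.2.11",     # web server 1
                 "192.0.2.12",     # web server 2
                 "192.0.2.100"):   # load balanced address
        acl.add("deny", host)
    return acl


if __name__ == "__main__":
    acl = page_example_acl()
    print(simulate_client(acl, "192.0.2.50", "192.0.2.100"))  # real service, forwarded
    print(simulate_client(acl, "192.0.2.50", "192.0.2.77"))   # unused address, tarpitted
```

The second simulation is the tarpitted curl from the post: SYN+ACK comes back, the client's request and its retransmissions get nothing, and the model never stored anything about the connection. A useful check when deploying this for real is exactly the pair of runs above: a legitimate address listed in the ACL must still be forwarded, and an unlisted one must answer only the SYN.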