Center for Measurement and Analysis of Network Data

Home | News | People | Projects | Papers | Data | Software : Degreaser

Degreaser is a tool to detect network tarpits, also known as "sticky honeypots," via active probing/fingerprinting. Currently, degreaser can reliably detect instances of LaBrea and iptables tarpit. Degreaser is currently under active development; please contact us for details or more information.


Among available network security defenses is the class of deceptive network strategies. More advanced deception includes not only providing a believable target, but actively influencing the adversary through deceit. Degreaser permits detection of network tarpits. We wish to understand how tarpits influence network measurement studies, and advance the realism of current network tarpits, thereby raising the bar on tarpits as an operational security mechanism.


  • Degreaser: A network scanning tool to detect tarpits.
  • Degreaser-iptables: A set of iptables-modules used to detect and avoid network tarpits.




We periodically probe large portions of the IPv4 Internet in a randomized fashion. These probes involve establishing the TCP three-way handshake (e.g. sending TCP SYN and SYN-ACK packets), terminating the TCP connection with a FIN, sending upto 19 bytes of data, and performing TCP window probing. While the exact sequence of probe packets varies (see our ACSAC paper for the full algorithm), in the common case we send only a single packet to a given IP address, and at most six packets. If you have received a degreaser probe from us and do not wish to be probed, please contact us with your netblock and we will add you to our do-not-probe list.
Center for Measurement and Analysis of Network Data