What’s better than preemptively protecting your applications? How about wasting the resources and time of those trying to attack you?
Attackers need source addresses to operate, and most of what they do shows up as activity from an IP address. They launch coordinated attacks such as Distributed Denial of Service (DDoS), where thousands of compromised devices flood a target with traffic to overwhelm its resources, and they scan systems for vulnerabilities before exploiting a weak point to gain unauthorized access.
To make that activity harder to trace, cybercriminals spoof source addresses or route through compromised hosts while infiltrating systems or spreading malware. Those compromised hosts are in turn used to control botnets, run phishing campaigns, or exfiltrate sensitive data, all while disguising where the actions really originate.
Today, we will show you how to protect your applications from these attackers exploiting IPs by installing the CrowdSec Security Engine and wasting their resources by sending them to a SpiderTrap Sinkhole where we will trap them in a controlled environment and continually send them fake data. This will deplete their bandwidth and computational power and increase their operational cost.
If you prefer a visual walk-through rather than an article, you can also watch this tutorial on our YouTube.
The setup
We start from a Debian box with Nginx and nothing else installed: a minimal setup with just a web server running.
Step 1 – Installing the Security Engine
The first thing we need to do is protect the system itself. We will install the CrowdSec Security Engine, which detects malicious behavior in the system’s logs and then blocks the IP performing it.
If you’re new to CrowdSec, the Security Engine is an open source software designed to detect and block malicious actors from accessing your systems. By analyzing logs and HTTP requests with predefined threat patterns known as scenarios, the Security Engine provides powerful protection. CrowdSec offers three core products: the Security Stack (which includes the Security Engine), Blocklists, and Cyber Threat Intelligence. In today’s tutorial, we’ll focus solely on the Security Stack.
To install it, navigate to doc.crowdsec.net and follow the guide for your operating system. For Debian, the first command adds the CrowdSec package repository (it pipes a remote script into a root shell, so fetch and read it first if your change policy requires that), and the second installs the package:
curl -s https://install.crowdsec.net/ | sudo sh
sudo apt install crowdsec
During installation, the setup wizard detects running services such as Nginx and writes the matching acquisition configuration (see /etc/crowdsec/acquis.yaml), so the Security Engine starts analyzing the Nginx log files for attacks right away.
Step 2 – Setting up a firewall Remediation Component
Now we must block the attackers. We will do this by installing a Firewall Remediation Component which you can grab from https://doc.crowdsec.net/u/bouncers/firewall.
Install the CrowdSec firewall Remediation Component based on iptables.
sudo apt install crowdsec-firewall-bouncer-iptables
The remediation component drives iptables, the standard Linux packet filter, whose rules dictate how packets are handled as they enter, pass through, or leave the server, together with ipset, which holds lists of addresses that a single iptables rule can match against. Make sure both packages are installed before continuing.
Now open the remediation component’s own configuration file (a YAML file for the component, not an iptables setting):
sudo vim /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
Change the mode to ipset. In this mode the component only keeps the IP sets in sync with CrowdSec’s decisions and adds no iptables rules of its own, which is what we want: we will write the rules that decide what happens to a listed address, so a plain block is no longer the only option.
mode: ipset
Create the IP sets the component will fill. The names must match the blacklists_ipv4 and blacklists_ipv6 keys in the same YAML file (their defaults are crowdsec-blacklists and crowdsec6-blacklists), so either set those keys to the names used here, or use the default names here and in the redirect rule later on. Whichever you choose, the set named in the redirect rule must be the one the component actually populates; otherwise decisions land in one set while the rule matches another, and nothing is ever redirected.
sudo ipset create crowdsec-blacklist hash:ip
sudo ipset create crowdsec6-blacklist hash:ip family inet6
Restart the firewall remediation component.
sudo systemctl restart crowdsec-firewall-bouncer
Verify that the sets exist. They will stay empty until the Security Engine issues its first decisions.
sudo ipset list
We’d like to not only block the attacker’s IP but do a sneaky maneuver (like we mentioned in the introduction) that will push them to a sinkhole where they will just be getting fake data and wasting their resources. So let’s see how to do just that.
Step 3 – Setting up a SpiderTrap sinkhole application
Now, we will set up a sinkhole application on our Debian box.
The purpose of a sinkhole application is to divert malicious traffic away from its intended target. Sinkholes are often used to analyze or mitigate attacks, such as botnets, DDoS attacks, or malware communication. A web sinkhole typically mimics a legitimate site but is tailored to ensnare bots, making them follow fake links, interact with fake services, or loop through endless pages.
First, change to the install location; we use /opt.
cd /opt
Then clone the SpiderTrap repository.
git clone https://github.com/adhdproject/spidertrap
Install Python 3 (if not already installed).
sudo apt install python3
Change ownership of the SpiderTrap directory to an unprivileged user so the sinkhole never runs as root. We reuse www-data here because it already exists on a box running Nginx; a dedicated account for the sinkhole is cleaner, since www-data is also the web server’s user.
sudo chown -R www-data:www-data /opt/spidertrap
Create a systemd service for SpiderTrap.
sudo vim /etc/systemd/system/spidertrap.service
And now add the following content.
[Unit]
Description=SpiderTrap Sinkhole Application
After=network.target
[Service]
User=www-data
ExecStart=/usr/bin/python3 /opt/spidertrap/spidertrap.py
Restart=always
[Install]
WantedBy=multi-user.target
Reload systemd and start the service.
sudo systemctl daemon-reload
sudo systemctl start spidertrap.service
sudo systemctl enable spidertrap.service
Verify the application is running on port 8000.
sudo netstat -tuln | grep 8000
Redirecting attackers to the sinkhole
Now configure iptables to redirect traffic from addresses in the CrowdSec set to SpiderTrap. The rule goes in the nat table’s PREROUTING chain, which only sees packets arriving from other hosts; connections made from the box itself are never redirected, so always test from a separate machine.
Append a NAT rule to redirect traffic.
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -m set --match-set crowdsec-blacklist src -j REDIRECT --to-port 8000
Block direct access to the sinkhole. Be careful here: the filter table’s INPUT chain is evaluated after the nat PREROUTING redirect, so it sees the redirected attackers’ packets with destination port 8000 as well, and a plain match on --dport 8000 would drop them along with everyone else. Match instead on the original destination port that conntrack recorded before the redirect, which is 80 for redirected connections and 8000 only for someone connecting to the sinkhole directly:
sudo iptables -I INPUT -p tcp -m conntrack --ctstate NEW --ctorigdstport 8000 -j DROP
And verify the rules. Both the sets and the rules live only in the running kernel: unless you persist them (on Debian, the iptables-persistent and ipset-persistent packages do this) or recreate them at boot, they are gone after a reboot.
sudo iptables -t nat -L
sudo iptables -L
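To tie steps 2 and 3 together, here is a small script (an added example for this tutorial, not code from CrowdSec or SpiderTrap) that reads the IPv4 set name from the remediation component’s YAML, prints the rules for review, and applies them idempotently. It assumes the configuration path /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml and its blacklists_ipv4 key, the web server on port 80 and SpiderTrap on port 8000; all of these can be overridden through environment variables. Compared with the commands typed above it does three extra things: it creates the set as hash:net with timeout support if it is missing, it matches direct hits on the sinkhole by conntrack’s original destination port so redirected connections survive, and it drops all other traffic from listed addresses, since in ipset mode the component installs no block rule of its own.

```shell
#!/bin/sh
# sinkhole-rules.sh: plan, apply and sanity-check the sinkhole firewall rules.
# Added example for this tutorial; not part of CrowdSec or SpiderTrap.
# Assumptions (not stated in the post): the remediation component's YAML is at
# $BOUNCER_CFG and names its IPv4 set under "blacklists_ipv4", the web server
# listens on $WEB_PORT and SpiderTrap on $SINK_PORT.
#
# Usage:  sh sinkhole-rules.sh plan        # print the rules, change nothing
#         sudo sh sinkhole-rules.sh apply  # create the set if missing, add rules

WEB_PORT=${WEB_PORT:-80}
SINK_PORT=${SINK_PORT:-8000}
BOUNCER_CFG=${BOUNCER_CFG:-/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml}

# Read the IPv4 set name from the component's YAML, so the NAT rule can never
# silently match a set that the component does not fill.
bouncer_set_name() {
    sed -n 's/^[[:space:]]*blacklists_ipv4:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# Print one rule per line as "<table> <chain> <args>":
#  1. redirect web traffic from listed sources to the sinkhole;
#  2. drop direct connections to the sinkhole.  filter/INPUT runs after
#     nat/PREROUTING and sees the post-redirect port, so "--dport $SINK_PORT
#     -j DROP" would drop the redirected attackers too.  conntrack keeps the
#     original destination port ($WEB_PORT for redirected connections,
#     $SINK_PORT for direct ones), so matching on that drops only direct hits;
#  3. drop everything else from listed sources except redirected connections
#     (conntrack's virtual DNAT state), because in ipset mode the component
#     installs no block rule of its own.
rule_specs() {
    set_name=$1
    printf '%s\n' \
      "nat PREROUTING -p tcp --dport $WEB_PORT -m set --match-set $set_name src -j REDIRECT --to-ports $SINK_PORT" \
      "filter INPUT -p tcp -m conntrack --ctstate NEW --ctorigdstport $SINK_PORT -j DROP" \
      "filter INPUT -m set --match-set $set_name src -m conntrack ! --ctstate DNAT -j DROP"
}

# Create the set if it does not exist.  hash:net also stores range decisions,
# and "timeout 0" enables per-entry timeouts for the decision duration.
ensure_set() {
    ipset list -n 2>/dev/null | grep -qx "$1" || ipset create "$1" hash:net timeout 0
}

# Append a rule only if an identical one is absent (-C), so re-running the
# script, e.g. from a boot-time unit, never duplicates rules.
apply_rule() {
    table=${1%% *}
    spec=${1#* }
    # shellcheck disable=SC2086  # splitting the spec into arguments is intended
    iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -A $spec
}

main() {
    set_name=$(bouncer_set_name "$BOUNCER_CFG")
    if [ -z "$set_name" ]; then
        echo "no blacklists_ipv4 entry found in $BOUNCER_CFG" >&2
        return 1
    fi
    case "$1" in
        plan)
            rule_specs "$set_name" ;;
        apply)
            ensure_set "$set_name" || return 1
            while IFS= read -r rule; do
                apply_rule "$rule" || return 1
            done <<EOF
$(rule_specs "$set_name")
EOF
            ;;
        *)
            echo "usage: $0 plan|apply" >&2
            return 2 ;;
    esac
}

# Dispatch only when an action is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `sh sinkhole-rules.sh plan` to see the rules it would add and `sudo sh sinkhole-rules.sh apply` to install them. The same three rules need an ip6tables counterpart using the blacklists_ipv6 set for IPv6 traffic, and a boot-time unit that calls apply if you do not persist the rules some other way.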
Step 4 – Now we test
Use an attacking machine to simulate malicious traffic. In this example we use FeroxBuster, a content-discovery tool that requests every path from a wordlist and reports which ones the web server answers for.
Note: Please use the following instructions on the infrastructure you own or have explicit consent to do this from the owner.
First, on the attacking machine, we will create a testing directory using mktemp.
cd $(mktemp -d)
Next, we will download the tool FeroxBuster and a wordlist.
wget -O- -q https://github.com/epi052/feroxbuster/releases/download/v2.11.0/x86_64-linux-feroxbuster.tar.gz | tar xz
chmod +x feroxbuster
wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/common.txt
Time to launch the tool and enumerate our webserver.
./feroxbuster -w ./common.txt -u http[s]:// -x php
At first the web server simply answers with 404 response codes. After enough of them in a short window, the Security Engine’s HTTP scenarios flag the scanner and issue a ban decision against its IP. You can watch for the decision with:
sudo cscli decisions list
Once a decision is in place, FeroxBuster’s output starts growing, because SpiderTrap answers every path as if the directory existed. Those results are worthless; they only inflate the list and mislead the attacker. Note that NAT is decided on a connection’s first packet, so requests on connections that were already open keep reaching Nginx until they close, while every new connection from the listed address goes to SpiderTrap.
If the attacker restarts the tool, they are already on the decision list and land in SpiderTrap straight away.
Wrapping up
With this setup you have a SpiderTrap sinkhole that wastes attackers’ bandwidth and computing time and raises their operational cost by serving them nothing but fake data, while CrowdSec keeps monitoring the logs and blocking malicious activity. Beyond the stronger defense, it gives you a view of the attack patterns hitting your server. Keep the system updated, and always test the configuration from a separate machine to confirm that real clients still reach Nginx and listed addresses land in the trap.
You can also visualize the data on the attackers you’ve blocked by signing up to the CrowdSec Console.