Working on some poison-as-a-service (PaaS). Looking to launch in the next few days.
Also working on a zip bomb, to randomly scatter in among the links.
Thanks to @anaiscrosby I came across this excellent method, using LZ77:
https://natechoe.dev/blog/2025-08-04.html
TBH I was just going to `dd if=/dev/urandom` my way to a titanic RAM flooding *.gz, but am getting great results with the above, and with bonus site data honey inside to keep bots on the chase.
@anaiscrosby After seeing ChatGPTBot blow 123 seconds on my drip-feed poison tarpit and then never come back, I got reading on how modern LLM scrapers might employ mechanisms to detect tarpits and blacklist.
During research I came across this tarpit evading scraper that provides some interesting insights into how modern LLM scrapers might do this.
https://github.com/Draconiator/Ipema
This gives me pause and has me looking at other solutions for counter-detection.
The GeoCities CSS is going nowhere.
@anaiscrosby Running a non-Markov tarpit for half an hour on one public link, and already have Claude lost in my swamp. Waiting to see if it runs into my ZIP bomb.
---
216.73.216.124 - - [07/Apr/2026:03:28:49 +0200] "GET /tarpit/until/same/drive/harmattan_leftmost_intranscalency_few_ministries_few_between HTTP/2.0" 200 10132 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; [email protected])" "-"
---
@anaiscrosby It hit it, but I guess decompressed in a thread. It's a 127M archive that decompresses to 128GB. The bot kept scraping for a bit and then dropped off. Difficult to know if it was a discouragement.
Strange is that soon after, other IPs were reaching statistically non-guessable randomly generated URL paths, without touching the webroot or any other tarpit URL prior. They all had iOS UA strings (readily forged).
It is quite wild how persistent Claude is, and an eerie feeling watching it just roam ever deeper into the endless rhizome of generated linked pages. It's been like this for a couple of hours now, and is not touching any other pages on the server, solely those in the tarpit. So that PoC does seem to check out.
CPU spikes are worrying, so will need to work the threading a bit and provision a couple more cores.
It has a rhythm of ~10-15s gorging, then a pause for 20-30s, and then at it again.
@ink Glad you also see the mystery in it. Without getting too conspiratorial, it did occur to me that there may be a private backhaul sharing URL paths with probes under fake UAs.
BTW, still going. It's endless now, no pauses. This screenshot is from 10 mins ago or so.
@ink I will do some active probing myself on those endpoints tomorrow.
Terrible opsec here, talking it out loud on the fedi, but this is the wild west so let's go
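
One way to surface the "cold" tarpit hits described above (clients whose very first request is a generated tarpit URL, with no visit to the webroot or any other tarpit page before it), as an added example that is not part of the thread. The log shape and the `/tarpit/` prefix follow the line quoted above; the entry path `/tarpit/start`, the IPs, paths and user agents are constructed, and the log is assumed to be in chronological order.

```python
import re

# Access-log shape as in the line quoted in the thread:
# ip - - [ts] "METHOD path proto" status bytes "referer" "user-agent" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def cold_tarpit_hits(lines, tarpit_prefix="/tarpit/", entry_paths=()):
    """Return (ip, path, ua) for clients whose first logged request is a
    generated tarpit URL, with no referer and no earlier request at all."""
    first_request = {}
    for line in lines:  # assumes chronological order
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped
            first_request.setdefault(m["ip"], m)  # keep earliest per IP
    hits = []
    for ip, m in first_request.items():
        path = m["path"]
        # entry_paths are the publicly linked tarpit URLs (assumed known)
        generated = path.startswith(tarpit_prefix) and path not in entry_paths
        if generated and m["referer"] in ("", "-"):
            hits.append((ip, path, m["ua"]))
    return hits

# Constructed sample log (documentation IP ranges, made-up paths and UAs).
IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"
BOT = "Mozilla/5.0 (compatible; ExampleBot/1.0)"

def _line(ip, path, referer, ua):
    return (f'{ip} - - [07/Apr/2026:03:30:00 +0200] "GET {path} HTTP/2.0" '
            f'200 10132 "{referer}" "{ua}" "-"')

SAMPLE_LOG = [
    _line("192.0.2.10", "/tarpit/start", "-", BOT),                # crawler enters
    _line("192.0.2.10", "/tarpit/alpha/bravo/charlie_delta", "-", BOT),
    _line("198.51.100.7", "/tarpit/alpha/bravo/echo_foxtrot", "-", IOS),  # cold
    _line("203.0.113.5", "/", "-", IOS),                           # webroot first
    _line("203.0.113.5", "/tarpit/start", "https://example.test/", IOS),
    _line("198.51.100.8", "/tarpit/golf/hotel_india", "-", IOS),   # cold
]

if __name__ == "__main__":
    for ip, path, ua in cold_tarpit_hits(SAMPLE_LOG, entry_paths={"/tarpit/start"}):
        print(ip, path, ua)
```
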