
Tarpit

A tarpit is a defensive control that deliberately slows suspicious connections instead of dropping them, holding the attacker's sockets open and unproductive. A TCP tarpit answers with a tiny or zero window so the peer can never send meaningful data, while higher-layer tarpits trickle responses to stall automated clients. The intent is to invert the economics of a flood: each malicious connection now ties up the attacker's own resources for as long as possible.

Why it matters in DDoS testing

Tarpitting can blunt slow-rate and connection-exhaustion attacks, but it is double-edged: holding state for attacker connections consumes defender memory too, and an aggressive tarpit can entangle legitimate clients behind shared NAT. A test characterizes where that balance breaks: the connection count at which the tarpit itself becomes the bottleneck. Validating these controls against realistic load is the core of DDoS resilience testing.
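To make the state trade-off concrete, here is an added example (not code from this page or from any product): a higher-layer tarpit that trickles one byte at a time but caps how many sockets it holds, closing the rest once the budget is spent. The class name, the cap values and the listening address are assumptions, and it assumes traffic reaching this listener has already been classified as suspicious.

```python
import asyncio
from collections import Counter

class BoundedTarpit:
    """Trickle-response tarpit that caps the state it is willing to hold."""

    def __init__(self, max_held=1000, max_per_source=20, delay=10.0, max_hold=600.0):
        self.max_held = max_held              # global cap on tarpitted sockets
        self.max_per_source = max_per_source  # cap per client address
        self.delay = delay                    # seconds between trickled bytes
        self.max_hold = max_hold              # release a socket after this long
        self.held = Counter()                 # address -> sockets currently held
        self.shed = 0                         # connections closed instead of held

    def admit(self, addr):
        """Return True if holding one more socket from addr stays within budget."""
        if sum(self.held.values()) >= self.max_held or self.held[addr] >= self.max_per_source:
            self.shed += 1
            return False
        self.held[addr] += 1
        return True

    def release(self, addr):
        self.held[addr] -= 1
        if self.held[addr] <= 0:
            del self.held[addr]

    async def handle(self, reader, writer):
        addr = writer.get_extra_info("peername")[0]
        if not self.admit(addr):
            writer.close()  # over budget: drop rather than let the tarpit exhaust memory
            return
        loop = asyncio.get_running_loop()
        deadline = loop.time() + self.max_hold
        try:
            while loop.time() < deadline:
                writer.write(b" ")       # one byte keeps the peer waiting for more
                await writer.drain()
                await asyncio.sleep(self.delay)
        except OSError:
            pass                         # peer gave up or reset first
        finally:
            self.release(addr)
            writer.close()

if __name__ == "__main__":
    async def main():
        tarpit = BoundedTarpit(max_held=500, max_per_source=10, delay=5.0)
        # Constructed setup: 127.0.0.1:8081 stands in for wherever flagged traffic is sent.
        async with await asyncio.start_server(tarpit.handle, "127.0.0.1", 8081) as srv:
            await srv.serve_forever()
    asyncio.run(main())
```

Under test load, the `shed` counter rising from zero marks the connection count at which the tarpit has stopped absorbing new connections and started dropping them.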