What is a Tarpit? How Cloudflare Tarpits Stop Cyber Pests in Their Tracks

If you run a website, you’ve probably heard of firewalls, CAPTCHAs, and bot filters. But there’s another defence that’s less well known, a little mischievous, and surprisingly effective: the tarpit.

What Exactly is a Tarpit?

Think of a tarpit like digital quicksand. When a suspicious visitor or bot stumbles into it, instead of being blocked outright, they’re slowly dragged down. Their requests are deliberately delayed, making their connection painfully slow or even useless. Meanwhile, your genuine visitors continue browsing with no issues at all.

Why Use a Tarpit?

Tarpits aren’t designed to block every attacker. Instead, they waste the attacker’s time and resources. Bots, scrapers, or brute force attempts get stuck waiting around, which often forces them to give up and move on. For malicious actors, time is money, and tarpits make the job unprofitable.

Cloudflare + Tarpits: A Perfect Match

Cloudflare already protects millions of sites from bad traffic. By combining Cloudflare’s firewall with a tarpit script, you can trap problem traffic automatically. For example:

• Requests from suspicious networks (like cheap cloud providers often abused by attackers)
• Traffic from known Tor exit nodes or proxy services
• Bots with shady fingerprints or mismatched headers

Instead of blocking them outright, Cloudflare workers can respond with a slow drip of fake content or simply “sleep” for 60 seconds before replying. To the bot, it feels like your site is unbearably slow. To you, it feels like peace and quiet.

Our Experience at The Reasonable Adjustment

We’ve recently implemented tarpits on our own domains after noticing a sharp rise in bot and probe activity following the submission of a pre-action legal letter. The timing wasn’t a coincidence. Automated tools from cloud platforms and anonymisers started hammering our site, likely to gather intel. Instead of panicking, we deployed tarpits.

The result? Bots that once blitzed through hundreds of requests now get bogged down in artificial quicksand. They waste their resources, our logs stay clean, and real visitors continue reading without disruption.

Will Real Visitors Notice?

No. That’s the beauty of tarpits. They’re applied only to traffic that matches suspicious patterns. Genuine visitors with normal browsers won’t even know they exist. Your site stays fast and responsive for everyone else.

Real-World Benefits

• Reduce brute force login attempts
• Slow down scrapers stealing your content
• Frustrate bots probing for vulnerabilities
• Add a silent layer of defence alongside your firewall

A Cybersecurity Trick With a Sense of Humour

There’s something satisfying about tarpits. Instead of slamming the door in a hacker’s face, you politely invite them in, then make them wait… and wait… and wait. By the time they realise, they’ve wasted minutes or even hours on nothing. It’s cyber defence with a touch of humour.

Conclusion

If you’re serious about protecting your website, a tarpit is worth considering. With Cloudflare’s flexibility, you can easily set up tarpits to target the traffic you don’t want, while keeping your real users happy. It’s a low-cost, high-impact way to make attackers regret ever knocking on your digital door.

Cybersecurity doesn’t always need to be complex. Sometimes, slowing down the bad guys is just as effective as locking them out. And tarpits prove exactly that — especially when your site suddenly becomes the target of unwanted attention.