AI Tarpits: Trap the Bots, But Don’t Bury Your Own Content

An AI tarpit is a web server technique that identifies misbehaving or aggressive crawlers and responds by serving them an endless labyrinth of synthetic, low-value pages. The goal is to consume their bandwidth and dilute the quality of any data they collect for training.

This approach exists in a gray area of the modern web. Some site owners use tarpits selectively against clearly abusive bots, while others avoid them entirely. A blanket “block everything with AI in the name” policy can backfire: the same rules that stop training crawlers like GPTBot can also block the retrieval/indexing bots that surface your content in ChatGPT, Perplexity, Google AI Overviews, and similar systems.

In 2026 the practical reality is nuanced. The relevant question isn’t simply “Should I deploy an AI tarpit?” but rather how to distinguish between different kinds of AI-related crawlers and decide which ones (if any) warrant defensive measures—without accidentally harming the visibility of your own site. Awareness of these distinctions helps operators make informed choices rather than reflexive ones.

What an AI tarpit actually does

Mechanically, a tarpit is three steps. First, it spots a suspect visitor, usually by user-agent string, by an unlinked honeypot path that only a non-rendering crawler would hit, or by a hidden link styled invisible to humans. Second, it serves a page of plausible-looking text. Third, every page links to more pages, each just unique enough to look novel, with no exit and no end. The crawler thinks it has struck content gold. What it has actually struck is a renderable hamster wheel engineered to look productive while teaching its model approximately nothing.

The four flavors, optimized for real-world performance (minimal headaches, maximum effect)

Tarpit-adjacent tools fall into two practical camps: poisoners (waste scraper compute + pollute data) and blockers (make them leave quickly). Both fight the same problem—unwanted AI crawlers ignoring robots.txt—but smart deployment turns them from resource hogs into low-maintenance defenses. The goal is asymmetric cost: cheap for you, expensive for them. Here's how to make them work without shooting yourself in the foot.

The poisoners: Nepenthes, Iocaine, Quixotic

These feed garbage or infinite loops to burn crawler bandwidth and poison datasets. Deploy them selectively behind robots.txt disallow rules or on dedicated trap paths to avoid hurting real users or search engines.

• Nepenthes (by Aaron B.): The aggressive headline act. It serves an infinite static maze of Markov-chain nonsense. Crawlers wander until their own logic (depth limits, timeouts) bails them out—sometimes for months.
  Headache-free version: Run it on a low-priority subdomain or /trap/ path. Tune generation to be deliberately slow but CPU-light (original design already does this well). Monitor your own server metrics; don't let it become your DoS. Warning: Aggressive use can get you deindexed by Google. Use as a honeypot, not on main content.
• Iocaine (by Gergely Nagy): Reverse-proxy wrapper on the tarpit idea. Nagy saw ~94% bot traffic drop on his personal site immediately (mostly AI crawlers). This is the most-quoted (and often misattributed) stat.
  Headache-free version: Layer it behind basic rate limiting or UA filtering. It's great for poisoning but combine with blocking so you're not endlessly generating garbage for sophisticated adapters. Keep it hidden from humans via path rules or headers.
• Quixotic (by Marcus Butler): The gentler, smarter poisoner. It obfuscates and poisons content without full infinite mazes—often pre-generates static garbage files. Ideal if you want deterrence over destruction.
  Headache-free version: Pre-generate poisoned versions of content once (saves CPU). Serve them only to suspicious traffic. This avoids live generation overhead and reduces collateral damage. Best for static sites.

The blocker: Anubis

Anubis, by Xe Iaso (January 2025), is the standout for most operators. It's a lightweight MITM reverse proxy that issues a Hashcash-style proof-of-work challenge for any visitor with "Mozilla" in the User-Agent—basically everything modern. Real browsers solve it invisibly in JavaScript. Headless and low-effort scrapers usually fail or give up.

By mid-2026, Anubis had 200,000+ downloads and adoption by GNOME, FFmpeg, UNESCO, SourceHut, and many Git forges and wikis under bot-induced denial of service pressure. Drew DeVault (SourceHut) put it best:

"Nepenthes has a satisfying sense of justice to it, since it feeds nonsense to the crawlers and poisons their wells, but ultimately Anubis is the solution that worked."

Headache-free deployment:

• Deploy as a fronting proxy (not inline on every request if possible).
• Tune difficulty low for humans—most modern browsers handle it in under 100ms.
• Add exceptions for known good bots (Googlebot, etc.) via allowlists.
• Combine with TLS fingerprinting and basic rate limiting for better accuracy.
• Monitor false positives—privacy browsers or JS-disabled users can get hit. Offer a bypass link or admin override.
• It's lightweight in Go and scales well, but test under load.

This approach shifts cost to the scraper without heavy poisoning overhead on your side.

Making the whole stack perform cleanly

• Layer them: robots.txt (honored by good actors) → rate limiting/fingerprinting → Anubis for blocking → selective tarpit/poison for persistent offenders.
• Measure everything: Track CPU, bandwidth, false positives. These tools shine when targeted, not blanket.
• Accept limits: Sophisticated crawlers adapt (stealth JS, proxies, paid human farms). These buy time and raise costs, but aren't forever walls. For critical content, consider authenticated access, watermarks, or closed APIs.
• Ethics/practicality: Poisoning is satisfying but risks polluting caches or running into legal gray areas. Blocking is cleaner for most sites.

Cloudflare changed the math (and corrected the technique)

On March 19, 2025, Cloudflare shipped AI Labyrinth, available on every plan including Free, as a single toggle in the bot-management dashboard. That moved the tactic from protest tech you self-hosted to a one-click feature on the world's largest CDN. The interesting part is the technical departure: Labyrinth does not use Markov chains. Cloudflare uses Workers AI to pre-generate real LLM-written pages on diverse, scientifically-accurate-but-irrelevant topics, stores them in R2, and serves them when bot activity is detected. Per Cloudflare's announcement, the pages are deliberately not misinformation. They are real factual content unrelated to the crawled site, served as expensive, off-topic noise.

The decoy links are injected into existing pages as hidden HTML invisible to humans. Any visitor who follows them is, with high confidence, a bot, and Cloudflare feeds that signal into its user and entity behavior analytics pipeline to fingerprint the offender across its network.

The five tools at a glance

The collateral damage problem

Tarpits and broad blocking carry an invoice nobody likes to read out loud. A Rutgers Business School and Wharton study published December 31, 2025, looked at 30 major newspaper sites including CNN, the New York Times, BBC, the Guardian, Fox News, and Daily Mail. Publishers that blocked AI crawlers via robots.txt saw a 23.1 percent decline in monthly visits and a 13.9 percent drop in human-only browsing. A later revision of the same study, using a weekly window instead of a monthly one, put the headline figure closer to 7 percent. The truth is in the measurement window, not the headline. Either way, the direction is clear: indiscriminate blocking shrinks the audience, including the human one, because retrieval-flavored AI traffic and AI-driven discovery are now part of how people find pages.

Most tarpits also cannot tell a training scraper from Googlebot, Bingbot, a price-monitoring script, or a perfectly legitimate research crawler. They detect by behavior, not by motive — closer to anomaly detection than identity verification. A sloppy deployment risks de-indexing on the search side, spam-filter penalties for thin generated content, and bandwidth bills you wrote yourself.

The binary that actually matters

Here is the part most write-ups miss. "AI bots" is not one category. It is at least two, and they want different things:

• Training scrapers read your content to bake it into a future model. Once it is in the model, you have no link, no citation, no traffic. Examples: GPTBot, ClaudeBot, CCBot, Meta-ExternalAgent, Google-Extended (when used for Gemini training).
• Retrieval bots index your content at query time to power retrieval-augmented generation pipelines: a real human asks a question, and your page becomes a cited source in the answer. Examples: OAI-SearchBot, ChatGPT-User, PerplexityBot, Google-Extended (when used for AI Overviews retrieval).

Treating both kinds the same is the whole problem. Block everything and you are protected from training and invisible to citation. Allow everything and you fund a training set that competes with you. The point of the per-user-agent toggle is that you no longer have to pick one bad outcome.

Why your content needs the citation, not just the click

The other half of this picture is what the search world calls Generative Engine Optimization (GEO), and what some people still call AEO (answer engine optimization). The idea is to be the source an AI tool quotes when a user asks a question, because in a world where Google AI Overviews already appear in 30 to 40 percent of queries, the click that used to land on your page now lands on Google's summary of your page. If you are not in the summary, you are not in the conversation.

The numbers behind the panic are real. Brandlight's research found that the overlap between top Google links and the sources cited inside AI answers has dropped from about 70 percent to under 20 percent. Conductor's 2026 survey of digital leaders reported that 97 percent see positive impact from GEO efforts, and that GEO now eats roughly 12 percent of the average digital marketing budget, with 32 percent of digital leaders calling it their top 2026 priority. Wikipedia accounts for 47.9 percent of ChatGPT's top citations on factual questions. Reddit accounts for 46.7 percent of Perplexity's top citations. Different model, different favorite watering hole, same underlying reality: source grounding is the new ranking.

If you tarpit the bot that would have cited you, you have just optimized your way out of the answer.

How to set per-user-agent policy without losing your mind

The actual implementation is less exotic than the philosophy. A practical 2026 setup looks like this:

1. Robots.txt as the polite layer. Explicitly disallow training crawlers. Explicitly allow retrieval crawlers. Use named user-agents, not a single User-agent: * directive that catches Googlebot.
2. Edge rules as the impolite layer. The polite crawlers will obey robots.txt. The impolite ones will not. That is what Cloudflare AI Labyrinth, Cloudflare's AI bot blocking, or Anubis on your origin are for — your gateway control when politeness goes ignored. Match by user-agent, by ASN where you can, and by behavioral fingerprint where you cannot.
3. Front-loaded answer-first content. Retrieval bots read the first chunk of a page to decide whether to cite. Put the answer in the first 200 words. Burying the lede now costs traffic from real humans and citations from the AI assistants the humans use.
4. Monitor what each bot actually does. If GPTBot keeps showing up despite a deny, your log monitoring will catch it — escalate to a hard block at the edge. If OAI-SearchBot shows up after you allow it, your GEO investment is starting to pay off.

Should you deploy a tarpit or not?

The thing nobody should do is fire any of these tools at the whole internet, walk away, and assume the SEO and AI-citation pipelines will sort themselves out. They will not. Per-bot policy is now table stakes — the baseline guardrail between your content and the models that want to train on it without attribution.

For most operators in 2026, the answer is "Cloudflare AI Labyrinth is a free toggle, turn it on, and pair it with a thoughtful robots.txt." If your hosting is already on Cloudflare, that is the lowest-friction path that gives you defense without inheriting the maintenance bill. If you self-host serious infrastructure that is buckling under crawler load (a Git forge, a wiki, a documentation site), Anubis is what the GNOME and FFmpeg teams reached for, and there is a reason. If your goal is more "send a message to the AI labs" than "keep my server up," Nepenthes and Iocaine are the protest-tech of choice, and they will satisfy that itch.

FAQ

Sources: Safe Web Research Install Guide on PCDrama, Cloudflare Blog: Trapping misbehaving bots in an AI Labyrinth, Cloudflare Docs: AI Labyrinth, Xe Iaso: Block AI scrapers with Anubis, Wikipedia: Anubis (software), TechCrunch: Open-source devs are fighting AI crawlers with cleverness and vengeance, The Register: Anubis fighting off the hordes of LLM bot crawlers, Hackaday: Trap Naughty Web Crawlers In Digestive Juices With Nepenthes, Hacker News: AI haters build tarpits discussion.