OpenBSD ships spamd, a greylister which also tarpits.
PF has the max-src-conn-rate state tracking option which is commonly use to blackhole scanners:
pass in on egress proto tcp to port ssh keep state \
(max-src-conn-rate 10/60, overload <scanners>)
block quick from <scanners>
Rather than blocking you could instead redirect new connections to a tar pit by replacing the block rule with something like
pass in on egress proto tcp from <scanners> to port ssh \
divert-to 127.0.0.1 port 2222
where your SSH tar pit service listens on 127.0.0.1:2222. This is basically the reverse of how spamd works, which diverts all inbound SMTP connections not in the <nospamd> table to spamd. When spamd's greylisting rules are satisfied it adds the sender's IP to <nospamd>.
IPv6 poses a problem for selective tar pitting, though. Realistically you need to tar pit at least /64 subnets, but even then it's not difficult to get your hands on a /48. But if you lumped /48s together you'd have a huge false positive problem. Also, AFAIU PF's state tracking capability can't track subnets, anyhow.
PF has the max-src-conn-rate state tracking option which is commonly use to blackhole scanners:
Rather than blocking you could instead redirect new connections to a tar pit by replacing the block rule with something like where your SSH tar pit service listens on 127.0.0.1:2222. This is basically the reverse of how spamd works, which diverts all inbound SMTP connections not in the <nospamd> table to spamd. When spamd's greylisting rules are satisfied it adds the sender's IP to <nospamd>.IPv6 poses a problem for selective tar pitting, though. Realistically you need to tar pit at least /64 subnets, but even then it's not difficult to get your hands on a /48. But if you lumped /48s together you'd have a huge false positive problem. Also, AFAIU PF's state tracking capability can't track subnets, anyhow.