Concerns about wording of man blackhole

Chuck Swiger cswiger at mac.com
Tue Feb 14 18:23:00 UTC 2006


Fabian Keil wrote:
> Chuck Swiger <cswiger at mac.com> wrote:
[ ... ]
>>> In which way does this protect against stealth port scans?
>> Returning a RST tells the scanner that the port is definitely closed.
>> Returning nothing gives less information.
> 
> As open ports still show up as open I don't see the protection.
> If some ports are open, the attacker can assume that all the
> "filtered" ports are closed.

Most people use a firewall because they are running services (and thus have open
ports) which they do not want the rest of the Internet to be able to connect to.

If there exists someone who assumes all "filtered" ports are closed, well,
wouldn't that fact demonstrate that the blackhole mechanism does help...?

>>> I don't understand why the "blackhole behaviour" would slow down
>>> a DOS attempt.
>> nmap is extremely well written, and can scan un-cooperative hosts
>> better than most other programs will.  Anything which uses a
>> protocol-compliant TCP/IP stack will retry dropped connections
>> several times if no answer is forthcoming, and will even do things
>> like try to make a connection without enabling any TCP or IP options
>> normally set by default.
>>
>> These reconnection attempts will greatly slow down attempts to scan
>> ports rapidly.
> 
> Which shouldn't result in a DOS anyway. The reconnection attempts
> will even increase the inbound traffic.

Yes, but to ports that aren't actually open.

It's relatively cheap and easy to process such packets by just dropping them,
compared with processing them in a userland daemon.  And I'd much rather have
malicious traffic heading towards a closed port than towards a critical service.

[ ... ]
>>> AFAICS the only thing it does is to decrease traceroute's
>>> usefulness and to turn closed ports into filtered ports which
>>> slows some kinds of port scans down for a few seconds.
>> Something using the OS to do TCP/IP is going to be slowed down by
>> roughly an order of magnitude, which includes many malware programs
>> like worms.
> 
> Again I don't see the gain. Eventually the port scan will be finished
> and open ports found.

If you can flip a sysctl which increases the time it takes for Slammer or Nimda
or some other worm to scan through all of the IPs on your network, the admins
there have more time to respond, and there is a better chance that AV software
will get updates to block the malware before too many systems get infected.

This is one of the main reasons why firewalls often drop connections rather than
returning ICMP host or port unreachable messages.

-- 
-Chuck
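As an added illustration that is not part of Chuck's or Fabian's messages, the following Python model compares a protocol-compliant connect() scanner working against closed ports that answer with RST versus ports whose SYNs are silently dropped (the blackhole behaviour discussed above). The RTT, initial RTO and SYN retry count are assumptions taken from RFC 6298 defaults, not FreeBSD's actual stack values.

```python
"""Model of why dropping SYNs to closed ports slows a compliant scanner
and how much extra inbound traffic the retransmissions add.
Added illustration; timing constants below are assumptions, not measured."""
import math

RTT = 0.05          # assumed round-trip time: a RST answer arrives after one RTT
INITIAL_RTO = 1.0   # assumed initial retransmission timeout (RFC 6298 default)
SYN_RETRIES = 3     # assumed number of SYN retransmissions before connect() gives up


def connect_attempt_time(port_state: str, rtt: float = RTT,
                         rto: float = INITIAL_RTO, retries: int = SYN_RETRIES) -> float:
    """Seconds one connect() spends on a single port.

    'closed'     -> peer answers RST, connect() fails after one RTT.
    'blackholed' -> SYN is dropped; the client retransmits with exponential
                    backoff and gives up only after the last RTO expires.
    """
    if port_state == "closed":
        return rtt
    if port_state == "blackholed":
        # initial RTO, then doubled for each retransmission: rto * (1 + 2 + 4 + ...)
        return sum(rto * 2 ** i for i in range(retries + 1))
    raise ValueError(f"unknown port state: {port_state}")


def probes_sent(port_state: str, retries: int = SYN_RETRIES) -> int:
    """SYN segments the scanner emits for one port: the extra inbound packets a
    blackholed host absorbs (cheaply, in the kernel) instead of answering."""
    return 1 if port_state == "closed" else retries + 1


def scan_time(n_ports: int, blackhole_enabled: bool, parallel: int = 1) -> float:
    """Wall-clock seconds to probe n_ports closed ports with `parallel`
    simultaneous connect() attempts (scanners like nmap probe concurrently)."""
    state = "blackholed" if blackhole_enabled else "closed"
    rounds = math.ceil(n_ports / parallel)
    return rounds * connect_attempt_time(state)


if __name__ == "__main__":
    for enabled in (False, True):
        label = "blackhole on " if enabled else "blackhole off"
        print(f"{label}: 1000 ports, 100 parallel -> "
              f"{scan_time(1000, enabled, parallel=100):.1f} s, "
              f"{probes_sent('blackholed' if enabled else 'closed')} SYN(s) per port")
```

With these assumptions a serial scanner spends 300 times longer per blackholed port than per RST-answered port, while sending four SYNs instead of one, which is the trade-off both sides of the thread are describing.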


