Concerns about wording of man blackhole

[Fabian Keil]

Chuck Swiger <cswiger at mac.com> wrote:

> Fabian Keil wrote:
> > |Normal behaviour, when a TCP SYN segment is received on a port
> > where |there is no socket accepting connections, is for the system
> > to return a |RST segment, and drop the connection.  The connecting
> > system will see |this as a ``Connection refused''.  By setting the
> > TCP blackhole MIB to a |numeric value of one, the incoming SYN
> > segment is merely dropped, and no |RST is sent, making the system
> > appear as a blackhole.  By setting the MIB |value to two, any
> > segment arriving on a closed port is dropped without |returning a
> > RST.  This provides some degree of protection against stealth |port
> > scans.
> > 
> > In which way does this protect against stealth port scans?
> 
> Returning a RST tells the scanner that the port is definitely closed.
> Returning nothing gives less information.

As open ports still show up as open I don't see the protection.
If some port are open, the attacker can assume that all the
"filtered" ports are closed.
 
> > I don't understand why the "blackhole behaviour" would slow down
> > a DOS attempt.
> 
> nmap is extremely well written, and can scan un-cooperative hosts
> better than most other programs will.  Anything which uses a
> protocol-compliant TCP/IP stack will retry dropped connections
> several times if no answer is forthcoming, and will even do things
> like try to make a connection without enabling any TCP or IP options
> normally set by default.
> 
> These reconnection attempts will greatly slow down attempts to scan
> ports rapidly.

Which shouldn't result in a DOS anyway. The reconnection attempts
will even increase the inbound traffic.
 
> > Is there a known DOS vulnerability in FreeBSD
> > which can be exploited by trying to connect to a closed port? 
> 
> Sending highly fragmented packets ("the Rose attack?") used to be
> quite effective against FreeBSD, although Andre Opperman or someone
> has improved the way FreeBSD handles fragment reassembly to be more
> efficient since then.
 
> > I can only think of filling up the connection with useless traffic,
> > but this is possible with every OS and turning the attacked system
> > into a so called blackhole wouldn't make a difference unless the
> > uplink is slower than the downlink and the attacker really floods
> > closed ports instead of open ones. 
> 
> Network bandwidth is not the only finite resource used in processing
> network traffic: exhausting memory of making the OS consume excessive
> amounts of CPU are also DOS mechanisms.

You're right, I didn't think about those. But it's unlikely that
"blackhole behaviour" would make a difference.

> > AFAICS the only thing it does is to decrease traceroute's
> > usefulness and to turn closed ports into filtered ports which
> > slows some kinds of port scans down for a few seconds.
> 
> Something using the OS to do TCP/IP is going to be slowed down by
> roughly an order of magnitude, which includes many malware programs
> like worms.

Again I don't see the gain. Eventually the port scan will be finished
and open ports found.

Fabian
-- 
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-doc/attachments/20060214/29d8a0f5/attachment.sig>