Concerns about wording of man blackhole

Fabian Keil freebsd-listen at fabiankeil.de
Wed Feb 15 15:07:35 UTC 2006 

I set Followup-To freebsd-questions.

Chuck Swiger <cswiger at mac.com> wrote:

> Fabian Keil wrote:
> > Chuck Swiger <cswiger at mac.com> wrote:
> [ ... ]
> >>> In which way does this protect against stealth port scans?
> >> Returning a RST tells the scanner that the port is definitely
> >> closed. Returning nothing gives less information.
> > 
> > As open ports still show up as open I don't see the protection.
> > If some port are open, the attacker can assume that all the
> > "filtered" ports are closed.
> 
> Most people use a firewall because they are running services (and
> thus have open ports) which they do not want the rest of the Internet
> to be able to connect to.

What does this have to do with "blackhole".  
 
> If there exists someone who assumes all "filtered" ports are closed,
> well, wouldn't that fact demonstrate that the blackhole mechanism
> does help...?
 
Help with what? From the attacker's point of view it makes little
difference if a port appears as filtered or closed.

> >>> I don't understand why the "blackhole behaviour" would slow down
> >>> a DOS attempt.
> >> nmap is extremely well written, and can scan un-cooperative hosts
> >> better than most other programs will.  Anything which uses a
> >> protocol-compliant TCP/IP stack will retry dropped connections
> >> several times if no answer is forthcoming, and will even do things
> >> like try to make a connection without enabling any TCP or IP
> >> options normally set by default.
> >>
> >> These reconnection attempts will greatly slow down attempts to scan
> >> ports rapidly.
> > 
> > Which shouldn't result in a DOS anyway. The reconnection attempts
> > will even increase the inbound traffic.
> 
> Yes, but to ports that aren't actually open.
> 
> It's relatively cheap and easy to process such packets by just
> dropping them, compared with processing them in a userland daemon.

What userland daemon?

> And I'd much rather have malicious traffic heading towards a closed
> port than towards a critical service.

Sure, but "blackhole behaviour" alone doesn't prevent malicious traffic
from reaching critical services.
 
> [ ... ]
> >>> AFAICS the only thing it does is to decrease traceroute's
> >>> usefulness and to turn closed ports into filtered ports which
> >>> slows some kinds of port scans down for a few seconds.
> >> Something using the OS to do TCP/IP is going to be slowed down by
> >> roughly an order of magnitude, which includes many malware programs
> >> like worms.
> > 
> > Again I don't see the gain. Eventually the port scan will be
> > finished and open ports found.
> 
> If you can flip a sysctl which increases the time it takes for
> Slammer or Nimda or some other worm to scan through all of the IP's
> on your network, the admins there have more time to respond, and
> there is a better chance that AV software will get updates to block
> the malware before too many systems get infected.

If you already have the firewall to drop those unwanted connections
you might as well just reset them.
 
Fabian
-- 
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-doc/attachments/20060215/0fa673a2/attachment.sig>

More information about the freebsd-doc mailing list