Concerns about wording of man blackhole

Fabian Keil freebsd-listen at fabiankeil.de
Thu Feb 16 03:20:53 PST 2006 

Chuck Swiger <cswiger at mac.com> wrote:

> Fabian Keil wrote:

> >> Most people use a firewall because they are running services (and
> >> thus have open ports) which they do not want the rest of the
> >> Internet to be able to connect to.
> > 
> > What does this have to do with "blackhole".  
> 
> The "blackhole" sysctl makes it somewhat harder for an intruder to
> figure out which ports are really closed versus which ports are being
> filtered, and how/where that filtering is being done.
> 
> Firewalls are used to make open ports appear "filtered" to external
> connection attempts.  Someone who assumes that all filtered ports are
> really closed is not making a correct assumption.

OK I didn't think about the problem that the firewall can't reset
the connection on behalf of a system behind it (at least I don't know
if there is a firewall which sends resets with faked IPs) and dropping
is the only way to go.

While reading man blackhole I was configuring PF on my laptop,
and with the possibility to let ports appear as closed, blackhole
doesn't look that good. 
 
> >> If there exists someone who assumes all "filtered" ports are
> >> closed, well, wouldn't that fact demonstrate that the blackhole
> >> mechanism does help...?
> >  
> > Help with what? From the attacker's point of view it makes little
> > difference if a port appears as filtered or closed.
> 
> A knowledgeable security analyst or a blackhat trying to crack the
> network would certainly not assume "closed" and "filtered" are the
> same thing.

You're right again, I was only thinking of the case where the firewall
is running on the target system and faking closed ports is as easy as
letting them appear as filtered.
 
> [ ... ]
> >>>> These reconnection attempts will greatly slow down attempts to
> >>>> scan ports rapidly.
> >>> Which shouldn't result in a DOS anyway. The reconnection attempts
> >>> will even increase the inbound traffic.
> >> Yes, but to ports that aren't actually open.
> >>
> >> It's relatively cheap and easy to process such packets by just
> >> dropping them, compared with processing them in a userland daemon.
> > 
> > What userland daemon?
> 
> The canonical example is inetd, but any process which listen()s on a
> port and accept()s incoming connections would qualify as a "userland
> daemon".

I know what a userland daemon is, but on a closed port there shouldn't
be one.
 
> >> [ ... ]
> >>> Again I don't see the gain. Eventually the port scan will be
> >>> finished and open ports found.
> >> If you can flip a sysctl which increases the time it takes for
> >> Slammer or Nimda or some other worm to scan through all of the IP's
> >> on your network, the admins there have more time to respond, and
> >> there is a better chance that AV software will get updates to block
> >> the malware before too many systems get infected.
> > 
> > If you already have the firewall to drop those unwanted connections
> > you might as well just reset them.
> 
> Unfortunately, a firewall can only affect traffic which passes by
> it.  There are plenty of cases where someone opens an attachment in a
> malicious email, which infects their system and causes it to
> scan/probe LAN IPs.
> 
> Having a firewall won't do a thing to protect you from local scans.
> Using "blackhole" on internal machines can help this scenario
> somewhat.

You mean just by slowing the scan down, or is there another effect
I didn't think of?

Fabian
-- 
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20060216/9d51fbc1/signature.bin

More information about the freebsd-questions mailing list