From owner-freebsd-security@FreeBSD.ORG Wed Jan 29 17:32:23 2014
Message-ID: <52E93941.7080002@hfbk-hamburg.de>
Date: Wed, 29 Jan 2014 18:24:17 +0100
From: sa9k063
CC: freebsd-security@freebsd.org
Subject: Re: portscans and blackhole
References: <52DD08F7.1000306@hfbk-hamburg.de> <52E910B0.4030606@wenks.ch>
In-Reply-To: <52E910B0.4030606@wenks.ch>
List-Id: "Security issues [members-only posting]"

Hello,

On 01/29/2014 03:31 PM, Fabian Wenk wrote:
>> net.inet.tcp.blackhole=1
>>
>> +Limiting closed port RST response from 348 to 200 packets/sec
>
> According to the blackhole(4) manpage (from a FreeBSD 9.1 system):
>
> ---8<------------------------------------------------------------
> SYNOPSIS
>      sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
>      sysctl net.inet.udp.blackhole[=[0 | 1]]
>
> Part of DESCRIPTION:
> system will see this as a “Connection refused”.  By setting the TCP
> blackhole MIB to a numeric value of one, the incoming SYN segment is
> merely dropped, and no RST is sent, making the system appear as a
> blackhole.  By setting the MIB value to two, any segment arriving on
> a closed port is dropped without returning a RST.  This provides
> some degree of protection against stealth port scans.

This added to the confusion and thus made me ask. The manpage says for
both values of net.inet.tcp.blackhole={1,2} that no RSTs are sent out.
Both seem to drop SYNs and suppress sending a RST. Reading it again, the
only conclusion I could get to regarding the difference between 1 and 2
would be that for a value of 2, all other TCP packets with flags other
than SYN are additionally ignored. Is this a better way to understand it?

> So it is possible, that you are hit with something else than SYN
> packets and should probably set net.inet.tcp.blackhole=2, or even
> with UDP packets, then also set net.inet.udp.blackhole=1.

This remains as a likely explanation, i.e. FIN scans etc.

> What output does 'sysctl -a | grep blackhole' show?

It used to be

net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 1

Since setting the tcp value to 2, no more messages like these popped up,
supporting your line of thought.

> bye
> Fabian

thank you,
Tee
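The distinction the thread settles on, as an added example that is not part of the mailing-list exchange above: the script below models the decision FreeBSD's tcp_input() makes for a segment that reaches a TCP port with no listening socket (a SYN is dropped when net.inet.tcp.blackhole is 1, everything is dropped when it is 2, a RST is sent otherwise), followed by a per-second cap on closed-port RSTs. That cap is assumed here to be net.inet.icmp.icmplim with its default of 200 packets/sec, which is what produces the "Limiting closed port RST response ..." console message quoted in the thread. The probe mix (the flag patterns a SYN, FIN, NULL, XMAS and ACK scan send) is constructed sample input, not captured traffic, and the counters are a simplification of the kernel's own accounting.

```python
"""Model of FreeBSD's closed-port handling under net.inet.tcp.blackhole.

Added example, not code from the FreeBSD kernel or from the thread. It
mirrors the check tcp_input() makes when a TCP segment arrives for a port
with no listening socket, followed by a per-second RST limit assumed to be
net.inet.icmp.icmplim (default 200), whose overflow logs the
"Limiting closed port RST response ..." message. The probe set below is
constructed sample input, not captured traffic.
"""
from collections import Counter

# TCP flag bits, as in <netinet/tcp.h>
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def closed_port_response(blackhole: int, thflags: int) -> str:
    """Return 'RST' or 'DROP' for a segment hitting a closed TCP port.

    blackhole=0: every segment is answered with a RST (normal behaviour).
    blackhole=1: only SYN segments are silently dropped; FIN/NULL/XMAS/ACK
                 probes still draw a RST, so a FIN scan is still answered.
    blackhole=2: any segment to a closed port is dropped without a RST.
    """
    if blackhole not in (0, 1, 2):
        raise ValueError("net.inet.tcp.blackhole accepts 0, 1 or 2")
    if (blackhole == 1 and thflags & TH_SYN) or blackhole == 2:
        return "DROP"
    return "RST"


class RstRateLimiter:
    """Per-second cap on closed-port RSTs (assumed: net.inet.icmp.icmplim)."""

    def __init__(self, icmplim: int = 200):
        self.icmplim = icmplim
        self.sent = 0        # RSTs actually transmitted this second
        self.wanted = 0      # RSTs the stack would have sent without the cap

    def allow(self) -> bool:
        self.wanted += 1
        if self.icmplim > 0 and self.sent >= self.icmplim:
            return False
        self.sent += 1
        return True

    def log_line(self):
        """Console message when more RSTs were wanted than the cap allows."""
        if self.wanted > self.icmplim:
            return (f"Limiting closed port RST response from {self.wanted} "
                    f"to {self.icmplim} packets/sec")
        return None


# Constructed probe mix for one second: the flag patterns a SYN, FIN,
# NULL, XMAS and ACK scan send, all aimed at closed ports.
SCAN_PROBES = {
    "SYN": TH_SYN,
    "FIN": TH_FIN,
    "NULL": 0,
    "XMAS": TH_FIN | TH_PUSH | TH_URG,
    "ACK": TH_ACK,
}


def simulate(blackhole: int, probes_per_scan: int = 100, icmplim: int = 200):
    """Run one second of mixed scans; return (RSTs sent per scan, log line)."""
    limiter = RstRateLimiter(icmplim)
    rst_sent = Counter()
    for name, flags in SCAN_PROBES.items():
        for _ in range(probes_per_scan):
            if closed_port_response(blackhole, flags) == "RST" and limiter.allow():
                rst_sent[name] += 1
    return dict(rst_sent), limiter.log_line()


if __name__ == "__main__":
    for mode in (0, 1, 2):
        per_scan, msg = simulate(mode)
        print(f"blackhole={mode}: RSTs sent per scan type {per_scan}")
        print(f"  kernel log: {msg}")
```

With blackhole=1 the SYN probes vanish but the FIN, NULL, XMAS and ACK probes still draw RSTs, so the limiter trips and the message is logged; with blackhole=2 nothing is answered and the message never appears, which matches what the poster observed after raising the sysctl. Note that the cap only suppresses excess RSTs, it does not hide the host, and UDP probes are governed separately by net.inet.udp.blackhole.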