Date: Thu, 16 Feb 2006 12:20:49 +0100
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Concerns about wording of man blackhole
Message-ID: <20060216122049.5beb1c33@localhost>
In-Reply-To: <43F3496D.2060003@mac.com>
References: <20060213154956.058ccd65@localhost> <43F0A70F.2090006@mac.com> <20060214180705.4d4ba682@localhost> <43F2200F.60204@mac.com> <20060215160725.0b6f4d40@localhost> <43F3496D.2060003@mac.com>
Chuck Swiger <cswiger@mac.com> wrote:

> Fabian Keil wrote:
>
> >> Most people use a firewall because they are running services (and
> >> thus have open ports) which they do not want the rest of the
> >> Internet to be able to connect to.
> >
> > What does this have to do with "blackhole".
>
> The "blackhole" sysctl makes it somewhat harder for an intruder to
> figure out which ports are really closed versus which ports are being
> filtered, and how/where that filtering is being done.
>
> Firewalls are used to make open ports appear "filtered" to external
> connection attempts. Someone who assumes that all filtered ports are
> really closed is not making a correct assumption.

OK, I didn't think about the problem that the firewall can't reset the
connection on behalf of a system behind it (at least I don't know if
there is a firewall which sends resets with faked IPs) and dropping is
the only way to go.

While reading man blackhole I was configuring PF on my laptop, and with
the possibility to let ports appear as closed, blackhole doesn't look
that good.

> >> If there exists someone who assumes all "filtered" ports are
> >> closed, well, wouldn't that fact demonstrate that the blackhole
> >> mechanism does help...?
> >
> > Help with what? From the attacker's point of view it makes little
> > difference if a port appears as filtered or closed.
>
> A knowledgeable security analyst or a blackhat trying to crack the
> network would certainly not assume "closed" and "filtered" are the
> same thing.

You're right again, I was only thinking of the case where the firewall
is running on the target system and faking closed ports is as easy as
letting them appear as filtered.

> [ ... ]
> >>>> These reconnection attempts will greatly slow down attempts to
> >>>> scan ports rapidly.
> >>> Which shouldn't result in a DOS anyway. The reconnection attempts
> >>> will even increase the inbound traffic.
> >> Yes, but to ports that aren't actually open.
> >>
> >> It's relatively cheap and easy to process such packets by just
> >> dropping them, compared with processing them in a userland daemon.
> >
> > What userland daemon?
>
> The canonical example is inetd, but any process which listen()s on a
> port and accept()s incoming connections would qualify as a "userland
> daemon".

I know what a userland daemon is, but on a closed port there shouldn't
be one.

> >> [ ... ]
> >>> Again I don't see the gain. Eventually the port scan will be
> >>> finished and open ports found.
> >> If you can flip a sysctl which increases the time it takes for
> >> Slammer or Nimda or some other worm to scan through all of the IP's
> >> on your network, the admins there have more time to respond, and
> >> there is a better chance that AV software will get updates to block
> >> the malware before too many systems get infected.
> >
> > If you already have the firewall to drop those unwanted connections
> > you might as well just reset them.
>
> Unfortunately, a firewall can only affect traffic which passes by
> it. There are plenty of cases where someone opens an attachment in a
> malicious email, which infects their system and causes it to
> scan/probe LAN IPs.
>
> Having a firewall won't do a thing to protect you from local scans.
> Using "blackhole" on internal machines can help this scenario
> somewhat.

You mean just by slowing the scan down, or is there another effect I
didn't think of?

Fabian
-- 
http://www.fabiankeil.de/
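The two claims argued over in the thread, that unanswered SYNs slow a scan down (Chuck) and that the retransmissions add inbound traffic (Fabian), plus the observation that a scanner cannot tell a blackholed closed port from one a firewall silently drops, can be put side by side in a small model. The following Python is an added example written for this archive page; it is not code from the mail, from FreeBSD or from PF. The `Host` class, the `reply_to_syn`/`probe`/`scan` functions, the 100-port sample and the scanner's retry schedule and round-trip time are all assumptions made for the model, not measurements of any real scanner.

```python
"""Toy model of what a SYN scanner sees from a host, depending on the
net.inet.tcp.blackhole sysctl and on a host firewall's block action.

Added example for the thread above; not code from the original mail,
FreeBSD or PF.  Only the externally visible behaviour the discussion
turns on is modelled.  The retry count, backoff schedule and RTT below
are constructed assumptions, not properties of any real tool.
"""
from dataclasses import dataclass, field

# Assumed scanner behaviour (constructed for this model).
RTT = 0.05                  # seconds for one probe and its answer
BACKOFF = (1.0, 2.0, 4.0)   # wait after each unanswered SYN, then give up


@dataclass(frozen=True)
class Host:
    open_ports: frozenset
    # 0: closed ports answer RST (the default); 1 or 2: closed ports stay
    # silent.  Only SYNs are modelled, so 1 and 2 behave the same here.
    tcp_blackhole: int = 0
    # Ports a host firewall (e.g. PF) handles before the kernel sees them,
    # and whether it answers ("return" -> RST) or stays silent ("drop").
    fw_blocked: frozenset = field(default_factory=frozenset)
    fw_action: str = "drop"


def reply_to_syn(host, port):
    """What a single SYN to `port` elicits: 'SYN-ACK', 'RST' or None."""
    if port in host.fw_blocked:
        return "RST" if host.fw_action == "return" else None
    if port in host.open_ports:
        return "SYN-ACK"
    # Closed port: the kernel's answer depends on the blackhole sysctl.
    return "RST" if host.tcp_blackhole == 0 else None


def probe(host, port):
    """Classify `port` as a scanner would; returns (verdict, syns_sent, seconds)."""
    answer = reply_to_syn(host, port)
    if answer == "SYN-ACK":
        return "open", 1, RTT
    if answer == "RST":
        return "closed", 1, RTT
    # Silence: the scanner retransmits with backoff, then reports "filtered".
    return "filtered", len(BACKOFF), sum(BACKOFF)


def scan(host, ports):
    """Scan `ports`; returns (verdict counts, total SYNs sent, total seconds)."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    syns, seconds = 0, 0.0
    for port in ports:
        verdict, n, t = probe(host, port)
        counts[verdict] += 1
        syns += n
        seconds += t
    return counts, syns, seconds


if __name__ == "__main__":
    # Constructed sample: 100 ports, only 22 open.
    ports = range(1, 101)
    others = frozenset(set(ports) - {22})
    scenarios = {
        "default (RST)":    Host(frozenset({22})),
        "tcp.blackhole=2":  Host(frozenset({22}), tcp_blackhole=2),
        "pf block drop":    Host(frozenset({22}), fw_blocked=others),
        "pf block return":  Host(frozenset({22}), fw_blocked=others, fw_action="return"),
    }
    for name, host in scenarios.items():
        counts, syns, seconds = scan(host, ports)
        print(f"{name:17} {counts}  SYNs={syns:4d}  time={seconds:7.2f}s")
```

Under these assumed parameters the default host answers every closed port in one round trip, while the blackholed host costs the scanner three SYNs and seven seconds per closed port, so the scan sends roughly three times the packets and takes over a hundred times as long. The "tcp.blackhole=2" and "pf block drop" rows come out identical, which is the point both sides of the thread agree on: from the scanner's side the kernel sysctl and a silently dropping firewall are indistinguishable, and "pf block return" is what lets a host firewall make blocked ports look closed instead.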