Date:      Wed, 29 Jan 2014 18:24:17 +0100
From:      sa9k063 <spam.spam@hfbk-hamburg.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: portscans and blackhole
Message-ID:  <52E93941.7080002@hfbk-hamburg.de>
In-Reply-To: <52E910B0.4030606@wenks.ch>
References:  <52DD08F7.1000306@hfbk-hamburg.de> <52E910B0.4030606@wenks.ch>

Hello,

On 01/29/2014 03:31 PM, Fabian Wenk wrote:
>> net.inet.tcp.blackhole=1
>>
>> +Limiting closed port RST response from 348 to 200 packets/sec
> 
> According to the blackhole(4) manpage (from a FreeBSD 9.1 system):
> 
> ---8<------------------------------------------------------------
> SYNOPSIS
>      sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
>      sysctl net.inet.udp.blackhole[=[0 | 1]]
> 
> Part of DESCRIPTION:
>
> system will see this as a “Connection refused”.  By setting the TCP
> blackhole MIB to a numeric value of one, the incoming SYN segment is
> merely dropped, and no RST is sent, making the system appear as a
> blackhole.  By setting the MIB value to two, any segment arriving on
> a closed port is dropped without returning a RST.  This provides
> some degree of protection against stealth port scans.

This added to the confusion and thus made me ask. The manpage says
for both values of net.inet.tcp.blackhole={1,2} that no RSTs are
sent out.
Both seem to drop SYNs and suppress sending a RST.

Reading it again, the only conclusion I could get to regarding the
difference between 1 and 2 would be that for a value of 2, all other
TCP packets with flags other than SYN are additionally ignored. Is
this a better way to understand it?

> So it is possible, that you are hit with something else then SYN
> packets and should probably set net.inet.tcp.blackhole=2, or even
> with UDP packets, then also set net.inet.udp.blackhole=1.

This remains a likely explanation, i.e. FIN scans etc.

> What output does 'sysctl -a | grep blackhole' show?

It used to be

net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 1

Since setting the TCP value to 2, no more messages like these have
popped up, supporting your line of thought.

> bye
> Fabian

thank you,

Tee
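The difference the thread settles on, modelled as an added example (not code from the thread or from the FreeBSD kernel): a closed-port decision function that follows the quoted blackhole(4) text, with `response`, `count_replies` and the probe list being constructed names. It assumes the documented UDP behaviour (udp.blackhole=1 suppresses the ICMP port unreachable) and that a segment already carrying RST is never answered.

```python
"""Model of how net.inet.tcp.blackhole / net.inet.udp.blackhole treat probes
that arrive on a CLOSED port (constructed example, not FreeBSD kernel code)."""
from collections import Counter


def response(proto, flags, tcp_blackhole=0, udp_blackhole=0, port_open=False):
    """Return the host's reply to one probe: 'ACCEPT', 'RST', 'ICMP_UNREACH' or 'DROP'.

    flags is a string of TCP flag letters, e.g. "S", "F", "FPU", "" (NULL probe).
    """
    if port_open:
        return "ACCEPT"  # blackhole only affects closed ports
    if proto == "udp":
        # udp.blackhole=1: no ICMP port unreachable for a closed UDP port
        return "DROP" if udp_blackhole else "ICMP_UNREACH"
    if "R" in flags:
        return "DROP"  # a segment that itself carries RST is never answered
    if tcp_blackhole >= 2:
        return "DROP"  # mode 2: any segment on a closed port is dropped
    if tcp_blackhole == 1 and "S" in flags:
        return "DROP"  # mode 1: only segments with SYN set are dropped
    return "RST"  # default: RST, seen by the peer as "Connection refused"


# Constructed probes resembling SYN, FIN, NULL, Xmas, ACK and UDP scans.
PROBES = [("tcp", "S"), ("tcp", "F"), ("tcp", ""), ("tcp", "FPU"),
          ("tcp", "A"), ("udp", "")]


def count_replies(tcp_blackhole, udp_blackhole):
    """Tally the replies a given sysctl combination would send to PROBES."""
    return dict(Counter(response(proto, flags, tcp_blackhole, udp_blackhole)
                        for proto, flags in PROBES))


if __name__ == "__main__":
    # Mode 1 still answers FIN/NULL/Xmas/ACK probes with RSTs (and so still
    # trips the closed-port RST rate limiter); mode 2 answers nothing.
    for tcp_mode, udp_mode in [(0, 0), (1, 1), (2, 1)]:
        print(f"tcp.blackhole={tcp_mode} udp.blackhole={udp_mode}: "
              f"{count_replies(tcp_mode, udp_mode)}")
```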




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52E93941.7080002>