Date:      Wed, 15 Feb 2006 16:07:25 +0100
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        doc@FreeBSD.org
Subject:   Re: Concerns about wording of man blackhole
Message-ID:  <20060215160725.0b6f4d40@localhost>
In-Reply-To: <43F2200F.60204@mac.com>
References:  <20060213154956.058ccd65@localhost> <43F0A70F.2090006@mac.com> <20060214180705.4d4ba682@localhost> <43F2200F.60204@mac.com>

I set Followup-To freebsd-questions.

Chuck Swiger <cswiger@mac.com> wrote:

> Fabian Keil wrote:
> > Chuck Swiger <cswiger@mac.com> wrote:
> [ ... ]
> >>> In which way does this protect against stealth port scans?
> >> Returning a RST tells the scanner that the port is definitely
> >> closed. Returning nothing gives less information.
> >
> > As open ports still show up as open I don't see the protection.
> > If some ports are open, the attacker can assume that all the
> > "filtered" ports are closed.
>
> Most people use a firewall because they are running services (and
> thus have open ports) which they do not want the rest of the Internet
> to be able to connect to.

What does this have to do with "blackhole"?

> If there exists someone who assumes all "filtered" ports are closed,
> well, wouldn't that fact demonstrate that the blackhole mechanism
> does help...?
Help with what? From the attacker's point of view it makes little
difference if a port appears as filtered or closed.

> >>> I don't understand why the "blackhole behaviour" would slow down
> >>> a DOS attempt.
> >> nmap is extremely well written, and can scan un-cooperative hosts
> >> better than most other programs will.  Anything which uses a
> >> protocol-compliant TCP/IP stack will retry dropped connections
> >> several times if no answer is forthcoming, and will even do things
> >> like try to make a connection without enabling any TCP or IP
> >> options normally set by default.
> >>
> >> These reconnection attempts will greatly slow down attempts to scan
> >> ports rapidly.
> >
> > Which shouldn't result in a DOS anyway. The reconnection attempts
> > will even increase the inbound traffic.
>
> Yes, but to ports that aren't actually open.
>
> It's relatively cheap and easy to process such packets by just
> dropping them, compared with processing them in a userland daemon.

What userland daemon?

> And I'd much rather have malicious traffic heading towards a closed
> port than towards a critical service.

Sure, but "blackhole behaviour" alone doesn't prevent malicious traffic
from reaching critical services.
> [ ... ]
> >>> AFAICS the only thing it does is to decrease traceroute's
> >>> usefulness and to turn closed ports into filtered ports which
> >>> slows some kinds of port scans down for a few seconds.
> >> Something using the OS to do TCP/IP is going to be slowed down by
> >> roughly an order of magnitude, which includes many malware programs
> >> like worms.
> >
> > Again I don't see the gain. Eventually the port scan will be
> > finished and open ports found.
>
> If you can flip a sysctl which increases the time it takes for
> Slammer or Nimda or some other worm to scan through all of the IP's
> on your network, the admins there have more time to respond, and
> there is a better chance that AV software will get updates to block
> the malware before too many systems get infected.

If you already have the firewall to drop those unwanted connections
you might as well just reset them.
Fabian
-- 
http://www.fabiankeil.de/
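As an added illustration of the two positions argued in the thread above (this is not part of the original message, nor FreeBSD's or nmap's own code): a constructed Python model of what a SYN scanner with a fixed retransmission schedule learns from a host whose closed ports answer with RST, compared with a host whose closed ports drop the SYN silently. The round-trip time, the retry schedule and the port set are assumed values chosen for the model, not FreeBSD or nmap defaults.

```python
"""Model: what a SYN scanner learns from a host that answers RST on closed
ports versus one that silently drops the SYN (the 'blackhole' behaviour).

All parameters below are constructed assumptions, not FreeBSD or nmap defaults.
"""
from dataclasses import dataclass

RTT = 0.05                      # assumed seconds until an answered probe returns
RETRY_WAITS = (1.0, 2.0, 4.0)   # assumed scanner timeouts before each SYN retransmit


@dataclass(frozen=True)
class Host:
    """A target whose closed ports either answer RST or drop the SYN."""
    open_ports: frozenset
    blackhole: bool  # True: closed ports say nothing; False: closed ports send RST

    def respond(self, port):
        """Reply to one SYN: 'SYN-ACK', 'RST', or None when the packet is dropped."""
        if port in self.open_ports:
            return "SYN-ACK"
        return None if self.blackhole else "RST"


@dataclass(frozen=True)
class Probe:
    state: str      # "open", "closed" or "filtered", as a scanner would label it
    seconds: float  # wall-clock time the scanner spent on this port


def probe(host, port, retry_waits=RETRY_WAITS):
    """Classify one port the way a protocol-compliant scanner would.

    Any answer (SYN-ACK or RST) settles the state after one round trip.  Silence
    makes the scanner wait and retransmit once per entry in `retry_waits`; only
    after the whole schedule is exhausted does it report the port as "filtered".
    """
    elapsed = 0.0
    for attempt in range(1 + len(retry_waits)):
        reply = host.respond(port)
        if reply == "SYN-ACK":
            return Probe("open", elapsed + RTT)
        if reply == "RST":
            return Probe("closed", elapsed + RTT)
        if attempt < len(retry_waits):
            elapsed += retry_waits[attempt]  # timed out; charge the wait, retransmit
    return Probe("filtered", elapsed)


def scan(host, ports):
    """Probe every port one after another and return {port: Probe}."""
    return {p: probe(host, p) for p in ports}


def open_ports_found(results):
    return frozenset(p for p, r in results.items() if r.state == "open")


def scan_seconds(results):
    return sum(r.seconds for r in results.values())


def compare(open_ports, ports):
    """Run the same sequential scan against an RST host and a blackhole host."""
    summary = {}
    for label, blackhole in (("rst", False), ("blackhole", True)):
        results = scan(Host(frozenset(open_ports), blackhole), ports)
        summary[label] = {
            "open": open_ports_found(results),
            "filtered": sum(r.state == "filtered" for r in results.values()),
            "seconds": scan_seconds(results),
        }
    return summary


if __name__ == "__main__":
    # Constructed sample: ports 1-100 with only 22 and 80 listening.
    for label, s in compare({22, 80}, range(1, 101)).items():
        print(f"{label:9s} open={sorted(s['open'])} filtered={s['filtered']} "
              f"scan_time={s['seconds']:.1f}s")
```

Under this model both hosts reveal exactly the same open ports; the blackhole host only turns its closed ports into "filtered" ones and makes the sequential scan take the full retry schedule per closed port. That is the whole disagreement in the thread: the attacker's knowledge of open ports is unchanged, while the per-port cost of scanning rises by the scanner's timeout budget.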
