Date: Tue, 14 Feb 2006 18:07:05 +0100 From: Fabian Keil <freebsd-listen@fabiankeil.de> To: Chuck Swiger <cswiger@mac.com> Cc: doc@FreeBSD.org Subject: Re: Concerns about wording of man blackhole Message-ID: <20060214180705.4d4ba682@localhost> In-Reply-To: <43F0A70F.2090006@mac.com> References: <20060213154956.058ccd65@localhost> <43F0A70F.2090006@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_NkBSLDjT_ZUNtNlboSUfRgC
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Chuck Swiger <cswiger@mac.com> wrote:
> Fabian Keil wrote:
> > |Normal behaviour, when a TCP SYN segment is received on a port
> > where |there is no socket accepting connections, is for the system
> > to return a |RST segment, and drop the connection. The connecting
> > system will see |this as a ``Connection refused''. By setting the
> > TCP blackhole MIB to a |numeric value of one, the incoming SYN
> > segment is merely dropped, and no |RST is sent, making the system
> > appear as a blackhole. By setting the MIB |value to two, any
> > segment arriving on a closed port is dropped without |returning a
> > RST. This provides some degree of protection against stealth |port
> > scans.
> >=20
> > In which way does this protect against stealth port scans?
>=20
> Returning a RST tells the scanner that the port is definitely closed.
> Returning nothing gives less information.
As open ports still show up as open I don't see the protection.
If some port are open, the attacker can assume that all the
"filtered" ports are closed.
=20
> > I don't understand why the "blackhole behaviour" would slow down
> > a DOS attempt.
>=20
> nmap is extremely well written, and can scan un-cooperative hosts
> better than most other programs will. Anything which uses a
> protocol-compliant TCP/IP stack will retry dropped connections
> several times if no answer is forthcoming, and will even do things
> like try to make a connection without enabling any TCP or IP options
> normally set by default.
>=20
> These reconnection attempts will greatly slow down attempts to scan
> ports rapidly.
Which shouldn't result in a DOS anyway. The reconnection attempts
will even increase the inbound traffic.
=20
> > Is there a known DOS vulnerability in FreeBSD
> > which can be exploited by trying to connect to a closed port?=20
>=20
> Sending highly fragmented packets ("the Rose attack?") used to be
> quite effective against FreeBSD, although Andre Opperman or someone
> has improved the way FreeBSD handles fragment reassembly to be more
> efficient since then.
=20
> > I can only think of filling up the connection with useless traffic,
> > but this is possible with every OS and turning the attacked system
> > into a so called blackhole wouldn't make a difference unless the
> > uplink is slower than the downlink and the attacker really floods
> > closed ports instead of open ones.=20
>=20
> Network bandwidth is not the only finite resource used in processing
> network traffic: exhausting memory of making the OS consume excessive
> amounts of CPU are also DOS mechanisms.
You're right, I didn't think about those. But it's unlikely that
"blackhole behaviour" would make a difference.
> > AFAICS the only thing it does is to decrease traceroute's
> > usefulness and to turn closed ports into filtered ports which
> > slows some kinds of port scans down for a few seconds.
>=20
> Something using the OS to do TCP/IP is going to be slowed down by
> roughly an order of magnitude, which includes many malware programs
> like worms.
Again I don't see the gain. Eventually the port scan will be finished
and open ports found.
Fabian
--=20
http://www.fabiankeil.de/
--Sig_NkBSLDjT_ZUNtNlboSUfRgC
Content-Type: application/pgp-signature; name=signature.asc
Content-Disposition: attachment; filename=signature.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFD8g5AjV8GA4rMKUQRAuixAJ9yUt/TYHNht5CYdr3l7jP5Cs6yawCeP/kM
562h9p4LIDRJLuQIYs65X18=
=tx8T
-----END PGP SIGNATURE-----
--Sig_NkBSLDjT_ZUNtNlboSUfRgC--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060214180705.4d4ba682>