From owner-freebsd-questions@FreeBSD.ORG Wed Feb 15 15:32:08 2006
Message-ID: <43F3496D.2060003@mac.com>
Date: Wed, 15 Feb 2006 10:31:57 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
To: Fabian Keil
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20060215160725.0b6f4d40@localhost>
Subject: Re: Concerns about wording of man blackhole
Fabian Keil wrote:
> I set Followup-To freebsd-questions.

OK.

[ ... ]

>>>>> In which way does this protect against stealth port scans?
>>>> Returning a RST tells the scanner that the port is definitely
>>>> closed. Returning nothing gives less information.
>>> As open ports still show up as open I don't see the protection.
>>> If some ports are open, the attacker can assume that all the
>>> "filtered" ports are closed.
>> Most people use a firewall because they are running services (and
>> thus have open ports) which they do not want the rest of the Internet
>> to be able to connect to.
>
> What does this have to do with "blackhole"?

The "blackhole" sysctl makes it somewhat harder for an intruder to figure out which ports are really closed versus which ports are being filtered, and how/where that filtering is being done. Firewalls are used to make open ports appear "filtered" to external connection attempts. Someone who assumes that all filtered ports are really closed is not making a correct assumption.

>> If there exists someone who assumes all "filtered" ports are closed,
>> well, wouldn't that fact demonstrate that the blackhole mechanism
>> does help...?
>
> Help with what? From the attacker's point of view it makes little
> difference if a port appears as filtered or closed.

A knowledgeable security analyst or a blackhat trying to crack the network would certainly not assume "closed" and "filtered" are the same thing. Many networks have been compromised by poorly configured proxies which let skillful intruders leapfrog around the firewall by abusing the HTTP CONNECT method, including some high-profile examples at the NYTimes and other big-name companies. Other techniques include using the IP option for explicit source routing, which can fool poorly designed firewall configurations into thinking the connection comes from the firewall itself, or some other trusted IP.

[ ... ]

>>>> These reconnection attempts will greatly slow down attempts to scan
>>>> ports rapidly.
>>> Which shouldn't result in a DOS anyway. The reconnection attempts
>>> will even increase the inbound traffic.
>> Yes, but to ports that aren't actually open.
>>
>> It's relatively cheap and easy to process such packets by just
>> dropping them, compared with processing them in a userland daemon.
>
> What userland daemon?

The canonical example is inetd, but any process which listen()s on a port and accept()s incoming connections would qualify as a "userland daemon".

>> And I'd much rather have malicious traffic heading towards a closed
>> port than towards a critical service.
>
> Sure, but "blackhole behaviour" alone doesn't prevent malicious traffic
> from reaching critical services.

True. Like the manpage said, "blackhole" isn't a substitute for a firewall.

>> [ ... ]
>>> Again I don't see the gain. Eventually the port scan will be
>>> finished and open ports found.
>> If you can flip a sysctl which increases the time it takes for
>> Slammer or Nimda or some other worm to scan through all of the IP's
>> on your network, the admins there have more time to respond, and
>> there is a better chance that AV software will get updates to block
>> the malware before too many systems get infected.
>
> If you already have the firewall to drop those unwanted connections
> you might as well just reset them.

Unfortunately, a firewall can only affect traffic which passes by it. There are plenty of cases where someone opens an attachment in a malicious email, which infects their system and causes it to scan/probe LAN IPs. Having a firewall won't do a thing to protect you from local scans. Using "blackhole" on internal machines can help this scenario somewhat.

-- 
-Chuck
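As an added illustration of the two points argued in the thread (open ports show up as open either way, while silent drops slow a SYN sweep and hide which silent ports are firewalled rather than closed), here is a small Python model. It is constructed for this archive note, not code from the thread or from FreeBSD, and its timing constants (RTT, probe timeout, retry count) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scanner timing assumptions (constructed values, not measurements):
RST_RTT = 0.05        # seconds until an RST or SYN-ACK comes back
PROBE_TIMEOUT = 1.0   # seconds a scanner waits in silence before retransmitting
RETRIES = 2           # retransmissions before giving up on a silent port


@dataclass
class Host:
    open_ports: set = field(default_factory=set)
    firewalled: set = field(default_factory=set)  # open, but a firewall drops outside SYNs
    blackhole: bool = False  # True: closed ports drop SYNs silently instead of sending RST


def probe(host: Host, port: int) -> Optional[str]:
    """What one SYN probe observes: 'SYN-ACK', 'RST', or None (nothing came back)."""
    if port in host.firewalled:
        return None
    if port in host.open_ports:
        return "SYN-ACK"
    return None if host.blackhole else "RST"


def classify(host: Host, port: int):
    """State the scanner infers for one port, and seconds spent reaching that verdict."""
    elapsed = 0.0
    for _ in range(RETRIES + 1):
        reply = probe(host, port)
        if reply == "SYN-ACK":
            return "open", elapsed + RST_RTT
        if reply == "RST":
            return "closed", elapsed + RST_RTT
        elapsed += PROBE_TIMEOUT  # silence: wait out the timeout, then retransmit
    return "filtered", elapsed


def scan(host: Host, ports):
    """Map of port -> inferred state, plus total wall-clock seconds for the sweep."""
    states, total = {}, 0.0
    for p in ports:
        state, t = classify(host, p)
        states[p] = state
        total += t
    return states, total
```

With blackhole off, the one firewalled port is the only "filtered" result and so stands out; with it on, that port is indistinguishable from the closed ones and the sweep of 100 ports takes roughly forty times longer, while the open ports are found in both cases.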