From owner-freebsd-doc@FreeBSD.ORG Tue Feb 14 18:23:00 2006
Date: Tue, 14 Feb 2006 13:23:11 -0500
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
To: Fabian Keil
Cc: doc@FreeBSD.org
Subject: Re: Concerns about wording of man blackhole
Message-ID: <43F2200F.60204@mac.com>
References: <20060213154956.058ccd65@localhost> <43F0A70F.2090006@mac.com> <20060214180705.4d4ba682@localhost>
In-Reply-To: <20060214180705.4d4ba682@localhost>
List-Id: Documentation project

Fabian Keil wrote:
> Chuck Swiger wrote:
[ ... ]
>>> In which way does this protect against stealth port scans?
>> Returning a RST tells the scanner that the port is definitely closed.
>> Returning nothing gives less information.
>
> As open ports still show up as open I don't see the protection.
> If some ports are open, the attacker can assume that all the
> "filtered" ports are closed.

Most people use a firewall because they are running services (and thus
have open ports) which they do not want the rest of the Internet to be
able to connect to.

If there exists someone who assumes all "filtered" ports are closed,
well, wouldn't that fact demonstrate that the blackhole mechanism does
help...?

>>> I don't understand why the "blackhole behaviour" would slow down
>>> a DOS attempt.
>> nmap is extremely well written, and can scan un-cooperative hosts
>> better than most other programs will. Anything which uses a
>> protocol-compliant TCP/IP stack will retry dropped connections
>> several times if no answer is forthcoming, and will even do things
>> like try to make a connection without enabling any TCP or IP options
>> normally set by default.
>>
>> These reconnection attempts will greatly slow down attempts to scan
>> ports rapidly.
>
> Which shouldn't result in a DOS anyway. The reconnection attempts
> will even increase the inbound traffic.

Yes, but to ports that aren't actually open. It's relatively cheap and
easy to process such packets by just dropping them, compared with
processing them in a userland daemon. And I'd much rather have malicious
traffic heading towards a closed port than towards a critical service.

[ ... ]

>>> AFAICS the only thing it does is to decrease traceroute's
>>> usefulness and to turn closed ports into filtered ports which
>>> slows some kinds of port scans down for a few seconds.
>> Something using the OS to do TCP/IP is going to be slowed down by
>> roughly an order of magnitude, which includes many malware programs
>> like worms.
>
> Again I don't see the gain. Eventually the port scan will be finished
> and open ports found.

If you can flip a sysctl which increases the time it takes for Slammer
or Nimda or some other worm to scan through all of the IPs on your
network, the admins there have more time to respond, and there is a
better chance that AV software will get updates to block the malware
before too many systems get infected.

This is one of the main reasons why firewalls often drop connections
rather than returning ICMP host or port unreachable messages.

--
-Chuck
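An added example, not part of this thread and not code from FreeBSD or nmap: a small Python model of the SYN-scan behaviour the two sides are arguing about. It simulates a target whose closed ports either answer a SYN with RST (the default) or drop it silently (what net.inet.tcp.blackhole=1 does on FreeBSD), and a serial scanner that retries silent ports before reporting them as filtered. The RTT, probe timeout, retry count and port set are assumed values chosen to make the effect visible, not measurements of any real stack or scanner.

```python
"""Model: how a closed-port policy (RST vs. silent drop) changes a SYN scan.

Added example, not from the mailing-list thread. Target, scanner and all
timing constants are simulated/assumed; nothing here touches the network.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Assumed timing model (seconds). Real values depend on scanner and path.
RTT = 0.05            # time until an answered probe comes back
PROBE_TIMEOUT = 1.0   # how long the scanner waits on a silent port
MAX_RETRIES = 2       # extra probes sent before giving up on a silent port


@dataclass
class Target:
    """A host with some listening TCP ports and a closed-port policy.

    blackhole=False: closed ports answer a SYN with RST (normal behaviour).
    blackhole=True:  closed ports drop the SYN, like net.inet.tcp.blackhole=1.
    """
    open_ports: FrozenSet[int]
    blackhole: bool = False

    def syn(self, port: int) -> Optional[str]:
        if port in self.open_ports:
            return "SYN/ACK"
        return None if self.blackhole else "RST"


@dataclass
class ScanResult:
    states: Dict[int, str] = field(default_factory=dict)
    probes_sent: int = 0
    elapsed: float = 0.0


def syn_scan(target: Target, ports: Iterable[int],
             max_retries: int = MAX_RETRIES, rtt: float = RTT,
             timeout: float = PROBE_TIMEOUT) -> ScanResult:
    """Classify ports the way a SYN scanner does, one port at a time.

    SYN/ACK -> open, RST -> closed, nothing after all retries -> filtered.
    An answered probe costs one RTT; an unanswered probe costs the full
    timeout, and a silent port is retried max_retries more times.
    """
    result = ScanResult()
    for port in ports:
        state = "filtered"
        for _attempt in range(max_retries + 1):
            result.probes_sent += 1
            reply = target.syn(port)
            if reply is not None:
                state = "open" if reply == "SYN/ACK" else "closed"
                result.elapsed += rtt
                break
            result.elapsed += timeout
        result.states[port] = state
    return result


def compare(open_ports: Iterable[int],
            ports: Iterable[int]) -> Tuple[ScanResult, ScanResult]:
    """Run the same scan against an RST-answering and a blackholed host."""
    ports = list(ports)
    rst = syn_scan(Target(frozenset(open_ports), blackhole=False), ports)
    drop = syn_scan(Target(frozenset(open_ports), blackhole=True), ports)
    return rst, drop


if __name__ == "__main__":
    # Constructed sample: two listening services, scan of ports 1-1024.
    rst, drop = compare({22, 80}, range(1, 1025))
    for name, r in (("RST", rst), ("blackhole", drop)):
        counts = {s: sum(1 for v in r.states.values() if v == s)
                  for s in ("open", "closed", "filtered")}
        print(f"{name:9s} probes={r.probes_sent:5d} "
              f"elapsed={r.elapsed:8.1f}s {counts}")
```

In this model the open ports come out identical either way, which is Fabian's point; what changes is that every closed port now costs the scanner every retry plus the timeout instead of one round trip, which is Chuck's. The factor depends entirely on the assumed retry count and timeout, and a real scanner such as nmap probes many ports in parallel and adapts its timeouts, so wall-clock slowdown is smaller than this serial model suggests even though the probe count still rises.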