From: Fabian Keil
To: Chuck Swiger
Cc: doc@FreeBSD.org
Date: Wed, 15 Feb 2006 16:07:25 +0100
Subject: Re: Concerns about wording of man blackhole
Followup-To: freebsd-questions@freebsd.org

I set Followup-To freebsd-questions.

Chuck Swiger wrote:
> Fabian Keil wrote:
> > Chuck Swiger wrote:
> [ ... ]
> >>> In which way does this protect against stealth port scans?
> >> Returning a RST tells the scanner that the port is definitely
> >> closed. Returning nothing gives less information.
> >
> > As open ports still show up as open I don't see the protection.
> > If some ports are open, the attacker can assume that all the
> > "filtered" ports are closed.
>
> Most people use a firewall because they are running services (and
> thus have open ports) which they do not want the rest of the Internet
> to be able to connect to.

What does this have to do with "blackhole"?

> If there exists someone who assumes all "filtered" ports are closed,
> well, wouldn't that fact demonstrate that the blackhole mechanism
> does help...?

Help with what? From the attacker's point of view it makes little
difference if a port appears as filtered or closed.

> >>> I don't understand why the "blackhole behaviour" would slow down
> >>> a DOS attempt.
> >> nmap is extremely well written, and can scan un-cooperative hosts
> >> better than most other programs will. Anything which uses a
> >> protocol-compliant TCP/IP stack will retry dropped connections
> >> several times if no answer is forthcoming, and will even do things
> >> like try to make a connection without enabling any TCP or IP
> >> options normally set by default.
> >>
> >> These reconnection attempts will greatly slow down attempts to scan
> >> ports rapidly.
> >
> > Which shouldn't result in a DOS anyway. The reconnection attempts
> > will even increase the inbound traffic.
>
> Yes, but to ports that aren't actually open.
>
> It's relatively cheap and easy to process such packets by just
> dropping them, compared with processing them in a userland daemon.

What userland daemon?

> And I'd much rather have malicious traffic heading towards a closed
> port than towards a critical service.

Sure, but "blackhole behaviour" alone doesn't prevent malicious
traffic from reaching critical services.

> [ ... ]
> >>> AFAICS the only thing it does is to decrease traceroute's
> >>> usefulness and to turn closed ports into filtered ports which
> >>> slows some kinds of port scans down for a few seconds.
> >> Something using the OS to do TCP/IP is going to be slowed down by
> >> roughly an order of magnitude, which includes many malware programs
> >> like worms.
> >
> > Again I don't see the gain. Eventually the port scan will be
> > finished and open ports found.
>
> If you can flip a sysctl which increases the time it takes for
> Slammer or Nimda or some other worm to scan through all of the IP's
> on your network, the admins there have more time to respond, and
> there is a better chance that AV software will get updates to block
> the malware before too many systems get infected.

If you already have the firewall to drop those unwanted connections
you might as well just reset them.

Fabian
-- 
http://www.fabiankeil.de/
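A small added simulation of the two positions argued above (example code written for this page, not from the thread, from FreeBSD or from nmap): it models what a SYN scan reports and how long it takes when closed ports answer with RST versus when net.inet.tcp.blackhole makes the stack drop the probe. The retry count, retransmission timeout and RTT are assumed constants, and the host model is deliberately reduced to SYN handling only.

```python
"""Model of how net.inet.tcp.blackhole changes what a TCP SYN scan sees.

Constructed simulation: a closed port answers a SYN with RST when the
sysctl is 0 and silently drops it when it is non-zero; a compliant
scanner retransmits an unanswered SYN a few times before labelling the
port 'filtered'.  All timing values below are illustrative assumptions.
"""
from dataclasses import dataclass

SYN_RETRIES = 3        # assumed: retransmissions before giving up
RETRY_TIMEOUT = 1.0    # assumed: seconds waited per (re)transmission
RTT = 0.05             # assumed: round-trip time for an answered probe


@dataclass(frozen=True)
class Host:
    open_ports: frozenset
    blackhole: int = 0   # net.inet.tcp.blackhole: 0 = RST, non-zero = drop

    def answer_syn(self, port):
        """Return 'synack', 'rst', or None when the segment is dropped."""
        if port in self.open_ports:
            return "synack"
        return None if self.blackhole else "rst"


def scan(host, ports):
    """SYN-scan ``ports``; return ({port: state}, elapsed seconds)."""
    states, elapsed = {}, 0.0
    for port in ports:
        reply = host.answer_syn(port)
        if reply == "synack":
            states[port], elapsed = "open", elapsed + RTT
        elif reply == "rst":
            states[port], elapsed = "closed", elapsed + RTT
        else:
            # No answer: the stack retransmits and waits out each timeout.
            states[port] = "filtered"
            elapsed += (SYN_RETRIES + 1) * RETRY_TIMEOUT
    return states, elapsed


def compare(open_ports, ports):
    """Scan the same host with blackhole off and on; return both results."""
    return {"rst": scan(Host(frozenset(open_ports), 0), ports),
            "blackhole": scan(Host(frozenset(open_ports), 2), ports)}


if __name__ == "__main__":
    for name, (states, secs) in compare({22, 80}, range(1, 101)).items():
        found = sorted(p for p, s in states.items() if s == "open")
        print(f"{name:9s}: open={found} scan time={secs:.1f}s")
```

Both runs report the same open ports; only the time spent on the closed ones differs, which is the trade-off the thread is arguing about.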