From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Chuck Swiger
Cc: freebsd-questions@freebsd.org
Date: Thu, 16 Feb 2006 12:20:49 +0100
Subject: Re: Concerns about wording of man blackhole
Message-ID: <20060216122049.5beb1c33@localhost>
In-Reply-To: <43F3496D.2060003@mac.com>

Chuck Swiger wrote:
> Fabian Keil wrote:
>
> >> Most people use a firewall because they are running services (and
> >> thus have open ports) which they do not want the rest of the
> >> Internet to be able to connect to.
> >
> > What does this have to do with "blackhole".
>
> The "blackhole" sysctl makes it somewhat harder for an intruder to
> figure out which ports are really closed versus which ports are being
> filtered, and how/where that filtering is being done.
>
> Firewalls are used to make open ports appear "filtered" to external
> connection attempts. Someone who assumes that all filtered ports are
> really closed is not making a correct assumption.

OK, I didn't think about the problem that the firewall can't reset the
connection on behalf of a system behind it (at least I don't know if
there is a firewall which sends resets with faked IPs) and dropping is
the only way to go.

While reading man blackhole I was configuring PF on my laptop, and with
the possibility to let ports appear as closed, blackhole doesn't look
that good.

> >> If there exists someone who assumes all "filtered" ports are
> >> closed, well, wouldn't that fact demonstrate that the blackhole
> >> mechanism does help...?
> >
> > Help with what? From the attacker's point of view it makes little
> > difference if a port appears as filtered or closed.
>
> A knowledgeable security analyst or a blackhat trying to crack the
> network would certainly not assume "closed" and "filtered" are the
> same thing.

You're right again, I was only thinking of the case where the firewall
is running on the target system and faking closed ports is as easy as
letting them appear as filtered.

> [ ... ]
> >>>> These reconnection attempts will greatly slow down attempts to
> >>>> scan ports rapidly.
> >>> Which shouldn't result in a DOS anyway. The reconnection attempts
> >>> will even increase the inbound traffic.
> >> Yes, but to ports that aren't actually open.
> >>
> >> It's relatively cheap and easy to process such packets by just
> >> dropping them, compared with processing them in a userland daemon.
> >
> > What userland daemon?
>
> The canonical example is inetd, but any process which listen()s on a
> port and accept()s incoming connections would qualify as a "userland
> daemon".

I know what a userland daemon is, but on a closed port there shouldn't
be one.

> >> [ ... ]
> >>> Again I don't see the gain. Eventually the port scan will be
> >>> finished and open ports found.
> >> If you can flip a sysctl which increases the time it takes for
> >> Slammer or Nimda or some other worm to scan through all of the IP's
> >> on your network, the admins there have more time to respond, and
> >> there is a better chance that AV software will get updates to block
> >> the malware before too many systems get infected.
> >
> > If you already have the firewall to drop those unwanted connections
> > you might as well just reset them.
>
> Unfortunately, a firewall can only affect traffic which passes by
> it. There are plenty of cases where someone opens an attachment in a
> malicious email, which infects their system and causes it to
> scan/probe LAN IPs.
>
> Having a firewall won't do a thing to protect you from local scans.
> Using "blackhole" on internal machines can help this scenario
> somewhat.

You mean just by slowing the scan down, or is there another effect I
didn't think of?

Fabian
-- 
http://www.fabiankeil.de/
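As an added example, not part of the thread or of either author's setup, here is a pf.conf fragment that puts the two policies the discussion turns on side by side: `block drop` leaves probed ports looking "filtered" (the same effect the kernel blackhole sysctls give for closed ports on the host itself), while `block return` answers with a TCP RST or ICMP unreachable so they look "closed". The interface name em0 and the single ssh rule are assumptions.

```pf
# pf.conf fragment (added example; em0 and the ssh rule are assumed)
ext_if = "em0"

# Policy A: drop silently. A probe of a blocked port gets no answer and
# times out, so the port appears "filtered". On the host itself the
# kernel knobs do the same for ports nothing listens on:
#   net.inet.tcp.blackhole=2   # drop every segment to a closed TCP port
#   net.inet.udp.blackhole=1   # no ICMP port unreachable for closed UDP
# (set in /etc/sysctl.conf; 0 restores the normal RST/ICMP replies)
block drop in on $ext_if

# Policy B: reply with TCP RST / ICMP unreachable, so a blocked port is
# indistinguishable from one that is merely closed. This is what a
# host-based PF can do that a firewall in front of other systems cannot,
# since it would have to forge resets with their addresses.
# Uncomment to use instead of Policy A:
# block return in on $ext_if

# Whichever policy is chosen, only what is actually served is reachable.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state
pass out on $ext_if keep state
```

With the drop policy (or blackhole=2), a legitimate client that hits a closed port waits for its connect timeout instead of failing immediately, which is the usual operational cost of hiding closed ports.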