Date: Tue, 14 Feb 2006 18:07:05 +0100 From: Fabian Keil <freebsd-listen@fabiankeil.de> To: Chuck Swiger <cswiger@mac.com> Cc: doc@FreeBSD.org Subject: Re: Concerns about wording of man blackhole Message-ID: <20060214180705.4d4ba682@localhost> In-Reply-To: <43F0A70F.2090006@mac.com> References: <20060213154956.058ccd65@localhost> <43F0A70F.2090006@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_NkBSLDjT_ZUNtNlboSUfRgC Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Chuck Swiger <cswiger@mac.com> wrote: > Fabian Keil wrote: > > |Normal behaviour, when a TCP SYN segment is received on a port > > where |there is no socket accepting connections, is for the system > > to return a |RST segment, and drop the connection. The connecting > > system will see |this as a ``Connection refused''. By setting the > > TCP blackhole MIB to a |numeric value of one, the incoming SYN > > segment is merely dropped, and no |RST is sent, making the system > > appear as a blackhole. By setting the MIB |value to two, any > > segment arriving on a closed port is dropped without |returning a > > RST. This provides some degree of protection against stealth |port > > scans. > >=20 > > In which way does this protect against stealth port scans? >=20 > Returning a RST tells the scanner that the port is definitely closed. > Returning nothing gives less information. As open ports still show up as open I don't see the protection. If some port are open, the attacker can assume that all the "filtered" ports are closed. =20 > > I don't understand why the "blackhole behaviour" would slow down > > a DOS attempt. >=20 > nmap is extremely well written, and can scan un-cooperative hosts > better than most other programs will. Anything which uses a > protocol-compliant TCP/IP stack will retry dropped connections > several times if no answer is forthcoming, and will even do things > like try to make a connection without enabling any TCP or IP options > normally set by default. >=20 > These reconnection attempts will greatly slow down attempts to scan > ports rapidly. Which shouldn't result in a DOS anyway. The reconnection attempts will even increase the inbound traffic. =20 > > Is there a known DOS vulnerability in FreeBSD > > which can be exploited by trying to connect to a closed port?=20 >=20 > Sending highly fragmented packets ("the Rose attack?") used to be > quite effective against FreeBSD, although Andre Opperman or someone > has improved the way FreeBSD handles fragment reassembly to be more > efficient since then. =20 > > I can only think of filling up the connection with useless traffic, > > but this is possible with every OS and turning the attacked system > > into a so called blackhole wouldn't make a difference unless the > > uplink is slower than the downlink and the attacker really floods > > closed ports instead of open ones.=20 >=20 > Network bandwidth is not the only finite resource used in processing > network traffic: exhausting memory of making the OS consume excessive > amounts of CPU are also DOS mechanisms. You're right, I didn't think about those. But it's unlikely that "blackhole behaviour" would make a difference. > > AFAICS the only thing it does is to decrease traceroute's > > usefulness and to turn closed ports into filtered ports which > > slows some kinds of port scans down for a few seconds. >=20 > Something using the OS to do TCP/IP is going to be slowed down by > roughly an order of magnitude, which includes many malware programs > like worms. Again I don't see the gain. Eventually the port scan will be finished and open ports found. Fabian --=20 http://www.fabiankeil.de/ --Sig_NkBSLDjT_ZUNtNlboSUfRgC Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFD8g5AjV8GA4rMKUQRAuixAJ9yUt/TYHNht5CYdr3l7jP5Cs6yawCeP/kM 562h9p4LIDRJLuQIYs65X18= =tx8T -----END PGP SIGNATURE----- --Sig_NkBSLDjT_ZUNtNlboSUfRgC--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060214180705.4d4ba682>