Chuck Swiger <[EMAIL PROTECTED]> wrote:
> Fabian Keil wrote:
> >> Most people use a firewall because they are running services (and
> >> thus have open ports) which they do not want the rest of the
> >> Internet to be able to connect to.
> >
> > What does this have to do with "blackhole"?
>
> The "blackhole" sysctl makes it somewhat harder for an intruder to
> figure out which ports are really closed versus which ports are being
> filtered, and how/where that filtering is being done.
>
> Firewalls are used to make open ports appear "filtered" to external
> connection attempts. Someone who assumes that all filtered ports are
> really closed is not making a correct assumption.

OK, I didn't think about the problem that the firewall can't reset the
connection on behalf of a system behind it (at least I don't know if
there is a firewall which sends resets with faked IPs) and dropping
is the only way to go.

While reading man blackhole I was configuring PF on my laptop, and
with the possibility to let ports appear as closed, blackhole doesn't
look that good.

> >> If there exists someone who assumes all "filtered" ports are
> >> closed, well, wouldn't that fact demonstrate that the blackhole
> >> mechanism does help...?
> >
> > Help with what? From the attacker's point of view it makes little
> > difference if a port appears as filtered or closed.
>
> A knowledgeable security analyst or a blackhat trying to crack the
> network would certainly not assume "closed" and "filtered" are the
> same thing.

You're right again; I was only thinking of the case where the firewall
is running on the target system and faking closed ports is as easy as
letting them appear as filtered.

> [ ... ]
> >>>> These reconnection attempts will greatly slow down attempts to
> >>>> scan ports rapidly.
> >>> Which shouldn't result in a DOS anyway. The reconnection attempts
> >>> will even increase the inbound traffic.
> >> Yes, but to ports that aren't actually open.
> >>
> >> It's relatively cheap and easy to process such packets by just
> >> dropping them, compared with processing them in a userland daemon.
> >
> > What userland daemon?
>
> The canonical example is inetd, but any process which listen()s on a
> port and accept()s incoming connections would qualify as a "userland
> daemon".

I know what a userland daemon is, but on a closed port there shouldn't
be one.

> >> [ ... ]
> >>> Again I don't see the gain. Eventually the port scan will be
> >>> finished and open ports found.
> >> If you can flip a sysctl which increases the time it takes for
> >> Slammer or Nimda or some other worm to scan through all of the IPs
> >> on your network, the admins there have more time to respond, and
> >> there is a better chance that AV software will get updates to block
> >> the malware before too many systems get infected.
> >
> > If you already have the firewall to drop those unwanted connections
> > you might as well just reset them.
>
> Unfortunately, a firewall can only affect traffic which passes by
> it. There are plenty of cases where someone opens an attachment in a
> malicious email, which infects their system and causes it to
> scan/probe LAN IPs.
>
> Having a firewall won't do a thing to protect you from local scans.
> Using "blackhole" on internal machines can help this scenario
> somewhat.

You mean just by slowing the scan down, or is there another effect I
didn't think of?

Fabian
-- 
http://www.fabiankeil.de/
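Added illustration of the two behaviours the thread contrasts; this is not part of either message and not a ruleset from the FreeBSD project. It is a PF configuration for a single host that makes every port it does not serve look either "filtered" (probe silently dropped) or "closed" (probe answered with a reset). The interface name em0 and the two allowed services are assumptions.

```pf
# /etc/pf.conf excerpt (added example; em0 and the service list are
# assumptions, not taken from the thread)

ext_if = "em0"
tcp_services = "{ ssh, http }"

# Option A, "filtered": blocked SYNs get no answer at all. A prober sees
# a timeout and cannot tell a closed port from a blocked one, which is
# the behaviour a forwarding firewall gives the hosts behind it and the
# behaviour the blackhole sysctl gives the local stack.
set block-policy drop
block in on $ext_if

# Option B, "closed": PF answers blocked TCP with a RST and blocked UDP
# with an ICMP unreachable, so unwanted ports look plainly closed and
# the existence of filtering on this host is not advertised.
# Uncomment these two lines and comment out Option A to use it.
# set block-policy return
# block return in on $ext_if

# Either way, only the services actually offered are reachable.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services keep state
pass out on $ext_if keep state
```

The sysctls the thread refers to do the "filtered" variant without a packet filter, for the host's own stack only: net.inet.tcp.blackhole=1 drops SYNs arriving on TCP ports with no listener instead of replying with a RST, 2 drops every segment to such ports, and net.inet.udp.blackhole=1 drops UDP to closed ports without the ICMP port-unreachable reply. Note that neither PF on the host nor the sysctl changes what the listening services reveal; they only change what a closed port looks like, and, as Chuck points out, that is relevant on internal machines because a perimeter firewall never sees LAN-to-LAN probes.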