portscans and blackhole
sa9k063
spam.spam at hfbk-hamburg.de
Wed Jan 29 17:32:23 UTC 2014
Hello,
On 01/29/2014 03:31 PM, Fabian Wenk wrote:
>> net.inet.tcp.blackhole=1
>>
>> +Limiting closed port RST response from 348 to 200 packets/sec
>
> According to the blackhole(4) manpage (from a FreeBSD 9.1 system):
>
> ---8<------------------------------------------------------------
> SYNOPSIS
> sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
> sysctl net.inet.udp.blackhole[=[0 | 1]]
>
> Part of DESCRIPTION:
> system will see this as a “Connection refused”. By setting the TCP
> blackhole MIB to a numeric value of one, the incoming SYN segment is
> merely dropped, and no RST is sent, making the system appear as a
> blackhole. By setting the MIB value to two, any segment arriving on
> a closed port is dropped without returning a RST. This provides
> some degree of protection against stealth port scans.
This added to the confusion and thus made me ask. The manpage says
for both values of net.inet.tcp.blackhole={1,2} that no RSTs are
sent out.
Both seem to drop SYNs and suppress sending a RST.
Reading it again, the only conclusion I could get to regarding the
difference between 1 and 2 would be that for a value of 2, all other
TCP packets with flags other than SYN are additionally ignored. Is
this a better way to understand it?
> So it is possible, that you are hit with something else than SYN
> packets and should probably set net.inet.tcp.blackhole=2, or even
> with UDP packets, then also set net.inet.udp.blackhole=1.
This remains a likely explanation, i.e. FIN scans etc.
> What output does 'sysctl -a | grep blackhole' show?
It used to be
net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 1
Since setting the TCP value to 2, no more messages like these have popped
up, supporting your line of thought.
> bye
> Fabian
thank you,
Tee
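An added illustration (not part of the thread, and not FreeBSD's own code): a small Python model of how a host answers segments arriving on a closed TCP port for each net.inet.tcp.blackhole value, following the blackhole(4) text quoted above, plus a simplified per-second cap on closed-port RST replies that reproduces the "Limiting closed port RST response" log line. The 348-probe burst and the 200 packets/sec limit are taken from the log line in the thread; the flag constants and function names are assumptions made for the example.

```python
# Added example (not from the thread): model of a FreeBSD host's reply to
# segments hitting a *closed* TCP port, per blackhole(4), plus a simplified
# model of the per-second cap on closed-port RSTs behind the log message
# "Limiting closed port RST response from N to 200 packets/sec".
from dataclasses import dataclass, field

SYN, FIN, ACK = 0x02, 0x01, 0x10  # TCP flag bits (RFC 793 layout); assumed names


def closed_port_action(blackhole: int, flags: int) -> str:
    """Return 'rst' or 'drop' for a segment that reaches a closed port.

    blackhole=0: always answer with RST (peer sees "Connection refused").
    blackhole=1: drop SYNs silently, still RST everything else.
    blackhole=2: drop every segment silently (FIN/ACK/NULL probes too).
    """
    if blackhole == 2:
        return "drop"
    if blackhole == 1 and flags & SYN:
        return "drop"
    return "rst"


@dataclass
class RstLimiter:
    """Count closed-port RST attempts per one-second window and report overflows."""
    limit: int = 200                      # packets/sec, as in the thread's log line
    counts: dict = field(default_factory=dict)

    def allow(self, second: int) -> bool:
        n = self.counts.get(second, 0) + 1
        self.counts[second] = n
        return n <= self.limit             # RSTs beyond the cap are not sent

    def messages(self) -> list:
        return [f"Limiting closed port RST response from {n} to {self.limit} packets/sec"
                for n in self.counts.values() if n > self.limit]


def simulate(blackhole: int, probes, limit: int = 200):
    """probes: iterable of (second, flags). Returns (rsts_sent, dropped, log_lines)."""
    lim = RstLimiter(limit)
    sent = dropped = 0
    for second, flags in probes:
        if closed_port_action(blackhole, flags) == "drop":
            dropped += 1
        elif lim.allow(second):
            sent += 1
        else:
            dropped += 1                   # rate-limited: no RST leaves the host
    return sent, dropped, lim.messages()


# Constructed sample: 348 FIN probes to a closed port within one second.
FIN_BURST = [(0, FIN)] * 348
```

With blackhole=1 the FIN burst still triggers 348 RST attempts and the exact log line from the thread; with blackhole=2 nothing is answered and no message appears.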