OpenBSD Journal

Networks, blackholes

Contributed by jose from the dark-security dept.

Akhar writes: "Blaster and its effects have got me thinking ... Is it possible to have a node on the network act as a blackhole (ie: to capture and never let go of X,Y packets)? How do you protect the inside of the network as transparently as possible? For example, at my university they were prepared for Blaster, and blocked ports 135, 139 and 1444 but forgot about roaming teachers. This let the worm spread like oil on water inside the network. Capturing all traffic on those ports and not routing it would have helped mitigate much of the spreading. This should be possible to do, but the question really is: has anyone implemented a node whose sole purpose on the network is to be a blackhole, not a firewall? Maybe I am misled, in that this is just a firewall."

In some ways this is just a firewall, but by blackholing the traffic instead of simply dropping it you can do other things with it (such as fingerprinting it by payload inspection). Anyone using some of the niftier PF features (like policy routing and "dup-to") to do such things?
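As an added illustration (not part of the original post or any comment), a pf.conf fragment showing the three approaches the thread circles around: a silent blackhole, diverting the traffic to a tarpit host with route-to, and mirroring it to an analysis host with dup-to. Interface names, addresses, the tarpit host and the port list are assumptions.

```pf
# Added example, not from the post or any commenter.  Interface names,
# addresses, the tarpit host and the port list are assumptions; syntax
# follows pf.conf(5) of the OpenBSD 3.x era discussed here (later
# releases changed the route-to/dup-to argument form, so check the
# manual of your release).  Everything not matched below is assumed to pass.

int_if     = "fxp0"          # faces the LAN the worm spreads on
mon_if     = "fxp1"          # point-to-point link to the analysis host
tarpit     = "10.255.0.2"    # LaBrea box (or just a sniffer) on that link
worm_ports = "{ 135, 139, 445 }"   # RPC/NetBIOS/SMB; adjust per worm

# "drop" answers with nothing: no RST, no ICMP unreachable.  An infected
# scanner learns nothing and stalls on its own timeouts, which is the
# same reason Pete's null route has icmp-unreach disabled.
set block-policy drop

# Variant 1: plain blackhole.  Every swallowed packet goes to pflog0, so
# "tcpdump -n -e -ttt -i pflog0" lists the infected sources by itself.
block drop in log quick on $int_if proto tcp from any to any \
    port $worm_ports

# Variant 2: divert instead of drop.  route-to pushes the original packet
# out $mon_if to the tarpit host whatever its real destination; LaBrea
# there answers the SYN and holds the worm's connection open.  The second
# rule lets the tarpit's (spoofed-source) replies back onto the LAN.
# Place these above Variant 1 (it is "quick") or remove Variant 1.
# pass in quick on $int_if route-to ($mon_if $tarpit) proto tcp \
#     from any to any port $worm_ports
# pass in quick on $mon_if proto tcp from any port $worm_ports \
#     to $int_if:network

# Variant 3: passive monitoring only.  dup-to copies each matching packet
# to the analysis host while the original is forwarded as usual, so a
# passive fingerprinter sees the traffic without a sniffer on the line.
# pass in quick on $int_if dup-to ($mon_if $tarpit) proto tcp \
#     from any to any port $worm_ports
```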



Comments
  1. By Pete () on

    ...does it with an ACL to select "bad" traffic, and then uses policy routing (a route-map statement) to set the next hop to a null interface.

    Remember, of course, to disable sending icmp-unreach on that interface.

  2. By Anonymous Coward () on

    I wish I had pf on our Cisco & Juniper core routers.

  3. By Chris Tillett () ctillett@harcourt.com on www.harcourt.com

    We are using black hole routing to send packets to null0 from bogon routes. Black hole routing allows you to send all traffic from one network to the bit bucket, but black hole routing is not application aware. I don't think you can select tcp 135 and have traffic from that port route to null0. You might be able to policy route... but that might get weird.

    Chris

    Comments
    1. By Anonymous Coward () on

      On Ciscos you can do this via route-maps... but then it kills the route forwarding, and makes it do per packet lookup... but then again I guess it varies platform to platform... (2000/3000/6000/7000) As far as pf, can't you redirect based on source / dest port? Just point it to an address that doesn't exist! Or better yet, use lo1, and give it an ip addr, but a mask bigger than 32 bits, and that will kinda act like a blackhole....

  4. By Anonymous Coward () on

    Linux, iptables, and Labrea tarpitting. I don't know if you can do similar things with pf.

    I like OBSD, but 'right tool for the right job' and all of the jazz.

    Comments
    1. By Anonymous Coward () on

      Apparently your knowledge in computers is between /dev/null and /dev/zero

      Comments
      1. By knomevol () on

        word.

        i've three obsd installs. my lan isn't without a linux install though - my two-year-old boy's "pooder!" is runnin' redhat. i promised him i'd take the training wheels off his pooder when he starts tryin' to do big-boy things with it.

        the right tool for the right job is exactly correct, though used as a finger-stuck-in-the-bum example by the initial linux-tewel poster.

      2. By Anonymous Coward () on

        Some of the OpenBSD community seems to have an emotional attachment to an operating system.

        I can only hope you guys grow up, get laid, and get away from the fucking computer for a day or two.

        You know, there are other things than OpenBSD, no?

        Comments
        1. By Anonymous Coward () on

          There are other things than OpenBSD??? You serious? ;-)

        2. By Anonymous Coward () on

          Ooo! Lookie! A troll!

          [whips out the baka-hammer]

          "Some of the OpenBSD community seems to have an emotional attachment to an operating system."

          Nah. Particularly relatively speaking. Mac advocates and particularly Linux and GPL zealots go way above board anything I've seen on the OBSD mailing lists or here.

          And if any group had an excuse to get an emotional attachment to their OS, it'd be with what they put sweat equity in. I'd be surprised if a creator did not defend his or her work, especially if years of hand-crafting, review, and ongoing changes were made.

          "I can only hope you guys grow up, get laid, and get away from the fucking computer for a day or two."

          Odd how it always seems that those that say "grow up, get laid" are the ones that come off having haven't.

          I don't hear OBSD folks publicly lamenting not getting laid a lot. Reading /. postings for over 5 years, OTOH, there are plenty that seem to publicly relate that they do not get enough (or any, for that matter). Not that this is really relevant, but you brought it up.

          As to staying away from the computer, to each their own, I say. No business of yours what I or anyone else spends their time on. Particularly if their business and livelihood is dependent on computers--something you seem wholly unaware or just ignorant of. OBSD, like Linux or commercial OSs, isn't exactly an OS that caters to just hobbyists or wannabes. I, myself, learned of OBSD when in school circa 1997, about the same time I started reading (to my current dismal embarrassment and much duress) slashdot.

          "You know, there are other things than OpenBSD, no?"

          Yes. But what do you know about them? You certainly don't appear very OBSD aware, so hopefully you are good at something else.

          re computer OSs, unfortunately, yes, there are.

          Oh, you mean in general? Gee, really. If there weren't, one would live a very short and, depending on your point of view, constipated or starved existence. (Which, given your focus on OBSD folks getting laid, probably rather indicative of your sex-starved existence.)

          [looks down at the troll smear, shifts the baka-hammer back into its transdimensional storage space for future usage]

          Comments
          1. By Anonymous Coward () on

            hi again.

            [no i dont have any baka-hammer, nor any troll-mascot]

            i think you misunderstood a lot of the post (or ignored the real points made; you certainly seem to be intelligent enough to understand them, at least).

            and, as far as my OpenBSD awareness is concerned, i do follow OpenBSD. i use it for commercial solutions, i use it at home, i use it for development and i've been keeping track of it since 2.3.

            and, even though i would probably use OpenBSD in many situations, i would still not flame other people in the case of a solution based on another operating system.

            and by all means, sure, people should protect themselves and their work, in particular something that involves such a big group of people like openbsd, but telling people to, more or less, fuck off, isn't of much help if you look from an outside perspective. this is just a childish behaviour; thus grow up (in any sense of the two words). as far as the "get laid"-thing is concerned, i guess i have pretty much to catch up on myself.

            [a new t-shirt, new pants and out we go!]

        3. By Anonymous Coward () on

          Feeling guilty are you?

          You'd only say this to assure yourself that this doesn't apply to you, when it does.

          Do you think free speech applies to trolls like yourself? Think again.

    2. By jose () on http://monkey.org/~jose/

      ok, so tell us why that's the only tool for the job. oh wait, it's not. that's right, you don't know what you're talking about because you apparently didn't read the pf docs.

      pf's "dup-to", some arpd, and some SYNACK player like labrea can be useful. or throw various other tools on there. the possibilities are endless, but you can see how a blackhole option like this (aside from route-to 127.0.0.1) can be useful to discover information about your traffic. throw this on an edge device and you don't need to throw a sniffer on the line, you are getting all packets duplicated to your box already.

  5. By A () on

    Once you are a network manager, you can scan all the hosts on your network and disconnect them, fix and reconnect (takes time, but you may log attempts to outside 135/tcp to find evil ones quicker)

  6. By Noob () on

    The solution that I implemented which seemed to work great was to make certain that every machine we had was running OpenBSD. When I heard news about these issues my only response was "Oh ya, huh, interesting."

  7. By Anonymous Coward () on

    yup, tarpitting. just read an article about this yesterday on securityfocus:

    http://www.securityfocus.com/infocus/1723

    They show you how to do it with linux, but OpenBSD is supported. Check out the project page:

    http://labrea.sourceforge.net/labrea-info.html

    Good Stuff ;)

    Comments
    1. By Anonymous Coward () on

      http://infosecuritymag.techtarget.com/2003/jun/cooltools.shtml

      In the article, they describe using passive OS fingerprinting with application-aware extensions to compile a list of problem machines (i.e. Windows computers running vulnerable versions of Outlook).

      If you were to combine that with tarpitting/blackholing, then you might not have to worry so much about whether you had crap on your network; it would be somewhat of a fascist network to be on, but it might be a little more secure.

      Hell, you could even alter the TCP stack on a transparent bridging host to have certain idiosyncrasies slightly off-kilter from the norm (while still leaving them "standard" in most respects...) and create a publicly visible, privately accessible subnet that only allows your particular flavor of packets to get through. To the rest of the world, it would appear as if that segment were down.

      Possibilities, possibilities...
