Saturday, July 6, 2013

TCP blackholing (try to hide your closed ports)

In this blog we will look at the TCP blackhole option.

On a typical system, when we try to connect to a closed port, a reset is sent back to the client under most Unixes.

It would be represented by the following:

A pcap dump would show the following:

You notice those Reset+ACKs being sent back to the client? That's what generates the immediate "Unable to connect to remote host" message.

This is a tell-tale sign that the port is closed. But we have another way to mask this giveaway, by using the tcp-blackhole option.

Take this display:

The "Trying" will continue until the application quits or times out, and no resets are ever sent back to the client from the server that he/she was trying to access.

So how do you accomplish the above?


We deploy TCP blackholes using system controls (sysctl) and modify our kernel on the fly.

So this is how we hide our closed ports from outside lookers :)

Applying a value of 2 will drop all packets sent to a closed port.
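To make the difference between the three settings concrete, here is a small model of what the server's TCP stack answers for a segment aimed at a closed port under each value of net.inet.tcp.blackhole (0 = reset as usual, 1 = drop only the initial SYN, 2 = drop everything to a closed port), together with what the connecting client experiences. This is an added illustration, not code from the post and not kernel code; the open-port set, the retransmission count and the timer values are made-up constants.

```python
"""Toy model of FreeBSD's net.inet.tcp.blackhole behaviour for closed ports.

Added illustration only: the port table, retry count and timers are
constructed sample values, not anything measured from a real system.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

OPEN_PORTS = {22, 80}  # constructed sample: the only listening services


@dataclass(frozen=True)
class Segment:
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"ACK"})


def server_reply(seg: Segment, blackhole: int) -> Optional[str]:
    """Reply the stack sends for this segment, or None if silently dropped."""
    if blackhole not in (0, 1, 2):
        raise ValueError("net.inet.tcp.blackhole must be 0, 1 or 2")
    if seg.dport in OPEN_PORTS:
        # A listening socket answers normally regardless of the sysctl.
        return "SYN+ACK" if "SYN" in seg.flags else "ACK"
    # From here on the destination port is closed.
    if blackhole == 2:
        return None  # value 2: drop every packet sent to a closed port
    if blackhole == 1 and "SYN" in seg.flags and "ACK" not in seg.flags:
        return None  # value 1: drop only the connection-opening SYN
    return "RST+ACK"  # value 0 (default): reset immediately


def client_connect(dport: int, blackhole: int,
                   syn_retries: int = 3, rto: float = 1.0) -> Tuple[str, float]:
    """Client's view of a connect(): (outcome, seconds spent waiting)."""
    waited = 0.0
    for _ in range(syn_retries + 1):
        reply = server_reply(Segment(dport, frozenset({"SYN"})), blackhole)
        if reply == "SYN+ACK":
            return "connected", waited
        if reply == "RST+ACK":
            # The RST is what produces the immediate "Unable to connect" message.
            return "Unable to connect to remote host", waited
        # No answer at all: sit in "Trying..." until the retransmit timer fires.
        waited += rto
        rto *= 2  # exponential backoff, as real stacks do
    return "timed out", waited


def outside_view(ports: Iterable[int], blackhole: int) -> Dict[int, str]:
    """How an outside SYN probe would classify each port given the setting."""
    view = {}
    for p in ports:
        r = server_reply(Segment(p, frozenset({"SYN"})), blackhole)
        view[p] = {"SYN+ACK": "open", "RST+ACK": "closed"}.get(r, "filtered")
    return view


if __name__ == "__main__":
    for setting in (0, 1, 2):
        print(f"blackhole={setting}: telnet to closed port 23 ->",
              client_connect(23, setting), "| view:", outside_view([22, 23], setting))
```

The trade-off the model makes visible: with the value set to 2 the closed port stops answering at all, so from outside it becomes indistinguishable from a port filtered upstream rather than one that is demonstrably closed, but every legitimate client that hits a wrong port now hangs until its own timer expires instead of failing fast, and the RST you would normally look for in a packet capture while troubleshooting is gone too.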

Ken Felix
Freelance Network/Security Engineer
kfelix   -a-t     socpuppets   -d-o-t-   com

    ^      ^
= ( * @ ) =
    /     \