Saturday, July 6, 2013

TCP blackholing ( try to hide your closed ports )

In this blog we will look at the TCP blackhole option.


On a typical system, when we try to connect to a closed port, a reset is sent back to the client under most Unixes.

It would be represented by the following:


A pcap dump would show the following:




You notice those Reset+ACKs being sent back to the client? That's what generates the immediate "Unable to connect to remote host" message.

This is a tell-tale sign that the port is closed. But we have another way to mask this giveaway, by using the tcp blackhole option.

Take this display:


The "Trying" will continue until the application quits and times out, and no resets are ever sent back to the client from the server that he/she was trying to access.

So how do you accomplish the above?

Easy,

We deploy the tcp blackhole, using system controls ( sysctl ), and modify our kernel on the fly.



So this is how we hide our closed ports from outside lookers :)

Applying a value of 2 will drop all packets sent to a closed port.
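As an added example (not from the original post), here is a small Python classifier that reads tcpdump-style lines and reports, per probed port, what the client side actually sees: a SYN-ACK (open), a RST+ACK (closed, the tell-tale sign above), or nothing at all with the SYN just being retransmitted (what a blackholed port looks like). The sample lines, the server address 10.0.0.9 and the port numbers are constructed, so you can run it offline; point it at a capture of your own host to verify the blackhole setting took effect.

```python
import re
from collections import Counter

# Constructed tcpdump-style output (not a real capture): a client at 10.0.0.5
# sends a SYN to an open port (22), a closed port answered with RST+ACK (81),
# and a blackholed port (82) that never answers, so the SYN is retransmitted.
SAMPLE_TCPDUMP = """\
12:00:01.000 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 65535, length 0
12:00:01.001 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000 IP 10.0.0.5.40002 > 10.0.0.9.81: Flags [S], seq 1, win 65535, length 0
12:00:02.001 IP 10.0.0.9.81 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000 IP 10.0.0.5.40003 > 10.0.0.9.82: Flags [S], seq 1, win 65535, length 0
12:00:03.500 IP 10.0.0.5.40003 > 10.0.0.9.82: Flags [S], seq 1, win 65535, length 0
"""

# tcpdump prints "host.port > host.port: Flags [..]"; [S] is SYN, [S.] SYN-ACK,
# [R.] RST-ACK (the "." in the flag list means ACK).
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify_ports(dump: str, server: str) -> dict:
    """Map each server port that received a SYN to 'open', 'closed' or 'blackholed'."""
    verdict = {}
    for line in dump.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"]
        if m["dst"] == server and "S" in flags and "." not in flags:
            # A bare SYN towards the server: assume blackholed until a reply shows up.
            verdict.setdefault(int(m["dport"]), "blackholed")
        elif m["src"] == server:
            port = int(m["sport"])
            if "R" in flags:
                verdict[port] = "closed"      # reset sent back: port is closed
            elif "S" in flags and "." in flags:
                verdict[port] = "open"        # SYN-ACK: something is listening
    return verdict


def syn_attempts(dump: str, server: str) -> Counter:
    """Count SYNs per server port; a blackholed port shows retransmissions."""
    attempts = Counter()
    for line in dump.splitlines():
        m = LINE_RE.search(line)
        if m and m["dst"] == server and m["flags"] == "S":
            attempts[int(m["dport"])] += 1
    return attempts
```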


Ken Felix
Freelance Network/Security Engineer
kfelix   -a-t     socpuppets   -d-o-t-   com

    ^      ^
= ( * @ ) =
       o
    /     \
