Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

blackhole(4) [freebsd man page]

BLACKHOLE(4)						   BSD Kernel Interfaces Manual 					      BLACKHOLE(4)

blackhole -- a sysctl(8) MIB for manipulating behaviour in respect of refused TCP or UDP connection attempts SYNOPSIS
sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]] sysctl net.inet.udp.blackhole[=[0 | 1]] DESCRIPTION
The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are received on TCP or UDP ports where there is no socket listening. Normal behaviour, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a RST segment, and drop the connection. The connecting system will see this as a ``Connection refused''. By setting the TCP blackhole MIB to a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole. By setting the MIB value to two, any segment arriving on a closed port is dropped without returning a RST. This provides some degree of protection against stealth port scans. In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. It must be noted that this behaviour will prevent remote systems from running traceroute(8) to a system. The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system. It could potentially also slow down someone who is attempting a denial of service attack. WARNING
The TCP and UDP blackhole features should not be regarded as a replacement for firewall solutions. Better security would consist of the blackhole sysctl(8) MIB used in conjunction with one of the available firewall packages. This mechanism is not a substitute for securing a system. It should be used together with other security mechanisms. SEE ALSO
ip(4), tcp(4), udp(4), ipf(8), ipfw(8), pfctl(8), sysctl(8) HISTORY
The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0. AUTHORS
Geoffrey M. Rehmet BSD
January 1, 2007 BSD

Check Out this Related Man Page

SYNCACHE(4)						   BSD Kernel Interfaces Manual 					       SYNCACHE(4)

syncache, syncookies -- sysctl(8) MIBs for controlling TCP SYN caching SYNOPSIS
sysctl net.inet.tcp.syncookies sysctl net.inet.tcp.syncookies_only sysctl net.inet.tcp.syncache.hashsize sysctl net.inet.tcp.syncache.bucketlimit sysctl net.inet.tcp.syncache.cachelimit sysctl net.inet.tcp.syncache.rexmtlimit sysctl net.inet.tcp.syncache.count DESCRIPTION
The syncache sysctl(8) MIB is used to control the TCP SYN caching in the system, which is intended to handle SYN flood Denial of Service attacks. When a TCP SYN segment is received on a port corresponding to a listen socket, an entry is made in the syncache, and a SYN,ACK segment is returned to the peer. The syncache entry holds the TCP options from the initial SYN, enough state to perform a SYN,ACK retransmission, and takes up less space than a TCP control block endpoint. An incoming segment which contains an ACK for the SYN,ACK and matches a syncache entry will cause the system to create a TCP control block with the options stored in the syncache entry, which is then released. The syncache protects the system from SYN flood DoS attacks by minimizing the amount of state kept on the server, and by limiting the overall size of the syncache. Syncookies provides a way to virtually expand the size of the syncache by keeping state regarding the initial SYN in the network. Enabling syncookies sends a cryptographic value in the SYN,ACK reply to the client machine, which is then returned in the client's ACK. If the corre- sponding entry is not found in the syncache, but the value passes specific security checks, the connection will be accepted. This is only used if the syncache is unable to handle the volume of incoming connections, and a prior entry has been evicted from the cache. Syncookies have a certain number of disadvantages that a paranoid administrator may wish to take note of. Since the TCP options from the initial SYN are not saved, they are not applied to the connection, precluding use of features like window scale, timestamps, or exact MSS sizing. As the returning ACK establishes the connection, it may be possible for an attacker to ACK flood a machine in an attempt to create a connection. While steps have been taken to mitigate this risk, this may provide a way to bypass firewalls which filter incoming segments with the SYN bit set. To disable the syncache and run only with syncookies, set net.inet.tcp.syncookies_only to 1. The syncache implements a number of variables in the net.inet.tcp.syncache branch of the sysctl(3) MIB. Several of these may be tuned by setting the corresponding variable in the loader(8). hashsize Size of the syncache hash table, must be a power of 2. Read-only, tunable via loader(8). bucketlimit Limit on the number of entries permitted in each bucket of the hash table. This should be left at a low value to minimize search time. Read-only, tunable via loader(8). cachelimit Limit on the total number of entries in the syncache. Defaults to (hashsize x bucketlimit), may be set lower to minimize memory consumption. Read-only, tunable via loader(8). rexmtlimit Maximum number of times a SYN,ACK is retransmitted before being discarded. The default of 3 retransmits corresponds to a 45 second timeout, this value may be increased depending on the RTT to client machines. Tunable via sysctl(3). count Number of entries present in the syncache (read-only). Statistics on the performance of the syncache may be obtained via netstat(1), which provides the following counts: syncache entries added Entries successfully inserted in the syncache. retransmitted SYN,ACK retransmissions due to a timeout expiring. dupsyn Incoming SYN segment matching an existing entry. dropped SYNs dropped because SYN,ACK could not be sent. completed Successfully completed connections. bucket overflow Entries dropped for exceeding per-bucket size. cache overflow Entries dropped for exceeding overall cache size. reset RST segment received. stale Entries dropped due to maximum retransmissions or listen socket disappearance. aborted New socket allocation failures. badack Entries dropped due to bad ACK reply. unreach Entries dropped due to ICMP unreachable messages. zone failures Failures to allocate new syncache entry. cookies received Connections created from segment containing ACK. SEE ALSO
netstat(1), tcp(4), loader(8), sysctl(8) HISTORY
The existing syncache implementation first appeared in FreeBSD 4.5. The original concept of a syncache originally appeared in BSD/OS, and was later modified by NetBSD, then further extended here. AUTHORS
The syncache code and manual page were written by Jonathan Lemon <>. BSD
January 22, 2008 BSD

Featured Tech Videos