BLACKHOLE (4) | Special files and drivers | Unix Manual Pages

NAME

blackhole - a sysctl(8) MIB for manipulating behaviour in respect of refused TCP or UDP connection attempts

SYNOPSIS


.Cd sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
.Cd sysctl net.inet.udp.blackhole[=[0 | 1]]

DESCRIPTION

The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are received on TCP or UDP ports where there is no socket listening.

Normal behaviour, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a RST segment, and drop the connection. The connecting system will see this as a "Connection refused". By setting the TCP blackhole MIB to a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole. By setting the MIB value to two, any segment arriving on a closed port is dropped without returning a RST. This provides some degree of protection against stealth port scans.

In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. Note that this behaviour will prevent remote systems from running traceroute(8) to the system.

The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system. It could potentially also slow down someone who is attempting a denial of service attack.
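The following helpers are an added example, not part of the manual page or the FreeBSD source: they audit the current setting from sysctl(8) output and emit validated /etc/sysctl.conf lines, so an administrator can see which dropping behaviour is in force and cannot persist an out-of-range value. The "name: value" output format of sysctl(8) and the key=value format of sysctl.conf are assumed.

```shell
# Added example (not from the blackhole(4) manual page). Assumes sysctl(8)
# prints "net.inet.tcp.blackhole: 2" style lines and that /etc/sysctl.conf
# takes "key=value" lines.

# Translate a tcp/udp blackhole value into what the kernel will do.
describe_blackhole() {   # $1 = tcp|udp, $2 = value
    case "$1:$2" in
        tcp:0) echo "tcp: RST sent for SYN to closed port (default)" ;;
        tcp:1) echo "tcp: SYN to closed port dropped silently" ;;
        tcp:2) echo "tcp: any segment to closed port dropped silently" ;;
        udp:0) echo "udp: ICMP port unreachable sent (default, traceroute works)" ;;
        udp:1) echo "udp: datagram to closed port dropped silently (inbound traceroute breaks)" ;;
        *)     echo "$1: invalid blackhole value '$2'" >&2; return 1 ;;
    esac
}

# Parse the output of "sysctl net.inet.tcp.blackhole net.inet.udp.blackhole"
# (read from stdin) and describe each setting.
report_blackhole() {
    while IFS= read -r line; do
        case "$line" in
            net.inet.tcp.blackhole:*) describe_blackhole tcp "${line##*: }" ;;
            net.inet.udp.blackhole:*) describe_blackhole udp "${line##*: }" ;;
        esac
    done
}

# Emit /etc/sysctl.conf lines for the requested values, refusing out-of-range
# ones so a typo cannot silently leave the default in place.
blackhole_conf() {   # $1 = tcp value (0-2), $2 = udp value (0-1)
    describe_blackhole tcp "$1" >/dev/null || return 1
    describe_blackhole udp "$2" >/dev/null || return 1
    printf 'net.inet.tcp.blackhole=%s\nnet.inet.udp.blackhole=%s\n' "$1" "$2"
}

# On a FreeBSD host: sysctl net.inet.tcp.blackhole net.inet.udp.blackhole | report_blackhole
# The input below is constructed so the example runs offline.
printf 'net.inet.tcp.blackhole: 2\nnet.inet.udp.blackhole: 1\n' | report_blackhole
blackhole_conf 2 1
```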

WARNING

The TCP and UDP blackhole features should not be regarded as a replacement for ipfw(8) as a tool for firewalling a system. In order to create a highly secure system, ipfw(8) should be used for protection, not the blackhole feature.

This mechanism is not a substitute for securing a system. It should be used together with other security mechanisms.

SEE ALSO

ip(4), tcp(4), udp(4), ipfw(8), sysctl(8)

HISTORY

AUTHORS
