[15921] in bugtraq
Re: blackice ignoring port 113
daemon@ATHENA.MIT.EDU (Robert Graham)
Sun Jul 23 01:50:50 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NDBBIFIKDEKCCCNINKGLCEHMDJAA.bugtraq@robertgraham.com>
Date: Sat, 22 Jul 2000 18:11:02 -0700
Reply-To: Robert Graham <bugtraq@NETWORKICE.COM>
From: Robert Graham <bugtraq@NETWORKICE.COM>
X-To: vali@iname.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00072220034000.00686@localhost.localdomain>
BlackICE Defender ships with the following defaults. All these
defaults can be changed by the user. These settings were chosen
because we believe they provide an adequate compromise between
acceptable security and ease-of-use for the less knowledgeable
user. I stress words like "compromise" and "acceptable" because
high-security is not acceptable to most consumers.
The product is highly configurable for the expert user; though
we probably need to document things better.
Allow port 113 (TCP)
A lot of ISPs do reverse-identd lookups that cause e-mail sessions
to timeout if they don't get back a response (RST or SYN-ACK).
Also, a lot of consumer packages install identd listeners, and
sometimes they need to be enabled in order to allow access to
their servers.
Remember that BlackICE is a network-IDS: it does check for
identd exploits even if they are allowed through the firewall
component by default.
If you want to change this, edit "firewall.ini" config file.
Allow ports above 1024
This is the default configuration as shipped. Not wonderful. It
stops most of the common mistakes users make, but lets most apps
run correctly. BlackICE does have numerous stateful-packet filters
(e.g. non-PASV FTP clients always work), but we don't have enough
to default to firewalling on all ports as shipped.
The user can change this with a click of the mouse, as well
as editing "firewall.ini".
Logging of events
We store all events to a file "attack-list.csv", but we only
"display" the most recent 50k worth of events. Beyond that,
you probably want to use 3rd party utilities like ClearICE
or Excel.
Displaying port scan data
We are criticized from both sides for not showing enough data
and showing too much. Sigh. Anyway, the list of ports scanned on the
machine is stored in "attack-list.csv" as an extra column in
the file. You can display this extra column. Right-mouse-click
on the column titles in order to edit what info is displayed.
Sniffing
By default, it saves just those packets that trigger alerts.
In rare conditions, your own logon failures to your own ISP
might trigger an alert, causing that data to be saved to a file.
BlackICE has the really cool feature of being able to save a
record of all network traffic passing through the system. If
you are truly paranoid (like me), you should save all traffic.
DNS and NetBIOS lookups
I really want to disable them, but they have proven useful so
many times I believe the benefits outweigh the risks. A huge
number of users have successfully caught friends/families/enemies
this way. Remember these people who get the most value from
the product are not very knowledgeable.
What is BlackICE Defender?
BlackICE Defender is a simplified version of our full network-IDS.
It scans network traffic (non-promiscuous) looking for signs
of intrusion. A list of most intrusions it detects is at:
http://advice.networkice.com/advice/intrusions
It also contains a small personal firewall, hence the "defender"
moniker.
Robert Graham
CTO/Network ICE
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@securityfocus.com]On Behalf Of vali
Sent: Saturday, July 22, 2000 9:27 AM
To: BUGTRAQ@securityfocus.com
Subject: blackice ignoring port 113
It's as simple as that, blackice (a somehow popular windows firewall) is
ignoring TCP traffic with destination port 113 (even with "paranoid" setting).
The most simple way to try this is
nmap -sS -p 113 -P0 victim (victim's blackice is silent)
nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").
Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
blackdll.dll = 2.1.22) on both win95 OSR 2 and win98 SE.
This is not much, but is a simple way to flood a computer without blackice
reacting in any way. Also, if somebody is using a buggy ident server this is
fatal (irc clients install sometimes ident servers, without users
knowledge).
Other comments regarding BlackIce:
Blackice is doing a good job in stopping malformed packets "bad" for Microsoft
IP stacks (including IGMP, fragmented ICMP aka teardrop, etc, etc). Can detect
nmap stealth scan but there is no simple way to tell from the interface the
port scanned (if the port is not a "standard" port). Anyway, it has
extensive logging capabilities. In fact with "logging" and "evidence logging"
enabled sniffed sessions can linger in Blackice folder, alongside with
sensitive information like passwords.
Blackice can do (automatic) DNS reverse lookup and a Netbios scan for the
attackers (which can be a *very* bad thing). I think this feature is enabled by
default.
Blackice seems to have some limits for the number of packets logged and for the
alerts displayed. This is a good thing and a bad thing. This limits the memory
used but some packets can go unnoticed (and if someone sends a lot of spoofed
packets the real attack will go unnoticed).
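Both messages above turn on how a host answers port 113: Graham notes that an ISP's reverse-identd lookup stalls a mail session when the probe gets neither an RST nor a SYN-ACK, and vali notes that IRC clients quietly install ident servers that can leak information. The following is an added example, not code from BlackICE or from either poster: a minimal RFC 1413 responder that answers every well-formed query immediately with "ERROR : HIDDEN-USER" (a reply the RFC defines), so the querying side is never left waiting while no local user name is ever disclosed. The demo port, the 512-byte request cap, the 5-second read timeout and the "0 , 0" port pair used for unparseable queries are choices made for this example, not anything the thread specifies.

```python
"""Minimal RFC 1413 (ident) responder that never reveals a user name.

Added example (not BlackICE code and not from either poster). Every
well-formed query gets "ERROR : HIDDEN-USER", which RFC 1413 defines as a
legitimate reply, so a remote mail server's reverse-identd lookup is answered
at once instead of timing out, while nothing about local accounts leaks.
"""
import socket
import threading

IDENT_PORT = 113          # standard ident port; the demo binds an ephemeral port instead
MAX_QUERY_BYTES = 512     # assumption: cap request size so a client cannot hold the socket open
READ_TIMEOUT_SECONDS = 5  # assumption: per-connection timeout, another guard against hangs


def parse_ident_query(line: str):
    """Parse '<port-on-server> , <port-on-client>' from an ident request.

    Returns (server_port, client_port) on success, or None when the line is
    malformed or either port is outside 1..65535.
    """
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        server_port = int(parts[0].strip())
        client_port = int(parts[1].strip())
    except ValueError:
        return None
    for port in (server_port, client_port):
        if not 1 <= port <= 65535:
            return None
    return server_port, client_port


def ident_reply(line: str) -> str:
    """Build the reply line for one query.

    Valid queries get HIDDEN-USER: the port pair is echoed back but no user
    name is ever returned. Malformed queries get INVALID-PORT with the ports
    reported as "0 , 0" because they could not be parsed (an assumption of
    this example, not something the RFC mandates).
    """
    parsed = parse_ident_query(line)
    if parsed is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = parsed
    return f"{server_port} , {client_port} : ERROR : HIDDEN-USER\r\n"


def handle_connection(conn: socket.socket) -> None:
    """Read one bounded query line, send one reply, close the connection."""
    with conn:
        conn.settimeout(READ_TIMEOUT_SECONDS)
        data = b""
        try:
            while b"\n" not in data and len(data) < MAX_QUERY_BYTES:
                chunk = conn.recv(64)
                if not chunk:
                    break
                data += chunk
            conn.sendall(ident_reply(data.decode("ascii", "replace")).encode("ascii"))
        except (socket.timeout, OSError):
            pass  # a stalled or vanished client is dropped, not waited on


def serve_one_query(bind_port: int = IDENT_PORT) -> int:
    """Start a loopback listener that answers a single query on a background thread.

    Returns the port actually bound (pass 0 for an ephemeral port, as the demo does).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", bind_port))
    listener.listen(1)

    def accept_once():
        with listener:
            conn, _ = listener.accept()
            handle_connection(conn)

    threading.Thread(target=accept_once, daemon=True).start()
    return listener.getsockname()[1]


def query_ident(host: str, port: int, server_port: int, client_port: int) -> str:
    """Act as the querying side (what an ISP mail server does) and return the reply."""
    with socket.create_connection((host, port), timeout=READ_TIMEOUT_SECONDS) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        return s.recv(256).decode("ascii", "replace").strip()


def demo() -> str:
    """Round trip on loopback: the querying side gets its answer immediately."""
    port = serve_one_query(0)
    return query_ident("127.0.0.1", port, 25, 6191)


if __name__ == "__main__":
    print(demo())  # 25 , 6191 : ERROR : HIDDEN-USER
```

Run stand-alone, the script binds an ephemeral loopback port, sends itself the query a mail server would send for an SMTP connection from local port 6191, and prints the HIDDEN-USER reply. The design point is that "answer, but say nothing" is the middle ground between silently dropping port 113 (which leaves the remote side waiting for its timeout) and running a full identd that hands out account names.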