
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detection of various network attacks

Andrej Šimko

359952

[email protected]

08.05.2013

Project on Advanced Topics in IT Security

1. Introduction

The main goal of this project is to observe attacks on ESET Smart Security 6's firewall, to discover its ability to detect various attacks coming from the same LAN, and to find out the thresholds that trigger a warning or detection for those attacks.

2. Testing environment

To simulate the firewall's reaction in a real-life scenario, two notebooks were used: the attacker, without any antivirus or firewall present, and the victim, running Windows 7 64-bit with ESET Smart Security 6 turned on. Both were connected through cables (or wirelessly) to an intermediate device, a router, which was reset to default factory settings. The victim's IPv4 address is 192.168.0.101, the attacker's is 192.168.0.100 and the router's is 192.168.0.1.

3. About ESET Smart Security 6

ESET Smart Security 6.0.316.0 is the newest version of the commercial internet security suite from the company ESET for end-user devices such as desktop computers or laptops. It gives the end station comprehensive protection, since it integrates an antivirus, a firewall, an Intrusion Detection System, a Host Intrusion Prevention System, antispam, parental control and other means of protection. It has received multiple awards throughout the world [1].

4. Port scanning

Port scanning is a technique for discovering open ports on a host computer or any other network device. If there are any open ports, an attacker might be able to use them to mount some kind of attack. On the other hand, port scanning is widely used by network administrators to find out whether the ports of their computers are secured well enough. One of the best widely available tools specializing in different scans and options is Nmap, which was used to launch port scanning attacks against ESET Smart Security 6's firewall and thus test its reactions, capabilities and thresholds for port scanning. The Nmap manual page, with many examples and explanations, can be found at [4].

4.1. TCP SYN = "-sS"

This default Nmap port scanning variant is very quick and stealthy, since it never completes a TCP connection. It isn't platform specific, so it works on any platform. It differentiates between open (the reply to the SYN packet is SYN/ACK or SYN), closed (RST is received) and filtered (no response is received, or an ICMP unreachable error is received) port states.

4.2. TCP Connect() = "-sT"

This technique is used when the user doesn't have the privileges to send raw packets: Nmap asks the operating system to establish an entire TCP connection with the port on the destination machine. It is a much slower variant than the TCP SYN scan and requires more packets. With this technique the target machine is more likely to log the connection.

4.3. TCP NULL, FIN, XMAS = "-sN", "-sF", "-sX"

These scans exploit a loophole in the TCP RFC to differentiate between open and closed ports. If the system complies with the RFC text, a closed port is indicated by an RST in response to any packet that doesn't contain the SYN, RST or ACK bits. If no response is received, the port is designated open|filtered. If an ICMP unreachable error is received, the port is marked filtered. However, not all operating systems follow RFC 793 to the letter, which results in all ports being labeled closed. Such systems include those from Microsoft or Cisco, whose response is RST no matter whether the port is open or closed. This scan should work on most UNIX-based systems, though.

4.4. TCP ACK = "-sA"

This variant is slightly different from all the others, because it does not determine whether ports are open or closed but rather whether they are filtered or unfiltered. This is done by sending packets with only the ACK bit set. Unfiltered ports respond with an RST packet no matter whether they are open or closed. Ports that send an ICMP unreachable error or don't reply at all are marked filtered.

4.5. TCP Window = "-sW"

The Window scan is exactly the same as the TCP ACK scan, but thanks to implementation details of some systems it is also able to differentiate between open and closed ports. It does so by examining whether the window size in the reply is zero or a positive number, because some systems respond with a zero window size if the port is closed and a positive number if the port is open. However, this type of scan is not trustworthy, because only a minority of systems behave this way.

4.6. TCP Maimon = "-sM"

Named after its discoverer, the Maimon scan behaves like the NULL, FIN or XMAS scan. The only difference is that the probe has the FIN/ACK bits set. According to the TCP RFC, an RST packet should be generated in response to such a probe no matter whether the port is open or closed. However, some systems simply drop the packet if the port is open.

4.7. UDP = "-sU"

UDP scanning is much slower than TCP scanning, because probe responses may be lost and many systems (mainly Linux ones) limit the generation of ICMP destination unreachable messages to one per second. For the most common ports Nmap sends a protocol-specific payload; for the other ports the payload is left empty. If an ICMP port unreachable error is received, the port is labeled closed. If other ICMP unreachable errors are received, the port is marked filtered. If a UDP response is received, the port is designated open. If no response is received, the port is classified as open|filtered.

4.8. SCTP INIT = "-sY"

SCTP is a newer protocol that is an alternative to TCP and UDP. SCTP INIT is the SCTP equivalent of TCP SYN, because it doesn't establish the entire connection. It differentiates between open, closed and filtered ports.

4.9. SCTP COOKIE ECHO = "-sZ"

A more advanced variant of SCTP scanning that is even stealthier than SCTP INIT. The disadvantage is its inability to distinguish open ports from filtered ones.

4.10. Service/version detection = "-sV"

Nmap is also able to tell what kind of service protocol runs on the selected port (Telnet, SSH, FTP, ...), the application name (Apache httpd, Solaris telnetd, ...), the version number, the hostname, the type of device (router, printer, ...) and the OS family (Windows, Linux, ...).

5. Port scanning and ESET Smart Security 6

I used the default scanning options ("nmap -[technique] 192.168.0.101", where "[technique]" was chosen from {-sS, -sT, -sN, -sF, -sX, -sA, -sW, -sM, -sU, -sY, -sZ, -sV}) to discover which scanning techniques ESET Smart Security 6 can detect. I found that ESET Smart Security 6 successfully detects the following Nmap methods: TCP SYN, TCP Connect(), UDP and service/version detection. It completely lacks the ability to detect the following scanning methods, however: TCP ACK, TCP Window, TCP Maimon, TCP NULL, TCP FIN, TCP XMAS, SCTP INIT and SCTP COOKIE ECHO. Nmap's default number of scanned ports is 1000; only the SCTP scans use fewer ports (52), all of which were scanned.

Next, I tried to observe how many ports can be scanned with each of the detected methods without triggering detection. I found that if anyone scans only 8 ports, ESET Smart Security 6 won't detect it at all (but scanning 9 ports will be detected!). An example is "nmap -p 190-197 192.168.0.101". I also discovered that scanning ports in non-random, consecutive order (e.g. ascending, like 190, 191, 192, 193, 194, as opposed to random order, like 194, 190, 192, 193, 191) has no effect on the detection of the scan. Another setting that has no effect on detection is scanning the top ports, so I would recommend using "--top-ports" in any command, since there is a higher probability of finding open ports.

There is also a way to scan all ports with the techniques that ESET Smart Security 6 can detect. One can set either "--max-rate 1" or "--scan-delay 1". Both options limit the scan to 1 port per second, and at that rate the scan is not detected at all by this firewall. When "--scan-delay" is set to 0.9, or "--max-rate" to 1.1, the scan is detected, so setting either of them to 1 is the right choice.

Another method of successfully evading scan detection is fragmentation. When the MTU is set to 8 or 16, both TCP SYN and service/version detection can be used without limiting the number of probes per second. One can achieve this with the command "nmap -f --mtu 16 -technique 192.168.0.101", where "-technique" is one of {-sS, -sV} and "--mtu" is one of {8, 16}. Setting the maximum transfer unit higher than 16 causes the port scan to be successfully detected. TCP Connect() and UDP scans, however, are detected regardless of fragmentation.

The UDP scan has many unique properties that I discovered while testing it. It seems not to have specific default threshold values but rather some adaptive kind. I tried to find the highest possible value of the "--max-rate" parameter and observed the following: when set directly to anything higher than 6, the scan is detected immediately. However, when it is set to 6, then 11, and then incremented by 5 again and again, it is detected only when set to 51. After one successful detection it is again impossible to scan undetected unless the rate is set to 6 or lower and the process is started again. I tried incrementing by values other than 5, and the highest possible increment was 9. When incrementing by 9, detection occurred at 60. The exact command I used was "nmap -n --top-ports 100 --max-rate 6 -sU 192.168.0.101". On the other hand, "--scan-delay" set to 0.05 works perfectly and is undetectable, while 0.04 is detected.
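The two thresholds measured above (9 distinct ports trips detection, 1 port per second does not) can be modelled in a few lines of detection logic. The following Python is an added example written for this report, not code from ESET or from the original project: it counts distinct destination ports per source inside a sliding time window and names the probe type from the TCP flags, so the NULL/FIN/XMAS/ACK/Maimon scans that the firewall ignores are at least labelled. The packet records are constructed, not captured traffic; the dict layout (ts, src, dst, proto, dport, flags) is an assumption of this example.

```python
from collections import defaultdict

# Observed in the report: scanning 8 ports is silent, 9 ports trips detection.
PORT_THRESHOLD = 9

# Attacker and victim addresses from the test environment in section 2.
ATTACKER = "192.168.0.100"
VICTIM = "192.168.0.101"


def classify_tcp_flags(flags):
    """Name the probe type from its TCP flag string (letters S, A, F, P, U, R)."""
    f = set(flags)
    if not f:
        return "NULL"
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "XMAS"
    if f == {"F", "A"}:
        return "MAIMON"
    if f == {"A"}:
        return "ACK"
    if f == {"S"}:
        return "SYN"
    return "OTHER"


def detect_scans(packets, window_seconds):
    """Return {src: [alert, ...]}. An alert fires when one source probes at
    least PORT_THRESHOLD distinct (proto, port) pairs within any sliding
    window of window_seconds. Packets are dicts: ts, src, dst, proto, dport, flags."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    alerts = defaultdict(list)
    for src, plist in by_src.items():
        plist.sort(key=lambda p: p["ts"])
        window = []
        for p in plist:
            window.append(p)
            # Evict probes that fell out of the window.
            window = [q for q in window if p["ts"] - q["ts"] < window_seconds]
            ports = {(q["proto"], q["dport"]) for q in window}
            if len(ports) >= PORT_THRESHOLD:
                kinds = sorted({classify_tcp_flags(q["flags"])
                                for q in window if q["proto"] == "tcp"})
                alerts[src].append({"first_ts": window[0]["ts"],
                                    "ports": len(ports), "probe_types": kinds})
                window = []  # one alert per burst
    return dict(alerts)


def constructed_traffic():
    """Constructed probes (not captured data) against ports 190-198: a fast SYN
    scan, a 1 port/second SYN scan (the evasion from the text) and a fast NULL
    scan, which ESET Smart Security 6 does not detect at all."""
    def probe(ts, port, flags):
        return {"ts": ts, "src": ATTACKER, "dst": VICTIM,
                "proto": "tcp", "dport": port, "flags": flags}
    fast_syn = [probe(0.01 * i, 190 + i, "S") for i in range(9)]
    slow_syn = [probe(100.0 + i, 190 + i, "S") for i in range(9)]
    fast_null = [probe(300.0 + 0.01 * i, 190 + i, "") for i in range(9)]
    return fast_syn + slow_syn + fast_null


def alerts_for_window(window_seconds, packets=None):
    """Alerts for the attacker address as (first_ts, ports, probe_types) tuples."""
    packets = constructed_traffic() if packets is None else packets
    found = detect_scans(packets, window_seconds).get(ATTACKER, [])
    return [(a["first_ts"], a["ports"], a["probe_types"]) for a in found]


if __name__ == "__main__":
    print("1 s window:", alerts_for_window(1.0))
    print("60 s window:", alerts_for_window(60.0))
```

With a one-second window only the two fast bursts alert and the 1 port/second scan slips through, which is exactly the evasion the text describes; widening the window to 60 seconds catches it too, at the cost of more state per source. The probe-type label is what a log entry would need to carry for the "which flags were used" detail that section 8 finds missing.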

6. ARP Spoofing

Using Cain & Abel, I attempted to mount an ARP spoofing/poisoning attack. Thanks to its GUI, I could see that Cain & Abel was unable to launch a successful ARP spoofing attack against the given IP address (no matter the settings in Cain & Abel) when ESET Smart Security 6 was turned on. The attack was successfully detected as "Detected ARP cache poisoning attack" and countered by not allowing traffic to go through the attacker. However, when the firewall was turned off and then turned on while the attack was already in progress, both old and new connections were successfully routed through the attacker. Yes, they were detected, but not countered. I haven't found any way of making an ARP spoofing attack undetected.

7. Denial of Service

A DoS attack is an attempt to make devices or an entire network unavailable to legitimate users. There is dedicated DoS software created to launch attacks on web servers based on their URL; an example is BamBam [2]. Other programs I found can (also) launch a DoS attack on a computer by entering its IP address, like Low Orbit Ion Cannon [3].

7.1. Flooding with Low Orbit Ion Cannon

This tool can target web servers based on their URL, or any computer based on its IP address. The user can also set attack options like timeout, HTTP subsite or TCP/UDP message (payload), attacked port, method (TCP, UDP or HTTP), number of threads (how many users it emulates), whether to wait for a reply, and the speed of the attack. I tried all 3 methods; since no web server runs on my victim's computer, the HTTP attack didn't do anything. The TCP attack also did nothing to my network. On the other hand, the UDP attack, firing up to 50 000 packets per second, caused about 38% network utilization. I think this number would be even higher if my attacker's netbook were better equipped (its CPU was at 100%). ESET Smart Security 6 was unable to detect any of these attacks made with LOIC. When I attacked from the victim towards the attacker (simply because of the better equipped hardware), I was able to utilize the network to 45% and the CPU of the attacked computer to about 80%. With the option "wait for reply" checked, the network was utilized to 73% and the CPU to 90%. So, using this tool, one can attack a network without ESET Smart Security 6 detecting it.

7.2. Flooding with Hping3

Using the tool Hping3 (manual pages can be found at [5]), I was also able to test other flooding attacks. While testing an ICMP flood with the "--flood" option (which means sending packets as fast as possible while ignoring incoming replies), the network utilization of the 100 Mb/s connection on the victim's computer was rather strange (see picture), and it didn't matter whether the firewall was on or off. Of course, ESET Smart Security 6 successfully detected that an attack was in progress ("Detected ICMP Flooding attack"). I noticed that when not using the "--flood" option, "hping3 --icmp 192.168.0.101" receives successful responses from the victim. I tried to find the threshold: using a waiting interval between packets ("-i u24650"), there was 0% packet loss and the traffic was not detected (although, at a network utilization of only 0.03%, it is hardly a DoS attack). Anything below this bound was detected by the firewall, which then started to drop some packets. For example, with u24000 the attack was detected along with 2% packet loss. The detection threshold is set to 201 packets: if 202 packets are sent to the victim, ESET Smart Security 6 detects an attack in progress. These 201 undetected packets can be sent 1 microsecond apart ("-i u1"). Another way around detection is "--rand-source", which isn't detected at all, and no message is logged in the firewall's logs either. Yet another successful way of avoiding detection was setting the data size to some high number (for example "-d 22304"), which also utilized over 98.4% of the network (constantly, not in peaks as shown in the picture), this time without any detection.

When flooding the victim with a UDP flood ("hping3 --udp --flood 192.168.0.101"), the victim's network adapter was utilized to a continuous 71.5% and one of the 8 CPUs to about 50%. This attack was not detected by ESET Smart Security 6, but there were hundreds of warning messages in the logs saying "Detected unexpected data in protocol", so the attack can be noticed. These warning messages can be avoided by adding "--destport 80" or another port (I also tried port 89), which makes the attack really undetectable and successful. As with ICMP flooding, one can add more data bytes to utilize more of the network, but for some reason this also lowers the usage of the one busy CPU from 50% to about 1%.

Almost the same results were observed with "--rawip", which creates TCP packets. If, however, the data size was not set (left at its default), there were hundreds of warning messages in the logs saying "Incorrect TCP packet length". This was, of course, easy to deal with by again setting the data parameter to some value. Maximum network utilization was again around 98.4% when using big data packets, but there was no need to set the destination port: TCP packets don't generate the "Detected unexpected data in protocol" warning message in the logs.
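The ICMP findings in 7.2 (201 packets pass, the 202nd is flagged, and "--rand-source" is never flagged) suggest a counter keyed on the source address. The Python below is an added example, not ESET's logic or anything from the original project: it counts packets in one-second buckets in two views at once, per source pair and per destination. The per-source view reproduces the measured threshold; the per-destination view is the check that still fires when every packet carries a different spoofed source. The packet records are constructed and the 201-per-second threshold is this example's model of the measured behaviour.

```python
from collections import Counter
import math

# Threshold measured in the text: 201 packets pass, the 202nd is flagged.
FLOOD_THRESHOLD = 201
ATTACKER = "192.168.0.100"
VICTIM = "192.168.0.101"


def bucket_counts(packets, key):
    """Count packets per (key(packet), one-second bucket)."""
    counts = Counter()
    for p in packets:
        counts[(key(p), math.floor(p["ts"]))] += 1
    return counts


def detect_flood(packets, key, view):
    """Alerts for every (key, second) whose packet count exceeds FLOOD_THRESHOLD."""
    alerts = []
    for (k, second), n in sorted(bucket_counts(packets, key).items()):
        if n > FLOOD_THRESHOLD:
            alerts.append({"view": view, "key": k, "second": second, "packets": n})
    return alerts


def constructed_floods():
    """Constructed ICMP echo request records (not captured traffic)."""
    def echo(ts, src):
        return {"ts": ts, "src": src, "dst": VICTIM, "proto": "icmp"}
    # 201 packets 1 us apart: the largest burst the report saw go undetected.
    under = [echo(10.0 + i * 1e-6, ATTACKER) for i in range(201)]
    # 300 packets within one second from the attacker: a plain flood.
    over = [echo(20.0 + i * 1e-3, ATTACKER) for i in range(300)]
    # 300 packets with a different source per packet, modelling --rand-source.
    spoofed = [echo(30.0 + i * 1e-3, f"10.{i // 256}.{i % 256}.7") for i in range(300)]
    return under + over + spoofed


def run_detection(packets=None):
    """Run the per-source and per-destination views over the sample traffic."""
    packets = constructed_floods() if packets is None else packets
    return {
        "per_source": detect_flood(packets, lambda p: (p["src"], p["dst"]), "per-source"),
        "per_destination": detect_flood(packets, lambda p: p["dst"], "per-destination"),
    }


if __name__ == "__main__":
    for view, alerts in run_detection().items():
        print(view, alerts)
```

The per-source view alerts only on the second burst; the spoofed burst never exceeds one packet per source. The per-destination view alerts on both bursts, which is why a host-based detector should keep at least one aggregate counter that does not depend on the source address it is shown.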

7.3. IPv6 ICMP router advertisement

Using this attack, anyone can disable an entire network of Windows-based devices from 1 device generating only a few packets per second. The main idea of the attack lies in the behavior of IPv6. In IPv4, when a host/client told the router/DHCP server "I need an IP", it obtained one. IPv6 works differently: when a host connects to the network, the router is the one who says "I'm your router, join my network", and the host only replies "ok, I will". Thus every client on the LAN creates an address and joins the network. To carry out this attack, I used 3 commands in Backtrack: "cd /usr/local/bin", then "./fake_router6 eth0 def:c0::/64" to advertise the attacker's PC as an IPv6 router; I then waited a few seconds so that the victim's PC would notice the new router, and finally started flooding with "flood_router6 eth0". Although this flood utilized only about 0.5% of the network, it rendered my Intel i7 with 8 logical CPUs and 8 GB of RAM almost completely frozen within seconds (which is remarkable, since the attacker's netbook is only a single-core 1.7 GHz Athlon); I wasn't even able to move the mouse. ESET Smart Security 6 did not detect this DoS attack, which I find rather strange, since the attacker was firing thousands of packets per second (although it only takes about 5 packets per second to drive the CPU to 100%). After issuing "ipconfig | more" on the victim's computer, there were of course many IPv6 addresses. What a good firewall should do about this attack is block rogue Router Advertisements. That could again be attacked if the traffic carried the source IP address of the legitimate router, but it would still be better than nothing. Or, at the very least, detecting multiple IPv6 router advertisement packets and dropping some of them would be a huge improvement. I sent an email to ESET asking whether there is any possibility to detect or protect against this attack and got a reply within 24 hours, but they haven't answered any of my questions.
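The two mitigations proposed above, blocking Router Advertisements from anything but the known router and rate-limiting the rest, are small enough to write out. The Python below is an added example, not a feature of ESET Smart Security 6 and not code from the original project: a guard that accepts an RA only when its source link-local address and MAC match a configured router and, even then, accepts at most a fixed number per second, so a flood that spoofs the legitimate router's address is cut off after a handful of prefixes. The router identity, the per-second limit and the RA records are all constructed placeholders.

```python
from collections import deque, defaultdict

# Placeholder identity of the legitimate router: (source link-local IP, source MAC).
KNOWN_ROUTERS = {("fe80::1", "00:11:22:33:44:55")}
MAX_RAS_PER_WINDOW = 5   # assumed: more RAs than this per window from one router is abnormal
WINDOW_SECONDS = 1.0


class RaGuard:
    """Accept RAs only from a known router and rate-limit even those."""

    def __init__(self):
        self.recent = deque()          # timestamps of accepted RAs
        self.prefixes = set()          # prefixes the host would actually configure
        self.counts = defaultdict(int)

    def handle(self, ra):
        """ra: dict with ts, src_ip, src_mac, prefix -> 'accept', 'drop-rogue' or 'drop-rate'."""
        if (ra["src_ip"], ra["src_mac"]) not in KNOWN_ROUTERS:
            verdict = "drop-rogue"
        else:
            # Slide the window: forget accepted RAs older than WINDOW_SECONDS.
            while self.recent and ra["ts"] - self.recent[0] >= WINDOW_SECONDS:
                self.recent.popleft()
            if len(self.recent) >= MAX_RAS_PER_WINDOW:
                verdict = "drop-rate"
            else:
                self.recent.append(ra["ts"])
                self.prefixes.add(ra["prefix"])
                verdict = "accept"
        self.counts[verdict] += 1
        return verdict


def constructed_ras():
    """Constructed RA records (not captured traffic): one from the real router,
    a burst of rogue RAs with a new prefix each (flood_router6 style), then a
    burst that spoofs the legitimate router's address and MAC."""
    legit = [{"ts": 0.0, "src_ip": "fe80::1", "src_mac": "00:11:22:33:44:55",
              "prefix": "2001:db8::/64"}]
    rogue = [{"ts": 1.0 + 0.01 * i, "src_ip": f"fe80::bad:{i}",
              "src_mac": f"02:00:00:00:00:{i:02x}",
              "prefix": "def:c0::/64" if i == 0 else f"2001:db8:{i}::/64"}
             for i in range(20)]
    spoofed = [{"ts": 5.0 + 0.01 * i, "src_ip": "fe80::1", "src_mac": "00:11:22:33:44:55",
                "prefix": f"2001:db8:{100 + i}::/64"} for i in range(10)]
    return legit + rogue + spoofed


def run_guard(records=None):
    """Feed the records through a fresh guard; return verdicts, counts and
    how many distinct prefixes the host would have ended up with."""
    guard = RaGuard()
    records = constructed_ras() if records is None else records
    verdicts = [guard.handle(r) for r in records]
    return verdicts, dict(guard.counts), len(guard.prefixes)


if __name__ == "__main__":
    verdicts, counts, prefixes = run_guard()
    print(counts, "prefixes configured:", prefixes)
```

Without the guard the host in this sample would configure 31 prefixes; with it, 6. The rate limit is what keeps the "spoof the real router" variant from becoming the flood again, at the cost of delaying a genuine router that happens to send a burst of updates.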

7.4. 2 ARP spoofing attacks at once

Another type of DoS attack, this time against the network connection itself, was done by setting up ARP spoofing twice with the IP addresses of the victim and router swapped. This was done in Backtrack by first setting the attacker's machine to forwarding mode: "echo 1 > /proc/sys/net/ipv4/ip_forward". Then an iptables rule to intercept HTTP requests was set up ("iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000"). Convincing the network to send its traffic to my machine was done with "arpspoof -i eth0 -t 192.168.0.101 192.168.0.1". The second arpspoof, which ended in a Denial of Service, was "arpspoof -i eth0 -t 192.168.0.1 192.168.0.101". This attack was detected as "Detected ARP cache poisoning attack" and also as "Identical IP addresses detected in network". The network seemed unused (0-0.01% utilization), but when trying to connect to the internet, Google Chrome returned "Error 105 (net::ERR_NAME_NOT_RESOLVED): Unable to resolve the server's DNS address". The internet connection was thus entirely disabled. The conclusion is that ESET Smart Security 6 can effectively handle one ARP spoofing attack, but not multiple spoofings that result in DoS.

7.5. Deauthentication attack

Yet another DoS attack that ESET Smart Security 6 doesn't detect is sending deauthentication packets when the victim is connected via wireless. In Backtrack, I issued "airmon-ng start wlan0", then "airodump-ng mon0" to discover the access point's (my router's) BSSID/MAC address. When this was done, I simply started flooding deauthentication packets either to the entire network, disconnecting all computers on it ("aireplay-ng -0 0 -a [BSSID of router] mon0"), or to just a selected computer (with "-c [MAC of victim]" added). Neither of these attacks was noticed by ESET Smart Security 6. The only way of noticing it was Windows' inability to connect to the wireless LAN. This attack can also be done with the "mdk3" command: "mdk3 mon0 d -b blacklist -c 11", where "blacklist" is a file with the BSSID of the station ("echo [target BSSID] > blacklist") and "11" is the channel, which is easily found in the output of "iwlist wlan0 scan". I also asked ESET about detecting this type of attack: they first tried to convince me that it would be detected as ARP spoofing, since they were pretty sure that ARP spoofing is needed to perform this type of attack, but after another email exchange they told me there is no way in ESET Smart Security 6 to detect it.

8. Relevant settings in ESET Smart Security 6

All relevant settings are located in Advanced Setup/Network/Personal Firewall/IDS and advanced options. The user can turn the detection of various attacks on or off separately (ARP Poisoning, DNS Poisoning, TCP Port Scanning, UDP Port Scanning), with the option "Block unsafe address after detection". This is a useful option for end users and is enabled by default. The blocking timer after a successfully detected attack is set to exactly 10 minutes, without any way of changing it.

However, ESET Smart Security 6 lacks any option to set the timers of the various detections; I didn't find any way that something like this would be possible. Another disadvantage from my point of view is that the personal firewall's log files carry no information about the precise type of attack (e.g. when the attack is port scanning, they display only TCP or UDP as the protocol, but no information about which flags were used in the packet, or whether the connection was fully established or only a TCP SYN packet was sent by the attacker). The only things logged, and always recorded, are: Time (without milliseconds), Event, Source, Target and Protocol, where both source and target addresses are in the IP_address:port form (when the protocol is TCP or UDP; otherwise only IP addresses are shown). One can filter the log by record type (Diagnostic, Informative, Warnings, Errors, Critical); all the attacks I made were designated Critical. Some Warning messages were also logged (Incorrect TCP packet length, Suspicious IP packet fragment, Detected unexpected data in protocol). When I turned on the setting "Log all blocked connections", which is disabled by default, I was able to observe packets being blocked during port scanning. There were 2 types of logged messages saying that something was blocked, but both were only Informative. The first one appeared with the default setting of blocking the unsafe address after detection: "Address temporarily blocked by active defense (IDS)". The second one appeared when this setting was turned off: "Packet blocked by active defense (IDS)".
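Even with the limited fields described above, the log can be mined for more than the GUI shows: the Target port is recorded for TCP and UDP events, so the number of distinct ports a source touched can be recovered after the fact. The Python below is an added example, not ESET's export format and not code from the original project: it parses a tab-separated export with the five fields the text lists (Time, Event, Source, Target, Protocol) plus a record-type column, splits "IP_address:port" only for TCP/UDP as the text describes, and summarizes record types, Critical events per source and targeted ports per source. The tab-separated layout, the record-type column and the sample lines are constructed assumptions; the event strings are the ones quoted in this report except "Detected Port Scanning attack", which is a placeholder.

```python
from collections import Counter, defaultdict

# Constructed sample export (assumed layout, not ESET's real file format):
# Time \t Record type \t Event \t Source \t Target \t Protocol
SAMPLE_LOG = "\n".join([
    "08.05.2013 14:02:11\tCritical\tDetected ICMP Flooding attack\t192.168.0.100\t192.168.0.101\tICMP",
    "08.05.2013 14:05:30\tCritical\tDetected Port Scanning attack\t192.168.0.100:47112\t192.168.0.101:190\tTCP",
    "08.05.2013 14:05:30\tInformative\tAddress temporarily blocked by active defense (IDS)\t192.168.0.100:47113\t192.168.0.101:191\tTCP",
    "08.05.2013 14:09:02\tWarning\tIncorrect TCP packet length\t192.168.0.100:2000\t192.168.0.101:0\tTCP",
    "08.05.2013 14:12:45\tCritical\tDetected ARP cache poisoning attack\t192.168.0.100\t192.168.0.101\tARP",
    "08.05.2013 14:15:10\tInformative\tPacket blocked by active defense (IDS)\t192.168.0.100:53001\t192.168.0.101:53\tUDP",
])


def split_endpoint(field, proto):
    """'ip:port' -> (ip, port) for TCP/UDP records, as the text describes;
    for other protocols the field is the bare IP address (only the IPv4
    form shown in the report is handled)."""
    if proto in ("TCP", "UDP"):
        host, _, port = field.rpartition(":")
        if port.isdigit():
            return host, int(port)
    return field, None


def parse_log(text):
    """Parse the export into a list of dicts; reject lines with a wrong field count."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 6:
            raise ValueError(f"unexpected field count in line: {line!r}")
        time, rtype, event, source, target, proto = parts
        src_ip, src_port = split_endpoint(source, proto)
        dst_ip, dst_port = split_endpoint(target, proto)
        records.append({"time": time, "type": rtype, "event": event, "proto": proto,
                        "src_ip": src_ip, "src_port": src_port,
                        "dst_ip": dst_ip, "dst_port": dst_port})
    return records


def summarize(records):
    """Counts by record type, Critical events per source and the sorted set of
    target ports each source touched (the one scan detail the log does keep)."""
    by_type = Counter(r["type"] for r in records)
    critical = Counter(r["src_ip"] for r in records if r["type"] == "Critical")
    ports = defaultdict(set)
    for r in records:
        if r["dst_port"] is not None:
            ports[r["src_ip"]].add(r["dst_port"])
    return {"by_type": dict(by_type), "critical_by_source": dict(critical),
            "targeted_ports": {s: sorted(p) for s, p in ports.items()}}


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Because the Time field carries no milliseconds, entries from the same second cannot be ordered, so the summary deliberately works on sets and counts rather than on sequence.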

The last thing I'm missing is some dialogue or information to the user about what can be or is being done while an attack is detected. I observed that detecting an ARP poisoning attack successfully prevents the attacker from routing communication through himself, but there is no information about that. If I were a user and saw the warning that I'm being attacked, I would appreciate some information that there is nothing to be afraid of, since the attack is successfully countered. Or, after detecting port scanning, just add some information that the attacker is temporarily blocked (if this setting is in effect). There could also be a simple button "find out more about this type of attack" pointing to ESET's knowledge base, so the user can directly find relevant information about that particular type of attack and whether he should be afraid of something or not.

9. Email to ESET tech support

After these findings, I wrote an email to ESET asking about detection of and possible protection against the IPv6 router advertisement attack, detection of deauthentication packets, and the possibility of setting detection thresholds for other attack types. I got a reply within 24 hours, but it was really inaccurate. They tried to tell me that all the attacks I asked about are detected through the "IDS and advanced options" settings, and that since a deauthentication attack first needs a successful ARP poisoning, it is detected when the ARP poisoning attack is attempted. Another inaccuracy they told me was that TCP flooding is also detectable. After another email exchange with ESET they admitted that the deauthentication attack isn't detectable by their firewall, but didn't answer any of my other questions, so I stopped trying to communicate with them.

10. Conclusion

There are multiple easily performed attacks using widely available (free) software from the Internet. Many of them are undetectable on systems with ESET Smart Security 6 at default settings. The only truly unsuccessful attack that I observed and could not carry out was ARP poisoning: it was always detected and countered, so packets weren't routed through the attacker. The other attacks were carried out successfully by changing their parameters. Among the attacks that can be made undetectable are port scanning and different kinds of Denial of Service attacks (TCP/UDP/ICMP flooding, the IPv6 router advertisement attack and the deauthentication attack). I haven't tried any other attacks, nor any other firewall from the same or a different company, but I think ESET should improve this personal firewall by including more information about attacks and adding more types of attacks that can be detected.

11. Resources

[1] http://www.eset.com/home/whyeset/awards/

[2] http://www.anonoperations.com/bambam

[3] http://sourceforge.net/projects/loic/

[4] http://nmap.org/book/man-port-scanning-techniques.html

[5] http://linux.die.net/man/8/hping3

[6] http://samsclass.info/ipv6/proj/flood-router6a.htm

[7] http://ashwinsaxena.com/blog/technology/deauth-attack-disconnect-computers/

[8] http://kb.eset.com/esetkb/index?page=content&id=SOLN2906&viewlocale=en_US&actp=SEARCH