Product: Kaspersky Anti-Hacker
Version: 1.0
Website: http://www.kaspersky.com/buyonline.html?info=967571

1. Introduction
---------------

Kaspersky Anti-Hacker is a Kaspersky Lab personal firewall product. Like other products in this category, Kaspersky Anti-Hacker allows the creation of packet and application filtering rules. Among other things, Kaspersky Anti-Hacker includes a very simple Intrusion Detection System. This IDS module is automatically activated upon installation of the product. The IDS is capable of detecting only 7 attacks, including port scanning and SYN/UDP flooding.

Together with the IDS, the firewall also offers active blocking of detected attacks. This option (which is turned on by default) makes DoS attacks on remote users running Kaspersky Anti-Hacker very easy.

2. Exploit
----------

If active blocking is turned on, then upon detection of a known attack Kaspersky Anti-Hacker will block *ALL* traffic to the source IP address seen in the attack. By sending spoofed packets to a remote machine running Kaspersky Anti-Hacker, an attacker can easily deny legitimate traffic to any IP address.

Example with hping2:

    # hping -S -i u1 -s +1025 -p +21 <victims_IP_address> -w 3072 -a \
      <spoofed_IP_address>

Kaspersky Anti-Hacker will report this attack as a SYN flood and will automatically block all traffic to spoofed_IP_address.

The same thing can be accomplished with nmap's decoy option:

    # nmap -sS -P0 -D<spoofed_IP_address> <victims_IP_address>

This time Kaspersky Anti-Hacker will detect a port scanning attack and automatically block all traffic to spoofed_IP_address.

3. Solution
-----------

Disable the "Assaulter blocking time" option. Kaspersky Anti-Hacker will still report possible attacks, and the user can stop them manually.

4. Vendor
---------

Vendor notified, no response received.

Best regards,
Bojan Zdrnja
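To make the design flaw concrete, here is an added illustrative model (written for this page; it is not Kaspersky's code and not part of the advisory) of two blocking policies fed the same constructed packet stream: a naive policy that trusts the wire source address, and a gated policy that only blocks a source after it has proven itself reachable by completing a handshake. Hosts, addresses, the threshold and the "cookie" sequence numbers are all constructed; connections are keyed by source address alone as a simplification of real 4-tuple state tracking.

```python
"""Model of an IDS auto-block policy driven by spoofable source addresses."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str     # "S" SYN, "SA" SYN/ACK, "A" ACK
    dport: int
    ack: int = 0   # acknowledgement number (only meaningful on "A")


SYN_THRESHOLD = 5          # constructed: SYNs from one source before "SYN flood" fires
HOST = "192.0.2.1"         # the monitored host (constructed, documentation range)


def naive_autoblock(packets):
    """Anti-Hacker-style policy: trust the wire source address and block it outright once
    it crosses the SYN threshold. Forged SYNs therefore block whatever address they carry."""
    syns, blocked = defaultdict(int), set()
    for p in packets:
        if p.dst == HOST and p.flags == "S":
            syns[p.src] += 1
            if syns[p.src] >= SYN_THRESHOLD:
                blocked.add(p.src)
    return blocked


def handshake_gated(packets, cookies):
    """Hardened policy: SYN volume only raises an alert. A block also requires that the same
    source completed a handshake, i.e. returned an ACK matching the SYN/ACK sequence number
    (cookie) the host chose. A blind spoofer never sees the SYN/ACK, so cannot produce it."""
    syns, verified, alerts, blocked = defaultdict(int), set(), [], set()
    for p in packets:
        if p.dst != HOST:
            continue
        if p.flags == "S":
            syns[p.src] += 1
            if syns[p.src] == SYN_THRESHOLD:
                alerts.append(f"SYN threshold reached for {p.src}")
        elif p.flags == "A" and p.ack == cookies.get(p.src, -1) + 1:
            verified.add(p.src)
        if syns[p.src] >= SYN_THRESHOLD and p.src in verified:
            blocked.add(p.src)
    return alerts, blocked


# Constructed stream: six SYNs forged to carry a legitimate peer's address, then a blind ACK.
# The host's SYN/ACK (seq = cookie) goes to the real peer, which never sent a SYN and never
# ACKs; the spoofer does not see the cookie, so its guessed ACK cannot match cookie + 1.
PEER = "192.0.2.10"
COOKIES = {PEER: 1_000_000}   # sequence number the host used in its SYN/ACK to PEER
FORGED = [Packet(PEER, HOST, "S", 21 + i) for i in range(6)]
FORGED_ACK = [Packet(PEER, HOST, "A", 21, ack=42)]

if __name__ == "__main__":
    print("naive policy blocks:", naive_autoblock(FORGED + FORGED_ACK))
    print("gated policy (alerts, blocked):", handshake_gated(FORGED + FORGED_ACK, COOKIES))
```

The naive policy cuts off the legitimate peer exactly as the advisory describes, while the gated policy still raises the alert but leaves the block decision to evidence a blind spoofer cannot forge.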