Bugtraq mailing list archives
Re: blackice ignoring port 113
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Sat, 22 Jul 2000 18:11:02 -0700
BlackICE Defender ships with the following defaults. All these defaults can be changed by the user. These settings were chosen because we believe they provide an adequate compromise between acceptable security and ease-of-use for the less knowledgeable user. I stress words like "compromise" and "acceptable" because high-security is not acceptable to most consumers. The product is highly configurable for the expert user; though we probably need to document things better.

Allow port 113 (TCP)

A lot of ISPs do reverse-identd lookups that cause e-mail sessions to timeout if they don't get back a response (RST or SYN-ACK). Also, a lot of consumer packages install identd listeners, and sometimes they need to be enabled in order to allow access to their servers. Remember that BlackICE is a network-IDS: it does check for identd exploits even if they are allowed through the firewall component by default. If you want to change this, edit the "firewall.ini" config file.

Allow ports above 1024

This is the default configuration as shipped. Not wonderful. It stops most of the common mistakes users make, but lets most apps run correctly. BlackICE does have numerous stateful-packet filters (e.g. non-PASV FTP clients always work), but we don't have enough to default to firewalling on all ports as shipped. The user can change this with a click of the mouse, as well as by editing "firewall.ini".

Logging of events

We store all events to a file "attack-list.csv", but we only "display" the most recent 50k worth of events. Beyond that, you probably want to use 3rd party utilities like ClearICE or Excel.

Displaying port scan data

We are criticized from both sides for not showing enough data and showing too much. Sigh. Anyway, the list of ports scanned on the machine is stored in "attack-list.csv" as an extra column in the file. You can display this extra column. Right-mouse-click on the column titles in order to edit what info is displayed.

Sniffing

By default, it saves just those packets that trigger alerts. In rare conditions, your own logon failures to your own ISP might trigger an alert, causing that data to be saved to a file. BlackICE has the really cool feature of being able to save a record of all network traffic passing through the system. If you are truly paranoid (like me), you should save all traffic.

DNS and NetBIOS lookups

I really want to disable them, but they have proven useful so many times I believe the benefits outweigh the risks. A huge number of users have successfully caught friends/families/enemies this way. Remember these people who get the most value from the product are not very knowledgeable.

What is BlackICE Defender?

BlackICE Defender is a simplified version of our full network-IDS. It scans network traffic (non-promiscuous) looking for signs of intrusion. A list of most intrusions it detects is at: http://advice.networkice.com/advice/intrusions

It also contains a small personal firewall, hence the "defender" moniker.

Robert Graham
CTO/Network ICE

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () securityfocus com] On Behalf Of vali
Sent: Saturday, July 22, 2000 9:27 AM
To: BUGTRAQ () securityfocus com
Subject: blackice ignoring port 113

It's as simple as that, blackice (a somehow popular windows firewall) is ignoring TCP traffic with destination port 113 (even with "paranoid" setting). The most simple way to try this is

nmap -sS -p 113 -P0 victim (victim's blackice is silent)
nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").

Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and blackdll.dll = 2.1.22) on both win95 OSR 2 and win98 SE. This is not much, but is a simple way to flood a computer without blackice reacting in any way. Also, if somebody is using a buggy ident server this is fatal (irc clients install sometimes ident servers, without users' knowledge).

Other comments regarding BlackIce:

Blackice is doing a good job in stopping malformed packets "bad" for Microsoft IP stacks (including IGMP, fragmented ICMP aka teardrop, etc, etc). Can detect nmap stealth scan but there is no simple way to tell from the interface the port scanned (if the port is not a "standard" port). Anyway, it has extensive logging capabilities. In fact with "logging" and "evidence logging" enabled sniffed sessions can linger in the Blackice folder, alongside sensitive information like passwords. Blackice can do (automatic) DNS reverse lookup and a Netbios scan for the attackers (which can be a *very* bad thing). I think this feature is enabled by default. Blackice seems to have some limits for the number of packets logged and for the alerts displayed. This is a good thing and a bad thing. This limits the memory used but some packets can go unnoticed (and if someone sends a lot of spoofed packets the real attack will go unnoticed).
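Both messages above turn on port 113: ISPs expect an ident answer so mail sessions do not hang, while a "buggy ident server" installed by an IRC client is a liability. The following is an added example (not BlackICE or Network ICE code) of a minimal RFC 1413 responder that satisfies such lookups with a HIDDEN-USER error, never reveals a username, and rejects malformed or oversized queries instead of mishandling them; the 1000-byte limit and port range come from RFC 1413, the "0 , 0" echo for unparseable queries is this example's own choice.

```python
# Added example: hardened RFC 1413 (ident) responder, not the page's code.
import socket
import threading

MAX_LINE = 1000  # RFC 1413: a query line is at most 1000 characters


def parse_query(line: bytes):
    """Return (server_port, client_port) or None if the query is malformed."""
    if len(line) > MAX_LINE:
        return None
    try:
        left, right = line.decode("ascii").strip().split(",", 1)
        sport, cport = int(left.strip()), int(right.strip())
    except (UnicodeDecodeError, ValueError):
        return None
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return None
    return sport, cport


def build_reply(line: bytes) -> bytes:
    """Answer every well-formed query with HIDDEN-USER: no username ever leaks."""
    ports = parse_query(line)
    if ports is None:
        # Assumption: echo "0 , 0" rather than reflecting unparsed input back.
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = ports
    return f"{sport} , {cport} : ERROR : HIDDEN-USER\r\n".encode("ascii")


def serve_one(conn: socket.socket) -> None:
    """Read one query line (bounded in size and time), reply, close."""
    conn.settimeout(10)  # tighter than the 30 s RFC 1413 recommends
    try:
        data = b""
        while b"\n" not in data and len(data) <= MAX_LINE:
            chunk = conn.recv(256)
            if not chunk:
                break
            data += chunk
        conn.sendall(build_reply(data))
    except OSError:
        pass
    finally:
        conn.close()


if __name__ == "__main__":
    # Binding port 113 needs privileges; drop them after bind in real use.
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", 113))
        srv.listen(5)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=serve_one, args=(client,), daemon=True).start()
```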