Attack Detection doesn’t work
CFP version: 3.0.13.268 X32
CPU: AMD Athlon XP 3000+ 32-bit
OS: Windows XP Professional SP2
Running security software: Avira AntiVir PersonalEdition Classic 7.06.00.270
Networks used:
Scanning + flooding over LANs: 1) 100 Mbit switched, 2) 1 Gbit switched
Scanning over WAN: Scanner 100 Mbit - Target 10 Mbit bridged, 5 hops, 6-7 ms delay
Initial CFP configuration:
Mode: Custom policy.
Wizard answers: All advanced options selected, except for complete port stealth. Allowed all LAN traffic for 2nd NIC.
Removed: Global Block Rule and LAN Allow rules created by the wizard.
Added: Various Application rules, including listen ports. Ask rule for All Applications at the end of the list.
Defense+ configuration: Train with Safe Mode
Symptoms/observations:
Port scan blocking or flood detection didn’t trigger.
Corresponding packets were logged throughout the full duration of the scan, at a rate limited to 2 packets per second. For TCP, only SYN flagged packets were logged. Packets with any other flags (FIN/RST/PUSH/ACK/URG/Xmas/Ymas) or null flags were not logged.
All ports allowed by application rules were detected as open and some client-endpoints as closed, the rest stealth. Depending on settings and network used, full-range scans were finished in 20-180 seconds and common ports scans in 5-15 seconds.
After starting a flood test, the target computer’s CPU usage rose to 80-100%. When the gigabit LAN connection was used and if the flood type was one to get logged by CFP, the computer became somewhat slow to respond.
Fix attempts:
Disabled protocol analysis - no effect.
Uninstalled and reinstalled CFP, chose the same answers (advanced) and included Incoming Alerts, adding to the wizard-created configuration only one Trusted Application rule for PuTTY and removing the LAN Allow rules. Detection didn’t trigger when repeating the tests.
Testing software and commands used:
Nmap version 4.11 (Nmap: the Network Mapper - Free Security Scanner)
Debian package version: 4.11-1
Scan common ports, TCP connect, 20 ms timeouts, min. parallelism 512 probes:
nmap -P0 -sT --min-parallelism 512 --max-rtt-timeout 20 host
TCP SYN: Replace switch “-sT” with “-sS”
All ports: Add switch “-p 1-65535”
5 ms timeouts were used with the tests through LAN.
hping3 version 3.0.0-alpha-2 ($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $)
http://www.hping.org/
Debian package version: 3.a2.ds1-3
ICMP flood, TCP SYN flood, UDP flood
time hping3 --flood --icmp host
time hping3 --flood -S host
time hping3 --flood --udp host
Floods were run for 1-5 minutes each. Different TCP flags and different data sizes were also tried (-d size). Average rates were around 8 000 - 24 000 packets/second, depending on the connection and data size used.
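As an added illustration (not part of the original report or of CFP), the following Python script shows the two detection gaps described above from the defender's side: it runs a sliding-window port-scan check over firewall log lines and separately flags TCP probes whose flags are not a bare SYN, which a logger that records only SYN-flagged packets would never show. The log line format and the sample lines are constructed for the example.

```python
"""Port-scan detector over constructed firewall log lines (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT_THRESHOLD = 8          # distinct destination ports from one source ...
WINDOW = timedelta(seconds=10)   # ... seen within this sliding window

# Constructed sample; the line format is hypothetical, not CFP's own log format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_port> flags=<tcp flags or ->"
SAMPLE_LOG = "\n".join(
    [f"2008-01-10T12:00:0{i} TCP 192.0.2.10:4000{i} -> {20 + i} flags=S"
     for i in range(10)]                                            # SYN scan, 10 ports
    + ["2008-01-10T12:00:11 TCP 192.0.2.11:50000 -> 80 flags=FPU",   # Xmas-style probe
       "2008-01-10T12:00:12 TCP 192.0.2.11:50001 -> 443 flags=",     # null-flag probe
       "2008-01-10T12:00:12 UDP 192.0.2.12:5353 -> 53 flags=-",      # single UDP packet
       "2008-01-10T12:05:00 TCP 192.0.2.12:40000 -> 22 flags=S"])    # lone SYN, minutes later


def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_port, flags) or None if malformed."""
    try:
        ts, proto, src, _arrow, dport, flags = line.split()
        src_ip = src.rsplit(":", 1)[0]
        return datetime.fromisoformat(ts), proto, src_ip, int(dport), flags.partition("=")[2]
    except ValueError:
        return None


def detect_scans(log_text, threshold=SCAN_PORT_THRESHOLD, window=WINDOW):
    """Map each source IP to the set of findings raised for it."""
    findings = defaultdict(set)
    probes = defaultdict(list)          # src_ip -> [(timestamp, dst_port)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src_ip, dport, flags = rec
        probes[src_ip].append((ts, dport))
        # Any TCP probe that is not a bare SYN is invisible to a SYN-only logger
        if proto == "TCP" and flags != "S":
            findings[src_ip].add("non_syn_probe")
    for src_ip, events in probes.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # drop events older than the window
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                findings[src_ip].add("port_scan")
                break
    return dict(findings)
```

Note that a log rate-limited to 2 packets per second, as observed above, cannot support flood detection by packet rate at all; the flag and port-diversity checks here still work on such a log.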