During our security checks it’s not unusual that auditors, clients and partners discuss vulnerabilities and risks. This discussion, assuming that it is civil and all people involved respect each other, is of great importance. Because during those discussions, the quality of the project itself as well as the overall understanding of the subject of information security will talked about.

Some of our clients are less versed in recognizing the real-life risks of an attack scenario. Sometimes, the technical understanding of the attack mechanism is lacking. Other times, it’s the understanding of the psychology of an attacker.

As an example: When we find reason to believe that a firewall component is used during one our of our network analyses, then we might classify this as a medium finding. Medium means that the vulnerability presents a means for an attacker to gain advantages in preparing an conducting an attack.

There are typical indicators in network traffic that hint at the use of a packet filter:

• Discarded Packets: Using DROP, undesired packets are discarded without infoming the sender about the rule infraction. Usually, systems using no firewall functionality deploy a DENY rule. The packet is dropped and the sender is informed about the infraction. This usually happens with a TCP segment with set RST flag or an ICMP unreachable packet. In nmap, ports are thus labelled as CLOSED and not as FILTERED. If the switch --reason is enabled, the state identified will be explained.
• Incrementing the TTL value: The time to live field in an IPv4 packet is, according to RFC 791, is being decremented by 1 when it’s passed through a routing element. Or when it remains on one for longer than a second. Firewall systems are basically routing elements and have to follow that rule. Using route tracing, inline elements can be recognized as such. This is usually attempted by using UDP or ICMP, but it can be done using the much less popular TCP.

Where is this risk that comes from using this seemingly marginal information? As an attacker, it’s important to know that the target environment is using security component, which mechanisms are deployed and predicting how those mechanisms react. In case a packet filter can be identified, it’s reasonable to assume that certain communication is limited and certain activities are protocolled or that they cause an alert. Therefore, a highly professional attacker is keen on adapting various means, mainly the following:

• Reduce timing in order to avoid restriction and discovery. The data rate should be as high as possible in order to maintain the best possible efficiency, but it also shouldn’t trigger any alarms. An outline of the standard settings of certain firewall products can be found in the article Timing für effiziente unentdeckte Portscans.

• Define choice of ports in order to gain elevated access. Typically, port 53 as target and source port is not filtered because it is used for DNS. Many an installation does not recognize a portscan with the source tcp/53. In other places, access with target port tcp/80 is always permitted.

• Change attack patterns in order to circumvent IDS and IPS solutions. The article HP Tipping Point – Analysis of the Protection Filters discusses the standard setting as found in a popular network based IPS. In the article, there are a number of attack patterns that are typically not recognized. Preferring exotic portscan techniques can be a distinct advantage. As does the use of fragmenting or dedicated options.

The example of the packet filter in this article is just that, an example. Similar effects are observable in other seemingly unimportant analyses.

It’s part of an operator’s responsibility to mask the use of security mechanisms to shield them from detection or to at least make finding them difficult. This robs highly professional attackers of the possibility to adjust to their target environment easily. The chances that the mechanisms go undetected and therefore block intruders get higher. This should be the immediate goal for vulnerabilities that, at first glance, seem to be nothing but a minor risk. Every improvement in an environment is of advantage to its operators.

About the Author

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)

Links

• http://nmap.org/book/man-bypass-firewalls-ids.html
• http://nmap.org/book/man-port-scanning-basics.html
• https://www.computec.ch/download.php?view.110
• https://www.ietf.org/rfc/rfc791.txt