BlackIce 2.9 car Latest with patch DOS attack

Affected : BlackIce 2.9 car Latest with patch
Type : DOS attacks with URG Flag Set ARE NOT LOGGED

[ Brief History . . . . . . . . . . . . . . . . . . . . . .line 40 ]:
:
[ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 60 ]:
:
[ The Solution . . . . . . . . . . . . . . . . . . . . . .line 156 ]:
:
+-------------. :
Brief History :
+---------------`-------------------------------------------------------.
Blackice personal firewall do not log a DOS attack if sent with URG Flag:
Set.
To learn more about Blackice please visit:
http://www.networkice.com/ or http://www.iss.net/


+---------------------------+
- Test OS Applications -
Tested on Windows 2K with SP2 :
Blackice Server 2.9 car
Test was done on 4 boxes
+-----------.
The Problem
+-------------`---------------------------------------------------------.
I never played with Blackice before even I use often. I decide to play
with it a bit last night and here is what I found.

If you send a DOS (Denial Of Service) attack to an Blackice Server
protected box NON of your attack will be LOGGED in blackice.

PLEASE DO NOT MIX this is not an attack on blackice. But if you are
using blackice as your ONLY IDS then you are affected.
This mean you cannot trust Blackice Logs if you was attacked with the
same type of attacks, because your blackice wont LOG these packets.
(Packets sent with URG flag SET).



A packet crafted with URG FLAG SET to 1 and all others FLAG set to 0
will pass undetected by Blackice Server version.

Other type of packets will be detected but the detection results is not
that CORRECT. In the example below I sent a 5 packets with PUSH FLAG set
to 1 and all others to 0 this was detected by BLackice as QUESO Scan.
That is one example for many... Just play with it and you see your self.

Now the bad issue is I was able to flood my local LAN with over 10000000
packets (URG FLAG SET) and non of these packets was captured by BICE.

NOTE: During the attack BlackICE LIGHT WAS GOING NUTS... BUT ZERO attack
in the log or in the GUI.

- PACKET DETECTED AS QUESO SCAN BUT AT LEAST WAS LOGGED -
- Sniff Cpature -

IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 78
Identifier: 11783
Flags: 0x0000
TTL: 64
Protocol: 17 (UDP)
Checksum: 0xc87b
Source IP: 192.168.1.103
Dest IP: 192.168.1.101
UDP Header
Source port: 1031
Dest port: 137
Length: 58
Checksum: 0xb7e3
Raw Data
80 b0 00 00 00 01 00 00 00 00 00 00 20 43 4b 41 ( CKA)
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 (AAAAAAAAAAAAAAAA)
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 (AAAAAAAAAAAAA !)
00 01 ( )

- PACKET DETECTED AS QUESO SCAN BUT AT LEAST WAS LOGGED -
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 78
Identifier: 11784
Flags: 0x0000
TTL: 64
Protocol: 17 (UDP)
Checksum: 0xc87a
Source IP: 192.168.1.103
Dest IP: 192.168.1.101
UDP Header
Source port: 1031
Dest port: 137
Length: 58
Checksum: 0xb7e3
Raw Data
80 b0 00 00 00 01 00 00 00 00 00 00 20 43 4b 41 ( CKA)
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 (AAAAAAAAAAAAAAAA)
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 (AAAAAAAAAAAAA !)
00 01 ( )


- PACKET NOT DETECTED AT ALL BY BLACKICE -
==============================================
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 72
Identifier: 18539
Flags: 0x0000
TTL: 128
Protocol: 6 (TCP)
Checksum: 0x6e28
Source IP: 192.168.1.101
Dest IP: 192.168.1.103
TCP Header
Source port: 1
Dest port: 1
Sequence: 3158779
ack: 0
Header length: 0x50
Flags: 0x20 (URG )
Window Size: 512
Checksum: 0x27cb
Urgent Pointer: 0
Raw Data
78 39 30 78 65 62 78 30 33 78 35 64 78 65 62 78 (x90xebx03x5dxebx)
30 35 78 65 38 78 66 38 78 66 66 78 66 66 78 00 (05xe8xf8xffxffx )

- PACKET NOT DETECTED AT ALL BY BLACKICE -

IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 40
Identifier: 11785
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xc8aa
Source IP: 192.168.1.103
Dest IP: 192.168.1.101
TCP Header
Source port: 1
Dest port: 1
Sequence: 0
ack: 3158811
Header length: 0x50
Flags: 0x14 (ACK RST )
Window Size: 0
Checksum: 0xf866
Urgent Pointer: 0
Raw Data
()


- BLACKICE LOG -


13:00:50 27 BlackICE detection stopped 0.0.0.0 0.0.0
13:01:56 26 BlackICE detection started 0.0.0.0 0.0.0
13:05:07 2000321 Queso Scan 192.168.1.101 192.168.1.103
13:10:07 2000321 Queso Scan 192.168.1.101 192.168.1.103

- NOT DETECTED ATTACK WITH URG SET IS SUPPOSED TO BE HERE -
- NOT DETECTED ATTACK WITH URG SET IS SUPPOSED TO BE HERE -


- TCP Settings that may help you understanding what I sent -

[TCP]
fURG=1
fACK=0
fPUSH=0
fRESET=0
fSYN=0
fFIN=0
Acknowledge=0
Sequence=0
Window=0
Offset=0
Urgent=0
Checksum=0
SpecifyTCPChecksum=0
Data=x90xebx03x5dxebx05xe8xf8xffxffx

[UDP]
Checksum=0
SpecifyUDPChecksum=0
Data=

[ICMP]
Type=0
Code=0
Checksum=0
SpecifyICMPChecksum=0
Data=
Identifier=0
Sequence=0
Message=0

[IP]
SourceAddress=
SourcePort=1
DestinationAddress=
DestinationPort=1
HeaderSize=20
SpecifyHeaderSize=0
Identification=0
SpecifyIdentification=0
Checksum=0
SpecifyChecksum=0
TypeService=0
FragmentationType=2
DataSize=0
Offset=0
TTL=1

+------------.
The Solution
+--------------`---------------------------------------------------------.
No idea. Vendor should be informed... Blackice now I guess is owned by
ISS.Net.
+------------------------------------------------------------------------.