McAfee SecurityCenter Evaluation under DDoS Attack Traffic

securitycenter  Time: 2021-01-02

Sirisha Surisetty, Sanjeev Kumar

Network Security Research Lab, Department of Electrical/Computer Engineering,
The University of Texas-Pan American, Edinburg, USA

E-mail: sjk@utpa.edu

Received February 13, 2011; revised April 18, 2011; accepted May 12, 2011

Abstract

During the Distributed Denial of Service (DDoS) attacks, computers are made to attack other computers. Newer Firewalls nowadays are providing prevention against such attack traffic. McAfee SecurityCenter Firewall is one of the most popular security software installed on millions of Internet connected computers worldwide. “McAfee claims that if you have installed McAfee SecurityCentre with anti-virus and anti-spyware and Firewall then you always have the most current security to combat the ever-evolving threats on the Internet for the duration of the subscription”. In this paper, we present our findings regarding the effectiveness of McAfee SecurityCentre software against some of the popular Distributed Denial Of Service (DDoS) attacks, namely ARP Flood, Ping-flood, ICMP Land, TCP-SYN Flood and UDP Flood attacks on the computer which has McAfee SecurityCentre installed. The McAfee SecurityCentre software has an in-built firewall which can be activated to control and filter the Inbound/Outbound traffic. It can also block the Ping Requests in order to stop or subside the Ping based DDoS Attacks. To test the McAfee SecurityCentre software, we created the corresponding attack traffic in a controlled lab environment. It was found that the McAfee Firewall software itself was incurring DoS (Denial of Service) by completely exhausting the available memory resources of the host computer during its operation to stop the external DDoS Attacks.

Keywords: Distributed Denial of Service (DDoS) Attack, McAfee Firewall, NonPaged Pool Allocs, ARP Flood, Ping-Flood, ICMP Land, TCP-SYN Flood, UDP Flood Attack

1. Introduction

McAfee SecurityCenter Firewall is one of the most popular security software installed on millions of Internet connected computers worldwide. Today’s PCs need the protection provided by a firewall to ensure the safety of both personal data, inbound and outbound traffic. Having a firewall benefits the user and the PC by shielding them from the attacks of malicious users, would be the general thinking of a common PC user. Are these Personal Firewalls, which are provided by the most popular Antivirus companies to protect your system, safe? This is the question that we are trying to answer in this paper by evaluating the effectiveness of these personal firewalls. We know that the Firewall plays a vital role in defending against DDoS attacks. Sometimes they will cause some overhead while they are defending against the DDoS attacks. In this paper we will study the overhead, if any, caused by the McAfee SecurityCenter software firewall in defending the system against the Denial of Service attacks namely ARP Flood, Ping Flood, ICMP LAND, TCP-SYN Flood and UDP Flood attacks. We considered one attack per layer, i.e., from Layer-2 to Layer-4 in the TCP/IP suite. “McAfee claims that its security products use the award-winning technology and if you have installed McAfee SecurityCentre with anti-virus and anti-spyware and Firewall then you always have the most current security to combat the ever-evolving threats on the Internet for the duration of the subscription” [1]. There are different types of Distributed Denial of Service (DDoS) attacks and they exhaust resources of a victim computer differently such as processor, memory or bandwidth resources. The famous websites like e-Bay, e-Trade, Yahoo, Twitter and Facebook were also the victims of these DDoS attacks [2,3]. Recently, efforts have been made to increasingly deploy security systems such as Firewalls

Copyright © 2011 SciRes. JIS

114 S. SURISETTY ET AL.

...down a host in internet that can be a web server or Internet root servers itself [7]’. To evaluate the performance of McAfee SecurityCenter’s Personal Firewall against such DDoS attacks, we experimented with so called and commercially promoted, secure computer system, namely Apple’s iMac with Windows XP-SP2 operating system. We also compared the performance of McAfee SecurityCenter when the iMac platform is deploying Windows XP-SP2 with that of a DELL Inspiron 530 desktop built with Vista Business and McAfee SecurityCentre with Personal Firewall and 2 GB of RAM. We consider attacks at Layer-2, Layer-3 and Layer-4 in the TCP/IP suite in this paper. The rest of the paper is organized as

2.

...a DELL Inspiron 530 Desktop Computer with McAfee SecurityCenter. The parameters of performance evaluation considered for this experiment were the Processor utilization and the NonPaged Pool Allocations in the main memory. NonPaged Pool allocs are those pages that can never be paged out of the system as these are Kernel functions and device drivers that in particular require real memory and should be present always for execution of a process [8,9]. During the experiment, the needed performance metric values were logged by the system under attack for analysis purposes by using some of the system activity commands. The logs were the performance counters avail-
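The two metrics the experiment logs, Pool NonPaged Bytes and Pool NonPaged Allocs, are exactly the series a defender would watch for the runaway growth the paper goes on to report. The script below is an added example written for this page, not part of the paper and not a McAfee tool: it reads counter rows in the CSV layout Windows' typeperf utility produces, fits a straight line to the NonPaged Bytes series, and alerts when the series rises monotonically and the fit projects exhaustion of a memory budget within a chosen horizon. The header, host name VICTIM, timestamps and counter values are constructed; the 2 GB budget is the RAM size the paper gives for the DELL test machine, and the 250 MB/s growth rate was chosen so the budget runs out in roughly the 8 seconds the paper observed.

```python
import csv
import io
from datetime import datetime

# Suffixes of the counter column headers typeperf writes, e.g.
# "\\VICTIM\Memory\Pool Nonpaged Bytes". Both are the counters the paper plots.
BYTES_COUNTER = "Pool Nonpaged Bytes"
ALLOCS_COUNTER = "Pool Nonpaged Allocs"

# Constructed sample in typeperf's CSV layout (not real measurements): one row per
# second, NonPaged bytes climbing 250 MB/s so a 2 GB budget is gone in about 8 s,
# mimicking the runaway growth the paper reports.
LEAKING_LOG = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\VICTIM\Memory\Pool Nonpaged Bytes","\\VICTIM\Memory\Pool Nonpaged Allocs"
"06/10/2011 14:02:00.000","50000000","1000"
"06/10/2011 14:02:01.000","300000000","6000"
"06/10/2011 14:02:02.000","550000000","11000"
"06/10/2011 14:02:03.000","800000000","16000"
"06/10/2011 14:02:04.000","1050000000","21000"
"06/10/2011 14:02:05.000","1300000000","26000"
"06/10/2011 14:02:06.000","1550000000","31000"
"06/10/2011 14:02:07.000","1800000000","36000"
"06/10/2011 14:02:08.000","2050000000","41000"
'''

# Constructed healthy baseline: the pool jitters around 60 MB instead of climbing.
STEADY_LOG = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\VICTIM\Memory\Pool Nonpaged Bytes","\\VICTIM\Memory\Pool Nonpaged Allocs"
"06/10/2011 15:00:00.000","60000000","1000"
"06/10/2011 15:00:01.000","61000000","1010"
"06/10/2011 15:00:02.000","60000000","1000"
"06/10/2011 15:00:03.000","62000000","1020"
"06/10/2011 15:00:04.000","61000000","1010"
'''


def parse_typeperf_csv(text):
    """Return [(elapsed_s, nonpaged_bytes, nonpaged_allocs), ...] from a typeperf CSV dump."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    bytes_col = next(i for i, h in enumerate(header) if h.endswith(BYTES_COUNTER))
    allocs_col = next(i for i, h in enumerate(header) if h.endswith(ALLOCS_COUNTER))
    rows, t0 = [], None
    for row in reader:
        if not row:
            continue
        ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        t0 = t0 or ts
        rows.append(((ts - t0).total_seconds(), float(row[bytes_col]), int(float(row[allocs_col]))))
    return rows


def linear_fit(points):
    """Ordinary least-squares slope and intercept of y on x."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return slope, (sy - slope * sx) / n


def analyze(text, budget_bytes, horizon_s=60.0):
    """Flag NonPaged-pool growth that is monotonic and projected to exhaust
    budget_bytes within horizon_s seconds of the first sample."""
    rows = parse_typeperf_csv(text)
    series = [(t, b) for t, b, _ in rows]
    slope, intercept = linear_fit(series)
    monotonic = all(b2 > b1 for (_, b1), (_, b2) in zip(series, series[1:]))
    exhaust_s = (budget_bytes - intercept) / slope if slope > 0 else float("inf")
    return {
        "slope_bytes_per_s": slope,
        "allocs_growth": rows[-1][2] - rows[0][2],
        "monotonic": monotonic,
        "seconds_to_exhaustion": exhaust_s,
        "alert": monotonic and exhaust_s <= horizon_s,
    }


if __name__ == "__main__":
    budget = 2 * 1024 ** 3  # the 2 GB of RAM the paper's DELL test machine had
    for name, log in (("attack", LEAKING_LOG), ("baseline", STEADY_LOG)):
        print(name, analyze(log, budget))
```

The monotonic check matters as much as the slope: a pool that is merely large but stable is normal kernel behaviour, whereas a pool that never decreases while a driver is handling inbound traffic is the signature of allocations that are never freed, which is what the paper attributes the BSoD to.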

...ing here at the University of Texas-Pan American, by making multiple computers send a barrage of corresponding attack traffic to the Victim computer up to a maximum speed of 1000 Mbps/1 Gbps. We stressed out the McAfee personal firewall installed on an Apple iMac with Windows XP-SP2 operating system at the same transmission rate but changing the load at every step starting from 10 Mbps to 100 Mbps in steps of 10 Mbps ... i.e., from lower layer (layer-2) (ARP Attack) to higher layers (layer-4) (UDP Flood) in the TCP/IP suite.

3.1. ARP Flood Attack

Address Resolution Protocol (ARP) is used in Local Area networks to resolve IP addresses into hardware MAC addresses. It is a very basic and essential protocol

used to communicate in LAN either by gateway or by any host. The ARP request message consists of the IP address of the host, IP and hardware MAC address of the initiator who wish to communicate and broadcasts that within the LAN. All the hosts in the LAN receive the ARP request but only the host who has that IP will respond and unicast the initiator its hardware MAC (Medium Access Control) address. Also the ARP cache table of receiver host will be updated with the corresponding IP-MAC addresses for further communication with the initiator [10]. Attackers take advantage of this protocol and try to flood the end host with ARP Requests and the host ultimately ends up in replying to those requests and updating its cache table and gets busy with this task. With a flood of such requests, resource starvation usually happens on the host computer. Those resources can be either processor consumption or memory. One general way of DDoS is to storm the host with a barrage of ARP requests thereby incurring a DDoS attack on the host while being consumed in replying to all the requests it receives and exhausts the system resources. ARP-based flooding attack is a Layer-2 attack.

ARP Flood Attack on McAfee SecurityCenter

In this case the ARP flood was sent to iMac with Windows XP-SP2 operating system, with Windows Firewall OFF and McAfee Personal Firewall ON. The processor utilization due to this ARP-based flooding attack is shown below in Figure 2. The upper line shows the maximum processor utilization, the middle line shows the average processor utilization and the bottom line shows the minimum processor utilization of Windows XP with McAfee SecurityCenter for ARP-based flooding attack traffic. It can be observed that the average processor utilization was just 50% even for maximum attack load of 1 Gbps. In this case we can say that the system with McAfee Firewall was able to sustain the attack.

3.2. Ping Flood Attack

Ping is a type of ICMP message that is used to know the reachability of a host. Based on RFC 0792 [11], ICMP Echo request must be replied with an ICMP Echo Reply message. Attackers take advantage of this protocol and try to flood the end host with Ping Requests and the host ultimately replies to those requests and hence consumes the computer resources. With a flood of such requests, resource starvation usually happens on the host computer. The attacker, generally, spoofs the source IP and sends a barrage of Ping requests to the victim computer. The victim computer incurs Denial of Service while being consumed in replying to all the requests it receives. This Ping Flood Attack is a Layer-3 attack in the TCP/IP suite. One of the earlier works shows that a simple Ping attack can make the target host busy in processing the ping requests consuming 100% of the CPU utilization [12].

Ping Flood Attack on McAfee SecurityCenter

Ping Flooding traffic is sent to the iMac deploying Windows XP-SP2 with McAfee SecurityCenter. When the attack was started the system simply froze after a while giving a BSoD (Blue Screen of Death). When restarted the system displayed the message on the screen as shown in Figures 3 and 4. After restarting the system again 1 Gbps of traffic is sent to it and again the system behaved in the same manner giving the BSoD. Figures 5 and 6 show the Pool NonPaged bytes and Allocs for this time. The processor utilization was just 50% on an average. The default mode of McAfee firewall is to block the incoming ping requests as shown in Figure 7 above. We have not opted for “Allow ICMP ping requests”, so we assume that the ICMP ping requests are not allowed and hence system will be safe. But just after start of the attack, the system froze showing the BSoD and then it can be observed from the Figures 5 and 6 that it has just taken 8 seconds for the

Figure 2 (caption fragment): ...firewall under ARP attack.

Figure 3. System error message after restarting from BSoD.

Figure 4. System error message after restarting from BSoD.

...lowing incoming ICMP Echo Requests.

Case II: McAfee Firewall was activated and was blocking Incoming ICMP Echo Requests.

The results in each case are detailed below:

...restarted, collected the “dump files” and analyzed them for the possible reasons. The main reason for this BSoD was some module named “mfehidk.sys” that was cor-

Figure 7. Default setting in McAfee firewall showing the options to allow/disallow ping and UDP traffic.

Generally the results similar to case I were anticipated. But the system became non-responsive after 2.5 minutes of launching the attack with 100 Mbps of Ping attack traffic in the Fast Ethernet medium. System had to be restarted and the load of the attack traffic was reduced. To understand the system behavior the attack traffic was reduced to 1 Mbps. It was found that even with 1 Mbps

...34% where the entire RAM was consumed that resulted

...quest packet is spoofed with destination IP host/port address same as source’s. When a barrage of such Land

Figure 13. CPU and memory utilization just before the system hang up.

...utilization recorded for ICMP Land attacks was nearly 70% at 1 Gbps and the attack ran smoothly and the system was working normally without giving any of the effects described in case of ping attack.

3.4. TCP-SYN Flood Attack

TCP flood attack is a Layer-3 attack, which is the most popular denial of Service attack that exhausts the system resources and brings many serious threats to the entire network. The host retains many half open connections and thereby exhausts its memory and processor utilization. The Transmission Control Protocol (TCP) that is built on IP has a three-way handshake process for any connection establishment. When a client initiates the TCP connection, it sends a SYN packet to the server and then the server responds with a SYN-ACK packet and stores the request information in memory stack. After receiving the SYN-ACK packet the client should confirm the request by sending an ACK packet. When the server receives the ACK packet it checks in the memory stack to see whether this packet corresponds to a previously received SYN. If it is, then the connection is established between the client and the server and data transfer can be started. This is the Three-way handshake method used to establish a connection using TCP protocol. In TCP-SYN Flood attack, the attacker sends a barrage of SYN packets with spoofed IP address to the server and the server stores that information in the memory stack, sends the SYN-ACK and waits for the final ACK from the attacker. But the attacker will not send the ACK so such connections will be left in the memory stack. This process consumes considerable memory as well as processor utilization of the server. If large amounts of SYN attack packets were sent then a Denial of Service attack can be launched on the victim. There are many methods suggested to fight against this TCP-SYN attack [17-19]. Service packs and some firewalls have also been evaluated to measure their effectiveness in mitigating the DoS attacks [20-22].

TCP-SYN Attack on McAfee SecurityCenter

TCP-SYN flood is a Layer-4 Denial of Service attack. TCP-SYN attack traffic is sent to the iMac deploying Windows XP-SP2 with McAfee Firewall at default settings and there is no option to avoid the TCP-SYN attack. After we started the TCP-SYN attack, the system froze giving us the BSoD again, as in the case of Ping attack. The processor utilization was just 50% for 1 Gbps of traffic and the Pool NonPaged Allocs and Bytes were plotted as shown in the Figures 15 and 16. These are very much similar to the case where Ping attack was done and the reason was the same. McAfee Firewall is creating NonPaged allocations that are growing unboundedly in the main memory and cannot be paged out. The operating system cannot allocate more than the assigned memory so it is causing a system freeze and resulting in BSoD. It can be observed that it took 8 seconds for the system to freeze from the Figures 15 and 16.

3.5. UDP Flood Attack

DDoS attack using the UDP packets is called UDP Flood attack. UDP Flood attack is a Layer-4 attack. Specialists have discovered the UDP Flood vulnerabilities during the year 1998-2000 in many systems including Microsoft products. In UDP Flood attack a barrage of UDP packets are sent to the victim computer either on specified ports or on random ports. The victim computer processes the incoming data to determine which application it has requested on that port and in case of absence of requested application on that port, the victim sends a “ICMP Destination Unreachable” message to the sender, which is generally a spoofed IP. If such a barrage of requests were sent then it results in Denial of Service on the victim
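The three-way handshake and the half-open connections that spoofed SYNs leave behind can be made concrete with a small event-driven model of the server side. The following Python is an added example written for this page; it is neither the paper's material nor a model of McAfee's driver. It keeps a table of SYN-RECEIVED entries, feeds it a constructed trace of 150 spoofed SYNs that are never acknowledged followed by one legitimate client, and compares a table that never reaps entries (the unbounded growth described above) with one that caps the backlog and expires unacknowledged entries after a timeout, a generic mitigation that is not one the paper evaluates. Source addresses come from the RFC 5737 documentation ranges; the backlog size, timeout and packet rates are arbitrary choices for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Src = Tuple[str, int]  # (source IP, source port) identifying one pending SYN


@dataclass
class HalfOpenTable:
    """Toy model of a server's SYN backlog: entries in SYN-RECEIVED state.

    max_entries: backlog cap; a SYN arriving at a full table is refused.
    timeout_s:   how long an unacknowledged entry is kept; None means the
                 entry is never reaped, i.e. memory grows with every SYN.
    """
    max_entries: int
    timeout_s: Optional[float]
    entries: Dict[Src, float] = field(default_factory=dict)  # src -> time SYN-ACK was sent
    refused: int = 0
    established: int = 0

    def _reap(self, now: float) -> None:
        if self.timeout_s is None:
            return
        stale = [s for s, t in self.entries.items() if now - t > self.timeout_s]
        for s in stale:
            del self.entries[s]

    def on_syn(self, now: float, src: Src) -> bool:
        """Server receives a SYN: remember it and (conceptually) send SYN-ACK."""
        self._reap(now)
        if len(self.entries) >= self.max_entries:
            self.refused += 1
            return False
        self.entries[src] = now
        return True

    def on_ack(self, now: float, src: Src) -> bool:
        """Server receives the final ACK: established only if a matching SYN is pending."""
        self._reap(now)
        if src not in self.entries:
            return False
        del self.entries[src]
        self.established += 1
        return True


def build_events() -> List[Tuple[float, str, Src]]:
    """Constructed trace: 30 spoofed, never-acknowledged SYNs per second for
    5 s from 198.51.100.0/24 (RFC 5737), then one legitimate client from
    192.0.2.10 that completes its handshake at t = 6 s."""
    events = []
    for sec in range(5):
        for i in range(30):
            n = sec * 30 + i
            events.append((sec + i / 30, "SYN", (f"198.51.100.{n % 254 + 1}", 40000 + n)))
    events.append((6.0, "SYN", ("192.0.2.10", 51000)))
    events.append((6.1, "ACK", ("192.0.2.10", 51000)))
    return events


def run(table: HalfOpenTable, events) -> Dict[str, int]:
    """Replay events in time order and report the table's final state."""
    for now, kind, src in sorted(events, key=lambda e: e[0]):
        if kind == "SYN":
            table.on_syn(now, src)
        else:
            table.on_ack(now, src)
    return {"pending": len(table.entries), "refused": table.refused,
            "established": table.established}


if __name__ == "__main__":
    print("no reaping: ", run(HalfOpenTable(max_entries=128, timeout_s=None), build_events()))
    print("1 s timeout:", run(HalfOpenTable(max_entries=128, timeout_s=1.0), build_events()))
```

With no reaping the 128-entry table fills during the first five seconds and the legitimate client is refused along with the tail of the flood; with a one-second timeout the spoofed entries age out faster than they arrive, the table never holds more than about thirty entries, and the legitimate handshake completes. The same bounded-resource reasoning applies to any per-request state a host or a firewall keeps on behalf of unauthenticated senders.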

Figure 15. NonPaged Pool Allocs for 1 Gbps of TCP-SYN Flood when McAfee Firewall was in default mode.

...Unexpected driver code path.

...Intermediate returns from functions that allocated the

...ating a lot of NonPaged allocs and trying to occupy the

References

...sh-twitter-hobble-facebook

[15] Possible LAND Attack Vulnerability Affects Windows ...

[10] D. C. Plummer, “Ethernet Address Resolution Protocol,” ...

... Morne, 23-29 April 2006, p. 38.

[11] http://tools.ietf.org/html/rfc0792

[21] F. La...

[12] S. Kumar, “PING Attack—How Bad Is It?” Computers & Security Journal, Vol. 25, No. 5, July 2006, pp. 332-337.

... Distributed Denial of Service Attacks,” IEEE International Conference on Systems, Man, and Cybernetics, Nashville, ...

[13] Information about Mfehidk, http://www.file.net/process/mfehidk.sys.html

[22] S. Surisetty and S. Kumar, “Is McAfee SecurityCen...
