Little Snitch Leaks IP

Struxxffs

Ars Centurion
649
Subscriptor
Hello,

I was not sure if this should go in the network section or the Macintosh section, since it does have to do with networking.

According to an article, Little Snitch's denied connections leak your IP address when a TCP connection is attempted.

“Every TCP packet, including any packet involved in the handshake, contains the IP addresses of the sender and the receiver. Thus, before Little Snitch can perform deep packet inspection, the IP address of your Mac may have already been sent to the remote server!”



Objective Development (the creators of little snitch) describes the reason for why this happens.

“First of all, it’s not Little Snitch which is in charge to decide whether these packets leave the computer, it’s Apple’s NetworkExtension framework.

Since we are no longer allowed to ship a kernel extension, we are required to code against this new programming interface.

So the question transforms into: “Why does the Network Extension framework allow these data packets?”

“This was a design decision made by Apple.

The Network Extension framework puts the filter code outside of the operating system kernel.

When a connection should be established, the data must be passed from the kernel to an Apple user space process and from this user space process to the respective Network Extension.

The Network Extension makes a decision based on rules, sends back the result via to the original user space process which in turn sends it down to the kernel. A long path, isn’t it?”



My question: Is using Little Snitch going to add any additional risks compared to not using it?
 

Struxxffs

Ars Centurion
649
Subscriptor
Risks of what?

So, my first understanding was that using Little Snitch provides better security as it gives you control of outbound traffic. The macOS built-in firewall only denies inbound traffic.

However, since there seems to be an IP address leak issue, I am wondering if it poses any risks in any form, where it would just be better to avoid using Little Snitch.

I'm not sure if this classifies as a vulnerability.
 

Lord Evermore

Ars Scholae Palatinae
1,490
Subscriptor++
It doesn't seem like it would be adding any risk compared to NOT using it at all. You are still limiting what data goes out without approval by the user. Little Snitch stops the process entirely at the initial SYN packet if you don't want to allow the connection, so little data other than "a device with this IP address tried to connect on port X" is ever received by the remote server. (TCP Fast Open does allow some actual data in the SYN packet, but this requires that there has been previous communication with that server. And it's not widely used, it seems.)

I question the whole "it would be hard for Apple to prevent the first packet" bit, though, but clearly if the application can't sit at the lowest network level and require all packets to be processed, or if many applications or the OS crash if the SYN packet gets intercepted and delayed, then it can't block the SYN packet. But external firewalls do that all the time without crashing everyone's computers.

They also go deep into describing a TCP SYN flood attack on servers which seems entirely irrelevant to the subject of the handshake bypass. Little Snitch is just an outbound firewall, as best I can tell, which has nothing to do with incoming SYN floods. (At best, it might have been able to stop YOUR computer from sending a SYN flood, if it wasn't bypassed and can't actually stop the SYN packets.)
 

Struxxffs

Ars Centurion
649
Subscriptor
It doesn't seem like it would be adding any risk compared to NOT using it at all. You are still limiting what data goes out without approval by the user. Little Snitch stops the process entirely at the initial SYN packet if you don't want to allow the connection, so little data other than "a device with this IP address tried to connect on port X" is ever received by the remote server. (TCP Fast Open does allow some actual data in the SYN packet, but this requires that there has been previous communication with that server. And it's not widely used, it seems.)

I question the whole "it would be hard for Apple to prevent the first packet" bit, though, but clearly if the application can't sit at the lowest network level and require all packets to be processed, or if many applications or the OS crash if the SYN packet gets intercepted and delayed, then it can't block the SYN packet. But external firewalls do that all the time without crashing everyone's computers.

They also go deep into describing a TCP SYN flood attack on servers which seems entirely irrelevant to the subject of the handshake bypass. Little Snitch is just an outbound firewall, as best I can tell, which has nothing to do with incoming SYN floods. (At best, it might have been able to stop YOUR computer from sending a SYN flood, if it wasn't bypassed and can't actually stop the SYN packets.)

Thank you.

Is this the type of attack you are talking about?


Would installing Little Snitch improve my security or would it not be worth it?
 

DrWebster

Ars Praefectus
3,770
Subscriptor++
I question the whole "it would be hard for Apple to prevent the first packet" bit, though, but clearly if the application can't sit at the lowest network level and require all packets to be processed, or if many applications or the OS crash if the SYN packet gets intercepted and delayed, then it can't block the SYN packet. But external firewalls do that all the time without crashing everyone's computers.
A lot of enterprise NGFWs also "leak" a packet or two in order to differentiate different kinds of applications that use the same protocol. The first packet or two may look generic and require a session to be established before more defining characteristics of the traffic appear so it can be identified. It's what lets you block Dropbox without affecting Google Drive, for example, even though both use TLS.
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
So yeah, I think what you want is a real firewall with IPS features, geolocation based controls, reputation based blocking, etc.

An application on the computer will always be subject to the operating system's rules for what is allowed or not allowed before the application gets to make any choices.

That said, a lot of hardware/external firewalls do basically the same thing. They allow a certain amount of connection setup or initial traffic so they can analyze the connection without blocking it first or delaying it needlessly. The firewall has to 'ingest' a certain amount of data before it can even make a decision unless you want a very basic function based in pure IP block/allow lists which isn't as feature rich as most people would want. For example, you might end up blocking an IP address at AWS, Cloudflare, or Akamai, that has been reported for some kind of bad behavior but it actually hosts or proxies for thousands of legit websites. Most users would never have the experience or sophistication to troubleshoot such an issue so the application would either be overridden or uninstalled at the first sign of it blocking what the user actually wants/needs to do.

Every practical implementation of these kinds of things has to balance real world use and user needs (along with technical restrictions and capabilities in the actual installed use case) against 'theoretical' security enhancements and the concept of privacy.

Once you actually do anything on the internet, privacy is essentially gone unless you go to very extreme lengths to anonymize yourself, far beyond what the average or even 'enthusiast' user will pay for or want to use.

So we come back to 'what risk'? What are you hoping this kind of software will provide that basic safe computing habits do not? Or what risk does it mitigate beyond what a more basic firewall (basic home router and the firewall on the operating system) can provide?

I know it can satisfy curiosity but beyond that, as the article mentioned, Apple OS products talk to Apple all the time, and users need to be able to connect to unknown destinations on the internet all the time. Is the conceptual risk simply a question of moving the privacy slider more to one side than the other? Is the risk simply that your usage information might be used to market to you more effectively?

If so, privacy proxy services, adblocking and privacy browser addons and other privacy oriented options might be more effective than the imaginary security blanket of a piece of software that just nags you all the time, "Should I allow this connection?" And the user replies inevitably, "I guess so?"

The one use case that does make some sense is the operating system telemetry and application telemetry that phones home and reports data for user activities. I get why that feels creepy to people and I think it is a good idea to turn off those features in applications and at the OS level when possible. Using a firewall to try to block them is a very shaky idea and probably will never be totally effective.

Ultimately, what are the initial TCP connections going to provide to someone collecting that data? Imagine a service provider (Facebook for example): Today we collected data on 500 million active users. We also saw SYN connections and aborted TCP sessions from another 100 million IP addresses, many of which overlap with the active user sessions. For some IPs, thousands of active user sessions come from the same few IPs due to NAT etc.

What does Facebook do with the SYN connections or other aborted TCP sessions and all the other junk connections to their servers? Spend resources to try to track down who those IPs are used by? Or ignore them along with the other gigabytes of junk traffic they get and discard every day?

Ultimately, if you don't want facebook to know about you, don't sign up or use a facebook account. They might have cookies and other session info from various partner sites etc. but they will still have a hard time narrowing the profile down to 'you' and even if they do, so what? They can try to associate your access to some other sites and correlate it all to some unnamed user who like to go to google.com, nike.com, apple.com, netflix.com, etc. and... what? Their bundled information might be sold in a package to advertisers who want to advertise to people who do what you tend to do on the internet and eventually you see a Nike ad for their more upmarket shoes because you also appear to like Apple. That's about it. Otherwise you might have been shown an ad for the cheap Nikes, or maybe an ad for cheap Chinese USB cables or something.
 

Struxxffs

Ars Centurion
649
Subscriptor
@Paladin

The reason for the firewall was less privacy but more security.

In the event that somehow something malicious got on my system, the outbound firewall would detect this behavior and stop it from connecting to a remote server.

Having a firewall that only does inbound protection feels like it's a lot less... protective or featureless compared to firewalls on, say, Windows for example.

I might be wrong though in assuming that the outbound firewall would prevent this.

When it comes to the risk, if the IP address was revealed, then someone could possibly take advantage of the TCP issue.

However, it seems that the answer to that part was already written in the blog and I overlooked it.

There are three kinds of attackers:


  1. Those who try to attack a large amount of computers in order to establish a botnet or install ransomware. They don’t care about an individual computer, they just want to infect as many computers as possible.
  2. User tracking and analytics. These attackers usually define themselves as legitimate service providers, but the majority of people view them as privacy invaders or attackers.
  3. Targeted attacks, such as trojans introduced by law enforcement agencies, competitors, foreign secret services and similar.

Considering the different types of attackers, it is unlikely that exploiting the TCP SYN packet will be widely used for large-scale attacks targeting multiple computers.

Attackers who encounter Little Snitch installed on a system are likely to move on to more vulnerable targets.

Still curious if it would be effective at blocking and detecting outbound traffic if a malicious file was accidentally downloaded.

Please let me know your thoughts on whether Little Snitch would be worth the investment.
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
If the firewall is running on the infected machine, you can assume that the fact that it is infected means the software firewall will be immediately defeated.

If somehow the firewall escapes the infection simply disabling or uninstalling it (if you have a malware infection then it can be assumed that it gained at least some level of system permissions), the question of whether it blocks 100% of outbound traffic or only 99.999% is kind of pointless. Either way, it would block enough to be effective at preventing the malware from doing anything useful. But again, it would be highly likely that the malware would simply disable or uninstall any firewall software.

An external firewall is, again, much more capable of doing something useful in this scenario. Of course, you should not get infected by malware in the first place if you keep your machine updated, run a decent antimalware software and don't execute unrecognized programs or use an administrator/root level user for daily tasks.
 

Struxxffs

Ars Centurion
649
Subscriptor
If the firewall is running on the infected machine, you can assume that the fact that it is infected means the software firewall will be immediately defeated.

If somehow the firewall escapes the infection simply disabling or uninstalling it (if you have a malware infection then it can be assumed that it gained at least some level of system permissions), the question of whether it blocks 100% of outbound traffic or only 99.999% is kind of pointless. Either way, it would block enough to be effective at preventing the malware from doing anything useful. But again, it would be highly likely that the malware would simply disable or uninstall any firewall software.

An external firewall is, again, much more capable of doing something useful in this scenario. Of course, you should not get infected by malware in the first place if you keep your machine updated, run a decent antimalware software and don't execute unrecognized programs or use an administrator/root level user for daily tasks.

If I understand you correctly, the program can help prevent something malware related from connecting to a server, but it can not be guaranteed, and there are other better options or ways out there that would be more recommended than paying for this software?
 

Lord Evermore

Ars Scholae Palatinae
1,490
Subscriptor++
Is this the type of attack you are talking about?

That "bypass" is not a TCP SYN flood attack. That one makes a connection on a port and sends a single packet with a few bytes of data, then makes a connection on a different port and sends a few more bytes, until the total amount of desired information has been passed. Little Snitch apparently just doesn't pop an alert with this behavior. This isn't a vulnerability in Little Snitch precisely, it's just a behavior that they don't make the program alert on, probably because there's no obvious way to identify it as malicious and there is no continuous flow of traffic with a single connection like a normal program would do.

A TCP SYN flood involves your computer making hundreds, thousands, millions of SYN packets sent to a destination server which you are attacking. A botnet can be used to make thousands of computers all try to connect to that server at the same time, flooding it with SYN packets that it has to process then send back the SYN/ACK packet to the originating computers. Those computers never send the final ACK packet, so the server is left waiting for it until the timeout is reached, preventing it from processing normal traffic. This is not an attack on YOUR machine, not incoming connections to your machine, and due to the way Little Snitch works, it can't stop all those TCP SYN packets from being sent, so if your computer has been compromised it could still be used as part of a SYN flood attack and Little Snitch can't stop it. (If someone tried to attack your PC with a SYN flood, your own network firewall/router should simply drop all those SYN packets because it's not supposed to allow incoming connections unless you have configured port forwarding. If your PC is directly connected to the Internet, the built-in firewall ought to do the same thing but it takes up your system resources to process the packets. Most Internet servers are behind some sort of firewall as well, but since the server DOES expect incoming connections, the firewall has to actually use some intelligence to identify whether they are valid SYN packets or a SYN flood.)

In the end, Little Snitch provides some additional protection from your computer being used for bad things if compromised (depending on the type of things being attempted), and some privacy protection for you by stopping things sending data you don't want sent, but nothing is 100% effective at those tasks. Using Little Snitch is not going to make you LESS secure. You'd still want to use things like ad blockers and web browser privacy settings to prevent data being sent, and Little Snitch helps to protect from those apps that you can't control directly.
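One way a defender could surface the chunked-send pattern described above (many tiny, short-lived connections to one host on ever-changing ports) in per-process connection logs. This is an added example, not part of this thread or of Little Snitch; the log line format, the process names, the 203.0.113.x addresses and the thresholds are all constructed assumptions.

```python
"""Flag processes that send data as many tiny connections on varying ports."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Conn:
    ts: float        # epoch seconds when the connection was opened
    pid: int
    proc: str
    dst_ip: str
    dst_port: int
    bytes_out: int   # application bytes the client sent before closing
    duration: float  # seconds the socket stayed open


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<ts> <pid> <proc> <ip>:<port> <bytes> <secs>'."""
    ts, pid, proc, dst, nbytes, dur = line.split()
    ip, port = dst.rsplit(":", 1)
    return Conn(float(ts), int(pid), proc, ip, int(port), int(nbytes), float(dur))


def find_chunked_sends(conns: List[Conn], window: float = 60.0, max_bytes: int = 64,
                       min_conns: int = 8, min_ports: int = 5) -> List[Dict]:
    """Report (process, destination) pairs that open at least `min_conns` connections,
    each carrying at most `max_bytes`, across at least `min_ports` distinct ports,
    inside any `window`-second span. A single normal session (one long-lived
    connection carrying kilobytes) never qualifies, so ordinary browsing is ignored."""
    groups = defaultdict(list)
    for c in conns:
        if c.bytes_out <= max_bytes:          # only "a few bytes" connections matter
            groups[(c.pid, c.proc, c.dst_ip)].append(c)
    findings = []
    for (pid, proc, ip), tiny in groups.items():
        tiny.sort(key=lambda c: c.ts)
        start = 0
        for end in range(len(tiny)):          # sliding time window over the tiny sends
            while tiny[end].ts - tiny[start].ts > window:
                start += 1
            span = tiny[start:end + 1]
            ports = {c.dst_port for c in span}
            if len(span) >= min_conns and len(ports) >= min_ports:
                findings.append({"pid": pid, "proc": proc, "dst_ip": ip,
                                 "connections": len(span),
                                 "distinct_ports": len(ports),
                                 "bytes_total": sum(c.bytes_out for c in span)})
                break                         # first qualifying window is enough
    return findings


# Constructed sample log (not real traffic): two normal TLS sessions, one harmless
# single probe, and ten tiny sends to one host, each on a fresh port.
SAMPLE_LOG = [
    "1700000000.0 501 Safari 203.0.113.20:443 48211 12.4",
    "1700000003.0 501 Safari 203.0.113.21:443 9120 3.1",
    "1700000005.0 777 pinger 203.0.113.30:80 20 0.02",
] + [
    f"{1700000010.0 + i:.1f} 412 helper 203.0.113.10:{4400 + i} {5 + i} 0.04"
    for i in range(10)
]


def analyze(lines: List[str] = SAMPLE_LOG) -> List[Dict]:
    """Parse the log lines and return the findings for them."""
    return find_chunked_sends([parse_line(l) for l in lines])


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['proc']} (pid {f['pid']}) -> {f['dst_ip']}: {f['connections']} tiny "
              f"connections on {f['distinct_ports']} ports, {f['bytes_total']} bytes")
```

The thresholds are deliberately conservative; a process that legitimately fans out many small connections (a port-scanning security tool, for instance) would need an allow-list entry.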
 

Lord Evermore

Ars Scholae Palatinae
1,490
Subscriptor++
If I understand you correctly the program can help prevent something malware related connecting to a server, but it can not be guaranteed and there other better options or ways out there that would be more recommended than paying for this software?
I wouldn't say it's useless. It has its uses, depending on the concerns you have. An external firewall as @Paladin suggested is likely to cost you money as well, possibly quite a lot, either buying a pre-built piece of hardware or buying things like a Raspberry Pi and spending time learning and setting it up for yourself (or a low-end/used PC to run with firewall software in the same way). Some expensive consumer routers have firewall features even for outbound traffic, but most are not really well-designed and featureful in that aspect I think. But there are decent firewalls that just aren't well-known in the consumer space that aren't horribly expensive, a couple of or a few hundred dollars depending on what hardware features you need. And an external firewall covers your entire network, all devices, not just your one computer where you have Little Snitch installed. (But, it might not be as convenient for granular control, since you can't get a pop-up permission request for each application that tries to make a connection.)

On the software side, normal anti-malware stuff is a good idea at all times, no matter what your firewall, as well as using privacy settings in applications, ad blockers, etc., and not fucking around with downloads and websites that are risky, and that takes care of every reasonable aspect unless you're paranoid/strict about privacy. I personally wouldn't see any need for Little Snitch, I think, and I don't use any specialized firewall. I just make sure I'm fairly certain about the security of my computer and other devices, with anti-virus protection and not downloading things I'm not reasonably sure are safe, and I just accept some trade-off in privacy for less cost and effort having to continuously manage every single connection to try to avoid data gathering by Big Tech, because it's virtually impossible to get away from that sort of thing these days while still being online.
 

Struxxffs

Ars Centurion
649
Subscriptor
That "bypass" is not a TCP SYN flood attack. That one makes a connection on a port and sends a single packet with a few bytes of data, then makes a connection on a different port and sends a few more bytes, until the total amount of desired information has been passed. Little Snitch apparently just doesn't pop an alert with this behavior. This isn't a vulnerability in Little Snitch precisely, it's just a behavior that they don't make the program alert on, probably because there's no obvious way to identify it as malicious and there is no continuous flow of traffic with a single connection like a normal program would do.

A TCP SYN flood involves your computer making hundreds, thousands, millions of SYN packets sent to a destination server which you are attacking. A botnet can be used to make thousands of computers all try to connect to that server at the same time, flooding it with SYN packets that it has to process then send back the SYN/ACK packet to the originating computers. Those computers never send the final ACK packet, so the server is left waiting for it until the timeout is reached, preventing it from processing normal traffic. This is not an attack on YOUR machine, not incoming connections to your machine, and due to the way Little Snitch works, it can't stop all those TCP SYN packets from being sent, so if your computer has been compromised it could still be used as part of a SYN flood attack and Little Snitch can't stop it. (If someone tried to attack your PC with a SYN flood, your own network firewall/router should simply drop all those SYN packets because it's not supposed to allow incoming connections unless you have configured port forwarding. If your PC is directly connected to the Internet, the built-in firewall ought to do the same thing but it takes up your system resources to process the packets. Most Internet servers are behind some sort of firewall as well, but since the server DOES expect incoming connections, the firewall has to actually use some intelligence to identify whether they are valid SYN packets or a SYN flood.)

In the end, Little Snitch provides some additional protection from your computer being used for bad things if compromised (depending on the type of things being attempted), and some privacy protection for you by stopping things sending data you don't want sent, but nothing is 100% effective at those tasks. Using Little Snitch is not going to make you LESS secure. You'd still want to use things like ad blockers and web browser privacy settings to prevent data being sent, and Little Snitch helps to protect from those apps that you can't control directly.
I wouldn't say it's useless. It has its uses, depending on the concerns you have. An external firewall as @Paladin suggested is likely to cost you money as well, possibly quite a lot, either buying a pre-built piece of hardware or buying things like a Raspberry Pi and spending time learning and setting it up for yourself (or a low-end/used PC to run with firewall software in the same way). Some expensive consumer routers have firewall features even for outbound traffic, but most are not really well-designed and featureful in that aspect I think. But there are decent firewalls that just aren't well-known in the consumer space that aren't horribly expensive, a couple of or a few hundred dollars depending on what hardware features you need. And an external firewall covers your entire network, all devices, not just your one computer where you have Little Snitch installed. (But, it might not be as convenient for granular control, since you can't get a pop-up permission request for each application that tries to make a connection.)

On the software side, normal anti-malware stuff is a good idea at all times, no matter what your firewall, as well as using privacy settings in applications, ad blockers, etc., and not fucking around with downloads and websites that are risky, and that takes care of every reasonable aspect unless you're paranoid/strict about privacy. I personally wouldn't see any need for Little Snitch, I think, and I don't use any specialized firewall. I just make sure I'm fairly certain about the security of my computer and other devices, with anti-virus protection and not downloading things I'm not reasonably sure are safe, and I just accept some trade-off in privacy for less cost and effort having to continuously manage every single connection to try to avoid data gathering by Big Tech, because it's virtually impossible to get away from that sort of thing these days while still being online.

Thank you for the in depth explanation and information.
 

Struxxffs

Ars Centurion
649
Subscriptor
Made the whole thing up, too. :biggreen:

I'm not sure if you are joking.

To address understanding the concerns:

1. A TCP SYN flood attack is similar to a DDoS attack.

2. TCP packets can be used to make a connection by using the three-way handshake. The packets will not be detected as they have no application data.

An outgoing firewall will not be able to protect me from this.
 

Lord Evermore

Ars Scholae Palatinae
1,490
Subscriptor++
I'm not sure if you are joking.

To address understanding the concerns:

1. A TCP SYN flood attack is similar to a DDoS attack.

2. TCP packets can be used to make a connection by using the three-way handshake. The packets will not be detected as they have no application data.

An outgoing firewall will not be able to protect me from this.
Well not just made up. But I'd never heard of Little Snitch before so everything about it was all stuff I looked up in the moment. (I've done networking stuff for years and know what TCP SYN flood is and all that, though, and overall computer tech.) You've got the basic idea now, though, and it's up to you whether the cost of Little Snitch is worth the bit of added privacy and security. It's really not much different from someone paying for Norton 360 or ESET Internet Security or the like, except that those also include anti-virus/anti-malware software while Little Snitch is a very limited single-purpose program for pretty much the same price. (Mac users are used to paying higher prices for less product, and Mac antivirus products cost more, but even this is very limited value in my eyes because it's pretty expensive for one function.)
 

Paladin

Ars Legatus Legionis
32,552
Subscriptor
There is a few weeks worth of information here on security and privacy for Macs. https://github.com/drduh/macOS-Security-and-Privacy-Guide
There is a product mentioned there called Murus that is a capable GUI for the built in PF firewall in Mac OS. That might be better than Little Snitch though it does mention that there is at least one case of a malware package that deletes itself if it finds Little Snitch installed. Though that malware is probably not viable anymore if it has been around a while.
 

Struxxffs

Ars Centurion
649
Subscriptor
There is a few weeks worth of information here on security and privacy for Macs. https://github.com/drduh/macOS-Security-and-Privacy-Guide
There is a product mentioned there called Murus that is a capable GUI for the built in PF firewall in Mac OS. That might be better than Little Snitch though it does mention that there is at least one case of a malware package that deletes itself if it finds Little Snitch installed. Though that malware is probably not viable anymore if it has been around a while.

Thank you! I did not know that they upgraded the guide for Apple silicon. A lot of good information in here.
 

Struxxffs

Ars Centurion
649
Subscriptor
I wouldn't say it's useless. It has its uses, depending on the concerns you have. An external firewall as @Paladin suggested is likely to cost you money as well, possibly quite a lot, either buying a pre-built piece of hardware or buying things like a Raspberry Pi and spending time learning and setting it up for yourself (or a low-end/used PC to run with firewall software in the same way).

I have been thinking of purchasing a used Dell OptiPlex SFF to run OPNsense, as it will allow floating firewall rules, VLAN support, and the option to use a free IPS/IDS (although they do require training and I hear it can be a headache).

Intel CPUs (AES-NI) that are still supported with security updates, which will help determine the model of the Dell SFF to purchase, is where I'm struggling to find out what used lower-budget models to buy. How Intel names their CPUs is a bit confusing.

Another alternative to Little Snitch is LuLu from Objective-See.


Thank you, I have looked at LuLu before and it seems like it's a good alternative.