Re: Can I protect myself against network attacks?

From: Gerald Vogt (vogt_at_spamcop.net)
Date: 02/15/05


Date: Tue, 15 Feb 2005 14:33:16 +0900

Bob Ladbury wrote:
> Today my home computer was under siege. Kaspersky anti-virus alerted
> me to network attacks under the names of "Helkern", "Lovesan" and "TCP
> Syn Flood" attack. There were *hundreds* of such attacks reported by
> KAV, from different IP addresses. The worst part is that somehow,
> something managed to crash my Kerio Personal Firewall 4.1, and it
> became disabled, following this message:
>
> "KPF.DLL driver. Exception occurred at address: 0x10076895. Exception
> code 0xC00000FD Firewall driver interface will be closed. "

I guess that was one purpose of the attack. And that's one more reason
why PFWs often do such a bad job: they warn users of many useless
"threats". And if there are too many "attacks" causing too many
warnings in the PFW, it may cause the PFW to crash. This would not have
happened if you had just used the SP2 firewall, which does not warn you
of those "attacks".

Why the quotes for "attacks"? If you connect to the internet you have an
IP address. Anyone can try to connect to this IP address, can send
packets there, do a ping or whatever. There is nothing you can do about
it. This is just like a door: you cannot prevent people from knocking on
the door or trying to use the handle to open it. Having said that, it
should become clear that those "warning" messages you describe are
absolutely useless: if the door is properly closed nothing can happen. A
firewall is there to close the door and it must not crash if someone
just does a legitimate "knock" on the door. In fact, the most useless
messages of PFW are those reporting "attacks" against ports that you
don't even use, no server is running on that port: it "protected" you
against a threat for which you are not vulnerable.

The SP2 firewall does a perfect job in closing all the open doors on
your system (if you configure no exceptions). It does not produce
useless "warnings"; it just drops the attempt when someone tries to open
a door which Windows left open. No big overhead. No big crashes. Just
reliable work which does what it is supposed to do. Your PFW, on the
contrary, gave the attacker the real ability to do something: to annoy
you with warnings that kept you from working, eventually crashed the
PFW and maybe even after that allowed him to intrude into your system.

You can even go further, if you like: all those "open doors" that
Windows has are services running on your computer in the standard
configuration. Take the file sharing stuff: basically the services are
running, providing the services on ports. If you don't configure the
services properly or just shut them down, people from the internet may
connect to them and - as we have seen in the past - exploit bugs to
intrude into a system. You can actually configure an XP system that does
not open any ports on your system. There are descriptions out there that
show you how. If you shut down all services that listen on the internet,
closing all the ports, there is nothing for the attacker on the internet
left except the IP implementation itself, which should - let's hope - be
free of major bugs. A system not offering incoming internet connections
to your computer does not even need a firewall: there is nothing to
attack because the IP stack simply discards any connection attempt to
your computer, just the way it is supposed to do. (And again, there is
no need to warn you about perfectly normal behaviour.)

> Windows SP2 Security Center was active at the time, but it didn't say
> diddly to me to let me know that Kerio was no longer active. So much
> for a year's hard work on SP2 on the part of the engineers at Redmond.

Well, maybe you did not see it between all those warning messages until
it crashed.

> I did not find any Trojan activity after all this, no programs
> resident in memory or trying to dial out, and KAV said it suppressed
> the attempts.

It blocked them until it crashed I suppose. After that your system may
have been open and accessible depending on what exactly crashed and what
was still up and running...

> But I still feel very vulnerable and want to prevent these
> types of attacks (be they direct network attacks or trojans) from ever
> reaching far enough into my system to be caught by Kaspersky. Because
> what if a trojan or network attack comes in that isn't recognized by
> KAV, or manages to crash and disable KAV? I figure my machine is being
> specifically target by a hacker, because KAV reports new attacks
> within *seconds* of disabling the firewall.

Turn on the SP2 firewall. Don't allow exceptions. That should give you a
quiet time until they give up. Try to figure out what service they
attack (I would say the file sharing, but it is hard to tell without more
details). If you don't need file sharing, disable it and shut down the
services associated with it (set them to disabled). Check your
configuration with "netstat -a" in a command prompt window. Every line
with LISTENING and every line with a UDP service is listening on the
network. A FW blocks traffic to these services, but it would certainly
be more efficient to shut down the services which you don't need anyway.

> MY QUESTION IS THIS: Can a hardware firewall protect me against the
> network and trojan attacks described above? If so, does this include

A hardware firewall does protect you as well. It does not offer
"services" to the internet connection. It relays your outgoing traffic
into the internet and just accepts replies to this. Anybody scanning
your system would then see the situation as mentioned above with the
turned-on SP2 FW or when all services are shut down. (Again, the SP2 FW
should give you pretty much the same, as neither the SP2 FW nor the
hardware firewall sends you any pop-ups or strange warnings.) The
hardware firewall would become essential in my opinion if you ran a
local network with two computers that share files with file sharing.
Then you need the file sharing service and it gets a little bit tricky
to properly configure your XP (although even that is not impossible)
with internet connection sharing and file sharing to a local network.

Gerald
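One way to work through the "netstat -a" check recommended above, as an added example that is not part of the original thread: it parses numeric Windows netstat output (a constructed sample in the form "netstat -an" prints; plain "netstat -a" on XP resolves names, so the -n switch is assumed) and lists the TCP LISTENING and UDP sockets reachable from the network, marking the file-sharing ports so you can see which services to disable or firewall.

```python
import re
from typing import NamedTuple

# Constructed sample of Windows "netstat -an" output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3456       64.233.160.1:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    127.0.0.1:1900         *:*
"""

# Ports used by Windows file and printer sharing (NetBIOS/SMB).
FILE_SHARING_PORTS = {
    ("TCP", 139): "NetBIOS session (file sharing)",
    ("TCP", 445): "SMB over TCP (file sharing)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
    ("UDP", 445): "SMB over UDP",
}

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    reachable: bool  # False when bound to loopback only
    note: str        # file-sharing label, or "" for other services

# Proto, local addr:port, foreign addr:port, optional state (absent for UDP).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listeners(netstat_output: str) -> list[Listener]:
    """Every socket accepting unsolicited input: TCP rows in LISTENING state
    and every UDP row (UDP has no state, so each bound port is an open door)."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m[1], m[2], int(m[3]), m[4]
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not open doors
        note = FILE_SHARING_PORTS.get((proto, port), "")
        found.append(Listener(proto, addr, port, not addr.startswith("127."), note))
    return found

def exposed(netstat_output: str) -> list[Listener]:
    """Listeners reachable from the network: what a firewall must cover,
    or what should be shut down if the service is not needed."""
    return [l for l in listeners(netstat_output) if l.reachable]
```

Running it on a real capture ("netstat -an > ports.txt", then passing the file contents) shows which of the remaining open doors are file sharing and which are other services worth disabling.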


