Re: Can I protect myself against network attacks?
From: Bob Ladbury (rladbury_at_kittymail.com)
Date: 15 Feb 2005 09:18:11 -0800
Gerald Vogt <email@example.com> wrote in message news:<firstname.lastname@example.org>...
> Bob Ladbury wrote:
> > Today my home computer was under siege. Kaspersky anti-virus alerted
> > me to network attacks under the names of "Helkern", "Lovesan" and "TCP
> > Syn Flood" attack. There were *hundreds* of such attacks reported by
> > KAV, from different IP addresses. The worst part is that somehow,
> > something managed to crash my Kerio Personal Firewall 4.1, and it
> > became disabled, following this message:
> > "KPF.DLL driver. Exception occurred at address: 0x10076895. Exception
> > code 0xC00000FD Firewall driver interface will be closed. "
> I guess that was one purpose of the attack. And that's one more reason
> why PFW often do such a bad job: they warn users of things of many
> useless "threats". And if there are too many "attacks" causing too many
> warning in the PFW it may cause the PFW to crash. This would not have
> had happened if you just used the SP2 firewall which does not warn you
> of those "attacks".
I don't think that's the way it crashed the PFW. In a similar attack a
back, I've seen the firewall crash before my eyes, without warning.
And I had Kerio configured not to give me any warnings in any of my
rules. So it seems that it can crash the driver almost instantly.
Let's face it, SP2 firewall
sucks; its only good for incoming threats, and even in that regard,
I'm not sure how good it is. But as I understand, it loads even before
your PFW. So now I intend to employ both the SP2 *and* Kerio (I read
that you can do this without incident), in the hopes that if Kerio
crashes, SP2 firewall will still protect me.
> Why the quotes for "attacks"? If you connect to the internet you have an
> IP address. Anyone can try to connect to this IP address, can send
> packets there, do a ping or whatever. There is nothing you can do about
> it. This is just like a door: you cannot prevent people from knocking on
> the door or trying to use the handle to open it. Having said that, it
> should become clear that those "warning" messages you describe are
> absolutely useless: if the door is properly closed nothing can happen.
The message I described above wasn't a warning message, but simply an
alert that something has gone wrong; issued I believe by Windows
itself, not the PFW.
(The firewall engine, as the message is saying, was no longer loaded,
couldn't have been issued by Kerio). And yes, it was absolutely
useless because it wasn't warning me of the threat, it was telling me
my firewall was no longer activated. SP2's security center was
supposed to 'officially' tell me that my
firewall was no longer activated, but as mentioned, it didn't even do
> firewall is there to close the door and it must not crash if someone
> just does a legitimate "knock" on the door. In fact, the most useless
> messages of PFW are those reporting "attacks" against ports that you
> don't even use, no server is running on that port: it "protected" you
> against a threat for which you are not vulnerable.
This was no 'legitimate knock on the door', though. This was a flat
network attack on my system by Helkern and Lovesan; hundreds of times
over from various IP addresses (Which I presume can not be traced to
attacker). Maybe the way the trick works is that the attacks come so
it overcomes the firewall's ability to intercept it, and causes the
crash after a time?
> The SP2 firewall does a perfect job in closing all the open doors on
> your system (if you configure no exceptions). It does not produce
> useless "warnings" it just drops when someone tries to open a door which
> Windows left open. No big overhead. No big crashes. Just reliable work
> which does what it is supposed to do. Your PFW on the contrary gave the
> attacker the real ability to do something: to annoy you with warnings,
> that kept you from working, eventually crashed the PFW and maybe even
> after that allowed him to intrude your system.
NO, the attack never intruded my system, and I never got any other
warnings than the one above about the driver closing. Now if hackers
can cause Kerio driver to crash, I'm not so sure they can't cause
SP2's dinky firewall to crash either. Don't forget, they can also
engage the RPC service and cause the system to reboot (and then load
any trojans they manage to list in the startup areas of your
registry). This can disable Windows firewall even if its the first
thing loaded on the system. I can't find a way to disable the service,
which is a huge security risk to me, because Windows won't work
without it. But I believe you can change the behavior of having it
reboot the system.
> You can even go further, if you like: all those "open doors" that
> Windows has are services running on your computer in the standard
> configuration. Take the file sharing stuff: basically the services are
> running, providing the services on ports. If you don't configure the
> services properly or just shut them down people from the internet may
> connect to it and - as we have seen in the past - exploit bugs to
> intrude a system. You can actually configure a XP system that is does
> not open an ports on your system. There are descriptions out there that
> show you how. If you shutdown all services that listen to the internet,
> closing all the ports, there is nothing for the attacker in the internet
> left except the IP implementation itself which should - let's hope - be
> free of major bugs. A system not offering incoming internet connections
> to your computer does not even need a firewall: there is nothing to
> attack because the IP stack simply discards any connection attempt to
> your computer just the way it is supposed to do. (and again, no need to
> warn you about a perfectly normal behaviour).
I do not have anything like a standard configuration on my computers.
I've taken way too many trips to BlackViper for it to remain that way.
That means I've disabled every single service that wasn't absolutely
needed, particularly the ones that are known security risks (ie. SSDP
discovery service). I've also taken trips to SheildsUp!, where every
single one of those blocks on the all ports scan was green, indicating
ALL my ports are stealthed and hidden from net probes. My Kerio shows
when loaded that nothing but Kerio is listening to the net. I also
have a drumtight top level ruleset courtesy of Spongebob, the malware
guru (including a rule at the end which blocks everything the other
rules didn't). Despite all these precautions, hackers still managed to
disable my firewall like it wasn't there, and flood my system with
network attacks, or trojans. (For the trojans, all I have to do is be
on the wrong site at the wrong time and BAM! It's been downloaded to
my system via the http port 80, which I *can't* close if I have any
plans of using the internet. Then the next thing I know, the programs
are loaded in my registry and starting up on the next boot, and then
sending out data.
> > Windows SP2 Security Center was active at the time, but it didn't say
> > diddly to me to let me know that Kerio was no longer active. So much
> > for a year's hard work on SP2 on the part of the engineers at Redmond.
> Well, maybe you did not see it between all those warning messages until
> it crashed.
No, dude. There was only one warning message on behalf of the firewall
(the others were from KAV and one from GIANT antispyware). Secondly,
there could have been a million messages, but they don't obscure the
system tray, which is where the SP2 balloon *should* have appeared! Do
you want to KNOW the actual reason why it didn't appear? I'll tell
you. When I checked the center at the time, it said the firewall was
on, despite the fact that Kerio's blue shield no longer showed in the
system tray. So the truth is, SP2's so-called security center is
useless; it totally failed me. THe whole SP2 pack hardly seems worth
the extra 200-250MB of space it gobbles up on your drive. Unless
you're into false senses of security...
> > I did not find any Trojan activity after all this, no programs
> > resident in memory or trying to dial out, and KAV said it suppressed
> > the
> > attempts.
> It blocked them until it crashed I suppose. After that your system may
> have been open and accessible depending on what exactly crashed and what
> was still up and running...
Kaspersky didn't crash, and that's what saved my butt. My system was
open and accessible insofar as the firewall was concerned, but
Kaspersky is so darn good, it can block and warn of network attacks,
trojans and the traditional viruses. (I somehow think Norton would
have happily ignored all of this! If anyone knows for a fact whether
Norton protects you against network attacks like Helkern, Lovesan or
TCP Syn Flood attacks, please inform me if I'm wrong).
> > But I still feel very vulnerable and want to prevent these
> > types of attacks (be they direct network attacks or trojans) from ever
> > reaching far enough into my system to be caught by Kaspersky. Because
> > what if a trojan or network attack comes in that isn't recognized by
> > KAV, or manages to crash and disable KAV? I figure my machine is being
> > specifically target by a hacker, because KAV reports new attacks
> > within *seconds* of disabling the firewall.
> Turn on the SP2 firewall. Don't allow exceptions. That should give you a
> quite time until they give up. Try to figure out what service they
> attack (I would say the file sharing but it is hard to tell without more
> details). If you don't need file sharing, disable it and shut down the
> services associated with it (set them to disabled).
> Check your
> configuration with "netstat -a" in a command prompt window. Every line
> with listening and every line with a UDP service is listening on the
> network. A FW blocks traffic to these services but it would certainly
> more efficient to shutdown the services which you don't need anyway.
File sharing was disabled on this PC. SP2 is now enabled, along with
Kerio. I never used netstat though, and its interesting, but where can
I go to get information to find out what these lines refer to, and
whether I need or don't need them? I see lines saying these services
(that I am not familiar with) are listening in: epmap, netbios-ssn,
microsoft-ds, etc., and what appear to be port numbers. But I have no
idea what should or can shutdown here, and how to do it.
> > MY QUESTION IS THIS: Can a hardware firewall protect me against the
> > network and trojan attacks described above? If so, does this include
> A hardware firewall does protect you as well. It does not offer
> "services" to the internet connection. It relays your outgoing traffic
> into the internet and just accepts replies to this. Anybody scanning
> your system would then see the situation as mentioned above with the
> turned on SP2 FW or when all services are shutdown. (again, the SP2 FW
> should give you pretty much the same as neither the SP2 FW nor the
> hardware firewall send you any pop-ups or strange warnings) The hardware
> firewall would become essential in my opinion if you would run a local
> network with two computers that share files with file sharing. Then you
> need the file sharing service and it gets a little bit tricky to
> properly configure your XP (although even that is not impossible) with
> internet connection sharing and file sharing to a local network.
Here's what I plan to do so far: get a router that has NAT firewall
capability (like the LinkSys Etherfast), turn on SP2 firewall, return
Kerio back to service (despite its ability to crash when a network
attack bullies it, I know of no software firewall that's any better
than it. If anyone knows of a firewall that is more likely to
withstand these types of crashes, please let me know, and I'll try it
out!). Also, disable RPC from rebooting, and whatever other holes I
can plug up to strengthen my security. What I'd like to know, as
mentioned in the title of my post, is after all this, will I finally
be protected from the Helkern, Lovesan and TCP Syn Flood type attacks,
or is there nothing I can do to have bulletproof network security on a