Re: Can I protect myself against network attacks?

From: Bob Ladbury (rladbury_at_kittymail.com)
Date: 02/15/05

  • Next message: ejfudd820_at_hotmail.com: "Re: Can't connect via VNC from work to home"
    Date: 15 Feb 2005 09:18:11 -0800
    
    

    Gerald Vogt <vogt@spamcop.net> wrote in message news:<42118998$0$975$44c9b20d@news2.asahi-net.or.jp>...
    > Bob Ladbury wrote:
    > > Today my home computer was under siege. Kaspersky anti-virus alerted
    > > me to network attacks under the names of "Helkern", "Lovesan" and "TCP
    > > Syn Flood" attack. There were *hundreds* of such attacks reported by
    > > KAV, from different IP addresses. The worst part is that somehow,
    > > something managed to crash my Kerio Personal Firewall 4.1, and it
    > > became disabled, following this message:
    > >
    > > "KPF.DLL driver. Exception occurred at address: 0x10076895. Exception
    > > code 0xC00000FD Firewall driver interface will be closed. "
    >
    > I guess that was one purpose of the attack. And that's one more reason
    > why PFW often do such a bad job: they warn users of things of many
    > useless "threats". And if there are too many "attacks" causing too many
    > warning in the PFW it may cause the PFW to crash. This would not have
    > had happened if you just used the SP2 firewall which does not warn you
    > of those "attacks".

    I don't think that's the way it crashed the PFW. In a similar attack a
    while
    back, I've seen the firewall crash before my eyes, without warning.
    And I had Kerio configured not to give me any warnings in any of my
    rules. So it seems that it can crash the driver almost instantly.
    Let's face it, SP2 firewall
    sucks; its only good for incoming threats, and even in that regard,
    I'm not sure how good it is. But as I understand, it loads even before
    your PFW. So now I intend to employ both the SP2 *and* Kerio (I read
    that you can do this without incident), in the hopes that if Kerio
    crashes, SP2 firewall will still protect me.

    >
    > Why the quotes for "attacks"? If you connect to the internet you have an
    > IP address. Anyone can try to connect to this IP address, can send
    > packets there, do a ping or whatever. There is nothing you can do about
    > it. This is just like a door: you cannot prevent people from knocking on
    > the door or trying to use the handle to open it. Having said that, it
    > should become clear that those "warning" messages you describe are
    > absolutely useless: if the door is properly closed nothing can happen.

    The message I described above wasn't a warning message, but simply an
    alert that something has gone wrong; issued I believe by Windows
    itself, not the PFW.
    (The firewall engine, as the message is saying, was no longer loaded,
    so it
    couldn't have been issued by Kerio). And yes, it was absolutely
    useless because it wasn't warning me of the threat, it was telling me
    my firewall was no longer activated. SP2's security center was
    supposed to 'officially' tell me that my
    firewall was no longer activated, but as mentioned, it didn't even do
    that!

    > A
    > firewall is there to close the door and it must not crash if someone
    > just does a legitimate "knock" on the door. In fact, the most useless
    > messages of PFW are those reporting "attacks" against ports that you
    > don't even use, no server is running on that port: it "protected" you
    > against a threat for which you are not vulnerable.

    This was no 'legitimate knock on the door', though. This was a flat
    out
    network attack on my system by Helkern and Lovesan; hundreds of times
    over from various IP addresses (Which I presume can not be traced to
    the
    attacker). Maybe the way the trick works is that the attacks come so
    rapidly,
    it overcomes the firewall's ability to intercept it, and causes the
    driver to
    crash after a time?

     
    > The SP2 firewall does a perfect job in closing all the open doors on
    > your system (if you configure no exceptions). It does not produce
    > useless "warnings" it just drops when someone tries to open a door which
    > Windows left open. No big overhead. No big crashes. Just reliable work
    > which does what it is supposed to do. Your PFW on the contrary gave the
    > attacker the real ability to do something: to annoy you with warnings,
    > that kept you from working, eventually crashed the PFW and maybe even
    > after that allowed him to intrude your system.

    NO, the attack never intruded my system, and I never got any other
    warnings than the one above about the driver closing. Now if hackers
    can cause Kerio driver to crash, I'm not so sure they can't cause
    SP2's dinky firewall to crash either. Don't forget, they can also
    engage the RPC service and cause the system to reboot (and then load
    any trojans they manage to list in the startup areas of your
    registry). This can disable Windows firewall even if its the first
    thing loaded on the system. I can't find a way to disable the service,
    which is a huge security risk to me, because Windows won't work
    without it. But I believe you can change the behavior of having it
    reboot the system.

    > You can even go further, if you like: all those "open doors" that
    > Windows has are services running on your computer in the standard
    > configuration. Take the file sharing stuff: basically the services are
    > running, providing the services on ports. If you don't configure the
    > services properly or just shut them down people from the internet may
    > connect to it and - as we have seen in the past - exploit bugs to
    > intrude a system. You can actually configure a XP system that is does
    > not open an ports on your system. There are descriptions out there that
    > show you how. If you shutdown all services that listen to the internet,
    > closing all the ports, there is nothing for the attacker in the internet
    > left except the IP implementation itself which should - let's hope - be
    > free of major bugs. A system not offering incoming internet connections
    > to your computer does not even need a firewall: there is nothing to
    > attack because the IP stack simply discards any connection attempt to
    > your computer just the way it is supposed to do. (and again, no need to
    > warn you about a perfectly normal behaviour).

    I do not have anything like a standard configuration on my computers.
    I've taken way too many trips to BlackViper for it to remain that way.
    That means I've disabled every single service that wasn't absolutely
    needed, particularly the ones that are known security risks (ie. SSDP
    discovery service). I've also taken trips to SheildsUp!, where every
    single one of those blocks on the all ports scan was green, indicating
    ALL my ports are stealthed and hidden from net probes. My Kerio shows
    when loaded that nothing but Kerio is listening to the net. I also
    have a drumtight top level ruleset courtesy of Spongebob, the malware
    guru (including a rule at the end which blocks everything the other
    rules didn't). Despite all these precautions, hackers still managed to
    disable my firewall like it wasn't there, and flood my system with
    network attacks, or trojans. (For the trojans, all I have to do is be
    on the wrong site at the wrong time and BAM! It's been downloaded to
    my system via the http port 80, which I *can't* close if I have any
    plans of using the internet. Then the next thing I know, the programs
    are loaded in my registry and starting up on the next boot, and then
    sending out data.

     
    > > Windows SP2 Security Center was active at the time, but it didn't say
    > > diddly to me to let me know that Kerio was no longer active. So much
    > > for a year's hard work on SP2 on the part of the engineers at Redmond.
    >
    > Well, maybe you did not see it between all those warning messages until
    > it crashed.

    No, dude. There was only one warning message on behalf of the firewall
    (the others were from KAV and one from GIANT antispyware). Secondly,
    there could have been a million messages, but they don't obscure the
    system tray, which is where the SP2 balloon *should* have appeared! Do
    you want to KNOW the actual reason why it didn't appear? I'll tell
    you. When I checked the center at the time, it said the firewall was
    on, despite the fact that Kerio's blue shield no longer showed in the
    system tray. So the truth is, SP2's so-called security center is
    useless; it totally failed me. THe whole SP2 pack hardly seems worth
    the extra 200-250MB of space it gobbles up on your drive. Unless
    you're into false senses of security...

     
    > > I did not find any Trojan activity after all this, no programs
    > > resident in memory or trying to dial out, and KAV said it suppressed
    > > the
    > > attempts.
    >
    > It blocked them until it crashed I suppose. After that your system may
    > have been open and accessible depending on what exactly crashed and what
    > was still up and running...

    Kaspersky didn't crash, and that's what saved my butt. My system was
    open and accessible insofar as the firewall was concerned, but
    Kaspersky is so darn good, it can block and warn of network attacks,
    trojans and the traditional viruses. (I somehow think Norton would
    have happily ignored all of this! If anyone knows for a fact whether
    Norton protects you against network attacks like Helkern, Lovesan or
    TCP Syn Flood attacks, please inform me if I'm wrong).

    > > But I still feel very vulnerable and want to prevent these
    > > types of attacks (be they direct network attacks or trojans) from ever
    > > reaching far enough into my system to be caught by Kaspersky. Because
    > > what if a trojan or network attack comes in that isn't recognized by
    > > KAV, or manages to crash and disable KAV? I figure my machine is being
    > > specifically target by a hacker, because KAV reports new attacks
    > > within *seconds* of disabling the firewall.
    >
    > Turn on the SP2 firewall. Don't allow exceptions. That should give you a
    > quite time until they give up. Try to figure out what service they
    > attack (I would say the file sharing but it is hard to tell without more
    > details). If you don't need file sharing, disable it and shut down the
    > services associated with it (set them to disabled).
    > Check your
    > configuration with "netstat -a" in a command prompt window. Every line
    > with listening and every line with a UDP service is listening on the
    > network. A FW blocks traffic to these services but it would certainly
    > more efficient to shutdown the services which you don't need anyway.

    File sharing was disabled on this PC. SP2 is now enabled, along with
    Kerio. I never used netstat though, and its interesting, but where can
    I go to get information to find out what these lines refer to, and
    whether I need or don't need them? I see lines saying these services
    (that I am not familiar with) are listening in: epmap, netbios-ssn,
    microsoft-ds, etc., and what appear to be port numbers. But I have no
    idea what should or can shutdown here, and how to do it.

    > > MY QUESTION IS THIS: Can a hardware firewall protect me against the
    > > network and trojan attacks described above? If so, does this include
    >
    > A hardware firewall does protect you as well. It does not offer
    > "services" to the internet connection. It relays your outgoing traffic
    > into the internet and just accepts replies to this. Anybody scanning
    > your system would then see the situation as mentioned above with the
    > turned on SP2 FW or when all services are shutdown. (again, the SP2 FW
    > should give you pretty much the same as neither the SP2 FW nor the
    > hardware firewall send you any pop-ups or strange warnings) The hardware
    > firewall would become essential in my opinion if you would run a local
    > network with two computers that share files with file sharing. Then you
    > need the file sharing service and it gets a little bit tricky to
    > properly configure your XP (although even that is not impossible) with
    > internet connection sharing and file sharing to a local network.
    >
    > Gerald

    Here's what I plan to do so far: get a router that has NAT firewall
    capability (like the LinkSys Etherfast), turn on SP2 firewall, return
    Kerio back to service (despite its ability to crash when a network
    attack bullies it, I know of no software firewall that's any better
    than it. If anyone knows of a firewall that is more likely to
    withstand these types of crashes, please let me know, and I'll try it
    out!). Also, disable RPC from rebooting, and whatever other holes I
    can plug up to strengthen my security. What I'd like to know, as
    mentioned in the title of my post, is after all this, will I finally
    be protected from the Helkern, Lovesan and TCP Syn Flood type attacks,
    or is there nothing I can do to have bulletproof network security on a
    home computer?!


  • Next message: ejfudd820_at_hotmail.com: "Re: Can't connect via VNC from work to home"

    Relevant Pages

    • Re: Dynamic Firewall/IDS System
      ... > (firewall, IDS, etc.) and reacting appropriately could be a good thing. ... > I don't think this is a description of snort. ... the network guys from the colo -- that they get or got attacked. ... we deploy packet filter log rules that indicate the attack. ...
      (FreeBSD-Security)
    • Re: Neither, buy a router.
      ... router for a home network? ... Would I still need a software firewall too? ... broadband-capable Virtual Private Network firewall is a true ... spoofing, land attack, tear drop attack, IP address sweep attack, Win Nuke ...
      (comp.security.firewalls)
    • Re: What does a firewall do?
      ... [cutting away lots of interesting stuff on AdaOS] ... > my question is, in essence, is there a form of attack that can be launched ... > arrangements) be preventable by using a firewall? ... is especially true if you consider the system to act as a network ...
      (comp.security.firewalls)
    • RE: most avtive attack type
      ... >firewall setup was outsourced and hasn't been touched since install. ... >> I was wondering what the most common type of attack to expect to get hit ... >> I will be protecting a MS based network. ... School Guide! ...
      (Focus-Microsoft)
    • RE: [Full-Disclosure] Sidewinder G2
      ... Secure Computing Sidewinder G2 Firewall Stops New High-Profile Sendmail ... Technology Prevents Sendmail Attack Warned About in CERT Advisory ...
      (Full-Disclosure)