Re: Can I protect myself against network attacks?

From: Joe Samangitak (joesamang_at_address.com)
Date: 02/16/05


Date: 15 Feb 2005 23:48:55 -0800

Gerald Vogt <vogt@spamcop.net> wrote in message news:<42129887$0$975$44c9b20d@news2.asahi-net.or.jp>...

> Bob Ladbury wrote:
> > I'm not sure how good it is. But as I understand, it loads even before
> > your PFW. So now I intend to employ both the SP2 *and* Kerio (I read
> > that you can do this without incident), in the hopes that if Kerio
> > crashes, SP2 firewall will still protect me.
>
> Two firewalls are generally a very bad idea, because they can interfere
> with each other ending up in undefined states. If one firewall drops
> something that the other one needs for SPI you are lost...

I consider the SP2 PFW "half a firewall", and many I've read say it
can peacefully coexist with a PFW. We'll see!
 
> a) how do you know that the system was never intruded. Didn't you say
> that your AV did pop-up? That means there was something on the system
> even if maybe the AV did prevent it from running. You believe nothing
> happened because you got no message telling you otherwise, which however
> does not exist anyway.

No, it's the opposite. I got a message from KAV telling me nothing
happened because it suppressed the attack. The system was *attacked*
but it wasn't *successfully* attacked. Whether you want to say it was
"intruded" is a question of semantics. And in case you think KAV
might be lying to me, I know it wasn't successfully attacked, simply
because there are effects from the attack; no trojans sending data out
or listening in, and no virus or trojans from a system scan via KAV. I
didn't say "nothing happened" either. After all, the attacks did
manage to disable my firewall...

> They cannot engage the RPC service on my system because the RPC service
> is not listening to the internet on my computer. Look out for rpccfg
> from the MS resource kit. It allows you to configure RPC. Again: it is
> possible to configure Windows in a way that no services are listening to
> the internet either because they have been shutdown or they have been
> reconfigured to listen to the loopback only.

I told you I disabled every service I could disable and still keep my
system running, but I'm not sure if RPC is listening. I see some
LSASS, SYSTEM and SERVICE names listening in, according to KPFW. But
according to Shields Up, ALL of my ports are stealthed. So from the
point of view of someone on the outside pinging me for open ports,
isn't that the same as having the RPC service not listening?
 
> > on the wrong site at the wrong time and BAM! It's been downloaded to
> > my system via the http port 80, which I *can't* close if I have any
>
> Yes, because you have the malware already running on your system. Your
> outgoing firewall did not help at all here... See?

No, you don't get it. It's not because I have the malware already
running, it's because it's coming through on port 80, which I need
open to surf the net. The firewall doesn't stop it from coming in
simply because I haven't configured it to block port 80 (or any of the
other browser ports that I need to remain open), and once it came in,
well it didn't stop it from sending data out, simply because the
firewall was no longer active at this point.

> You don't get it. The security center cannot check the proper status of
> all and any firewall and antivirus software. It is the responsibility of
> the PFW or AV maker to message the current state to the security center.
> The security center only relays information that it gets from the PFW or
> AV software.

Stupid question: why do I need SP2's Security Center if my firewall is
capable of telling SC whether it is active or not? Do you see where
I'm going here? Instead of relaying the information to SC and have SC
relay it back to me, the firewall can simply tell me directly whether
it is or isn't active, and then I wouldn't need to use up resources
running SC. Therefore, as you explain it, Security Center is even more
useless than I first mentioned.

I assumed, like a lot of people I imagine, it was the job of SC to
monitor the firewall to check if it is active. But you're saying it's
up to the firewall to tell SC when it isn't active. But how is it
possible to do this if the program isn't active?

> Anything else is not really possible. How should you write
> a software that definitively and correctly figures out whether software
> XYZ is correctly running and working?

That's pretty simple, I can imagine a number of ways it could be done.
Starting with the fact that Windows can monitor what services are or
aren't active in memory, and know what has been taken out of memory
(example, if you try to delete certain system processes in task
manager, you'll get a warning telling you you can't do that). The SPF
system can even monitor what files you're trying to delete off the
hard drive. It's Windows job to know what programs are loaded in
memory, and to manage them. Ergo, it can know what is no longer active
either by the address space used, or by any number of other markers.

> The only one who knows this is the
> PFW/AV maker because he knows how the whole thing works and when
> something fails. The security center did not fail on you. It was the PFW
> software which still reported the PFW up and running while it actually
> was not. Microsoft cannot invent some mysterious algorithm to detect
> failed PFW... You have the wrong expectations.

Microsoft claims Security Center can warn you if your firewall is no
longer working, and I never saw them say any caveats to the contrary,
so long as your software has been established to work with SC. Most
people who install SC have the expectation of it protecting them if
their firewall goes south, which is what it is designed to do. Why
would you think they would have any other expectation?

> If your AV software tells
> the security center it is up and running and up-to-date, the security
> center won't tell anything else. The existence or absence of a system
> tray icon does not say anything about the status of the software even if
> it was an indication for you that it did not work.

I'm sorry, but the fact that task manager showed Kerio was no longer
in memory pretty much said the absence of the status tray icon was not
a coincidence. The PFW software didn't tell SC anything, since it was
no longer active. This is where SC SHOULD have been having bells go
off. Remember, under normal circumstances, when I turn off the
firewall, SC DOES pop up an alert. Under a network attack, according
to my experiences, SC packs up its bags and dives under the bed, and
shuts up until the intruder leaves.
 
> > Kaspersky didn't crash, and that's what saved my butt. My system was
> > open and accessible insofar as the firewall was concerned, but
> > Kaspersky is so darn good, it can block and warn of network attacks,
> > trojans and the traditional viruses. (I somehow think Norton would
> > have happily ignored all of this! If anyone knows for a fact whether
> > Norton protects you against network attacks like Helkern, Lovesan or
> > TCP Syn Flood attacks, please inform me if I'm wrong).
>
> A properly configured Windows with no services listening to the
> internet. You don't even need the SP2 firewall then. The only thing
> someone can attack then is the IP stack but, well, you can't live
> without that one if you want to use the internet.

Believe me, I would love to eliminate those remaining services,
whatever the heck they are (mostly hidden under the names "SVCHOST" or
"SYSTEM"), that insist on listening to the net. But that would bring
my system to a crashing halt, and things would be breaking all over
the place. That's why I have a firewall, so that while they may be
listening in, outside forces should not be able to hear them. But it
seems there are still some ways intruders can succeed at causing harm,
and it's those that have to be looked at. So far, the vulnerabilities
are trojans coming in on port 80, and direct network attacks that
flood my system and crash the PFW, straight from the net.

> But I still don't get what has happened? What did Kaspersky detect? I
> suppose you had file sharing listening to the internet and someone
> attempted to copy something to your hard drive which your AV detected.
> Else, if you had already something running on your computer which tried
> to download something, you were already infected and obviously your AV
> failed already...
>

No, I did not have file sharing on. As mentioned, long before I got
hit, I disabled things in my XP Pro system that even Bill Gates
doesn't know about. This was not and never was a networked system, so
I had no reason to even have file sharing on. I already mentioned what
KAV detected: the network attacks of Helkern, Lovesan and TCP Syn
Flood. I was not already infected either, I had done a recent scan.
And as mentioned, I never got infected by anything even after the
attack.

> O.K. netstat -a -o gives you all the ports with all pids. tasklist /svc
> gives you the services running on the pids and the exe. (check out the
> other options of netstat and tasklist and play around a little with it).
> "sc query" does list you all the services with state and the service
> name which you find with tasklist /svc. The display name is the one you
> should recognize from services.msc. For RPC you need rpccfg to rebind it
> as Windows cannot live without RPC.
 
Thanks for this, I had never heard of tasklist or rpccfg.

> I know a site in German that describes how to shutdown everything and
> how to do it. There is even a script that does it automatically for you.

What's the point of that, if you are cutting yourself off from being
able to use your PC?

> First, there is always potential danger because of what you do. If you
> live a risky life you have to accept the danger.

I don't live a risky life! I'm not asking for problems. Rather, I've
already done more than most to try to protect myself from net threats.
I simply have a simple non-networked home computer system with a high
speed modem, like many others. I simply want to be able to use it,
without fear that I'll be hit by a net-based attack of some sort, when
I'm away from it or on it. What's the point of accessing the net if
you can't be safe, no matter what you do?

> Second, there are
> always vulnerabilities. Third, there is always a random chance for an
> intruder, maybe like the one crashing your PFW, just by trying.

I'm curious to know whether these attacks are from a random intruder
trying to crash my system, or a hacker scanning a wide range of
systems to do this. I don't know if you're aware of this, but the
network attacks I received are becoming the scourge of the internet,
according to what I read. DOS is the new major threat on the horizon
that could really cause widespread destruction, for which there
currently is no cure-all solution. Best you can do is slow it down,
but not stop the threat.
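The netstat/tasklist procedure Gerald describes above, worked through as one script (an added example, not posted by anyone in the thread). It assumes Windows XP SP2 or later with PowerShell 2.0 or newer, where `netstat -o` and `tasklist /svc` exist, and it answers the poster's question directly: which of the SVCHOST/SYSTEM/LSASS listeners are bound to the loopback only, and which are reachable from the network if the firewall dies.

```powershell
# Added example (not from the thread): map every listening endpoint to the
# process and hosted service names behind it, and flag those bound to a
# non-loopback address. Assumes XP SP2+ and PowerShell 2.0+.

function Get-ListeningEndpoint {
    # netstat -a -n -o: all endpoints, numeric addresses, owning PID.
    # TCP rows: Proto Local Foreign State PID   UDP rows: Proto Local Foreign PID
    $rows = netstat -a -n -o | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        $owner = if ($f[0] -eq 'TCP') { $f[4] } else { $f[3] }
        # Local address is "0.0.0.0:135" or "[::]:135"; split on the last colon.
        $cut  = $f[1].LastIndexOf(':')
        $addr = $f[1].Substring(0, $cut)
        $port = [int]$f[1].Substring($cut + 1)
        # tasklist /svc turns the PID into an image name plus the service names
        # it hosts (an svchost.exe row lists several). PID 0 yields no CSV row.
        $tl = tasklist /svc /FI "PID eq $owner" /FO CSV /NH | Where-Object { $_ -like '"*' }
        $info = $null
        if ($tl) { $info = $tl | ConvertFrom-Csv -Header Image, PID, Services }
        New-Object PSObject -Property @{
            Proto        = $f[0]
            Address      = $addr
            Port         = $port
            PID          = [int]$owner
            Image        = if ($info) { $info.Image } else { '?' }
            Services     = if ($info) { $info.Services } else { '?' }
            # Only 127.0.0.1 / [::1] bindings are unreachable from outside;
            # 0.0.0.0, [::] and the NIC's own address are exposed.
            LoopbackOnly = (@('127.0.0.1', '[::1]') -contains $addr)
        }
    }
}

# Exposed listeners first: these are the services to stop, or rebind to the
# loopback (rpccfg for RPC), so that nothing depends on the PFW staying alive.
Get-ListeningEndpoint | Sort-Object LoopbackOnly, Proto, Port |
    Format-Table Proto, Address, Port, PID, Image, Services, LoopbackOnly -AutoSize
```

Cross-check the service names in the Services column against `sc query` to confirm their state before disabling anything, since a hosted service that is stopped will simply disappear from the listener list on the next run.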