Re: Can I protect myself against network attacks?

From: Gerald Vogt (vogt_at_spamcop.net)
Date: 02/16/05


Date: Wed, 16 Feb 2005 21:16:48 +0900

Joe Samangitak wrote:
> Gerald Vogt <vogt@spamcop.net> wrote in message news:<42129887$0$975$44c9b20d@news2.asahi-net.or.jp>...
>>Bob Ladbury wrote:
>>>I'm not sure how good it is. But as I understand, it loads even before
>>>your PFW. So now I intend to employ both the SP2 *and* Kerio (I read
>>>that you can do this without incident), in the hopes that if Kerio
>>>crashes, SP2 firewall will still protect me.
>>
>>Two firewalls are generally a very bad idea, because they can interfere
>>with each other ending up in undefined states. If one firewall drops
>>something that the other one needs for SPI you are lost...
>
> I consider the SP2 PFW "half a firewall", and many I've read say it
> can peacefully coexist with a PFW. We'll see!

The number of firewalls does not work mathematically. 1+1 may be a dead
system ;-). I also think it should be O.K. but I just wanted to point
out that it may have unwanted and surprising effects at times...

> No, it's the opposite. I got a message from KAV telling me nothing
> happened because it suppressed the attack. The system was *attacked*
> but it wasn't *successfully* attacked. Whether you want to say it was

O.K. Maybe KAV does more than I expect from an AV. Usually AVs detect
patterns in files, therefore I thought if KAV intervenes there must be
something there already, even if it is not running and KAV deletes it
immediately from your disk again...

> "intruded" is a question of semantics. And in case you think KAV
> might be lying to me, I know it wasn't successfully attacked, simply
> because there are effects from the attack; no trojans sending data out
> or listening in, and no virus or trojans from a system scan via KAV. I

O.K. This is exactly what you do not know. I think this is the case but
you don't know. The security of your system was compromised. The attack
did affect your system. You don't know the objective of the attack. It
does not take much to craft a backdoor into your system that KAV won't
detect because it does not know about it. An exploit in your Kerio may
have given the attacker administrator access and the first thing after
that was to reconfigure your AV and PFW to let the injected code run
silently. Maybe something is running on your computer and maybe it is
just waiting for a timeframe when the computer is turned on and you are
away so you won't notice when all of a sudden something starts sending
out e-mails. I don't know what has happened but all that I wrote before
is possible, not even difficult to do and may have happened. Did you,
for example, go through the complete configuration of your AV and PFW
and check all the settings?

In my opinion, the only way to be halfway sure that nothing happened
would be to run a compare of your complete system against a recent
backup and note all the differences. Certainly you should do this
booting from a safe utility CD or something. If you know that there is
no suspicious file on the system and nothing suspicious has changed in
a system directory, then I think you might say "you know" under certain
constraints.

Anyway, let's hope you are right...

> I told you I disabled every service I could disable and still keep my
> system running, but I'm not sure if RPC is listening. I see some
> LSASS, SYSTEM and SERVICE names listening in, according to KPFW. But
> according to Shields Up, ALL of my ports are stealthed. So from the
> point of view of someone on the outside pinging me for open ports,
> isn't that the same as having the RPC service not listening?

Well, the big difference is, if the RPC service is listening on the
internet interface and someone disables your PFW as has happened to
you, all of a sudden the RPC service is available from the internet.
This may have been one objective of the attack: to run an RPC exploit
after it disabled the firewall. If you have nothing listening to the
internet, you would not even need the firewall because no service is
listening and the IP stack would just drop packets for any port.

> No, you don't get it. It's not because I have the malware already
> running, it's because it's coming through on port 80, which I need
> open to surf the net. The firewall doesn't stop it from coming in
> simply because I haven't configured it to block port 80 (or any of the
> other browser ports that I need to remain open), and once it came in,
> well it didn't stop it from sending data out, simply because the
> firewall was no longer active at this point.

Maybe I don't get it. But there are two completely different things:
out-going connections to port 80 and in-coming connections to port 80. A
normal firewall would allow access from the inside to the outside port
80 because that is what you need for your browser. In-coming connections
don't have to be blocked on port 80 because either you are running a web
server and that's a completely different story or you are running no web
server, which means nothing is listening on port 80. If you want you can
let your PFW block in-coming port 80 but that won't affect your
web-browsing.

I think I don't understand what you mean with "coming through on port
80". You cannot mean the remote port 80 because you were attacked and it
did not happen while you were browsing. Second, you say "it didn't stop
it from sending data out". That would mean again, that you were actually
compromised?

> Stupid question: why do I need SP2's Security Center if my firewall is
> capable of telling SC whether it is active or not? Do you see where
> I'm going here? Instead of relaying the information to SC and have SC
> relay it back to me, the firewall can simply tell me directly whether
> it is or isn't active, and then I wouldn't need to use up resources
> running SC. Therefore, as you explain it, Security Center is even more
> useless than I first mentioned.

The security center is, as the name indicates, a place that is supposed
to collect security relevant information and present it from a single
point of view. It is a center which just surveys the status reports from
other components. It reminds you if you don't update your virus
definitions for a week or so. But it knows that only because it was told
from the AV software. It is an attempt to combine security in one place,
eventually maybe with only one tray icon with all security relevant
information instead of three or so... It is a design decision that you
may consider useless but I think it is just supposed to simplify things.

> I assumed, like a lot of people I imagine, it was the job of SC to
> monitor the firewall to check if it is active. But you're saying it's
> up to the firewall to tell SC when it isn't active. But how is it
> possible to do this if the program isn't active?

If the program is not active at all there is nothing to communicate with
and the SC can detect that. This is possible. Anything else beyond that
is a problem of the PFW or AV software. If you can deactivate your
firewall with your PFW tray icon how on earth should some other software
like the SC know that the PFW is deactivated now? It is just impossible
to tell unless the PFW tells the SC. The PFW and AV should be designed
in a way that a failure in an important component does in fact signal
the SC. But have you ever looked at how many components and services
your PFW or AV consists of? It is very complex. The SC cannot make
assumptions about every possible design to tell that if process XY is
not running or not responding in time there is a problem...

> memory, and to manage them. Ergo, it can know what is no longer active
> either by the address space used, or by any number of other markers.

As I wrote before. You cannot necessarily know which of the processes is
actually the critical one. And anyhow, why do you think that a process
was terminated when you found out that the firewall was gone? Maybe the
process was still running, maybe even responding to Windows messages,
but it was not active anymore doing its job. Processes may be running
and may be in a deadlock waiting forever. To make an exact decision if
something is actually running and working or not requires a lot of
insight into the design of the software you want to monitor. Something
that SC does not have and that all those PFW and AV makers probably
don't want to tell others in detail anyway.

> Microsoft claims Security Center can warn you if your firewall is no
> longer working, and I never saw them say any caveats to the contrary,

Well, it warns you if you turn off the firewall. But as with everything
else, nothing works 100% reliably. And in this case, much has to do with
the PFW maker, which was the reason why PFWs and AVs have to be
certified, i.e. tested with SP2 to check that they interoperate properly.

> so long as your software has been established to work with SC. Most
> people who install SC have the expectation of it protecting them if
> their firewall goes south, which is what it is designed to do. Why

Well, I never expected that from the SC and Microsoft does not claim
that. Read http://support.microsoft.com/kb/883792/en-us where it
basically says that they rely on the manufacturer information.

(In a sense, this is again the same wrong conclusion as with the use of
the security stuff in the first place: you see how it works under
normal circumstances and that it warns you if you turn your AV off. From
that you assume that this will always be the case, which however nobody
claimed nor can be achieved.)

> I'm sorry, but the fact that task manager showed Kerio was no longer
> in memory pretty much said the absence of the status tray icon was not
> a coincidence. The PFW software didn't tell SC anything, since it was
> no longer active. This is where SC SHOULD have been having bells go

In this case the Kerio process is probably not the one communicating
directly with the SC and there is another component that actually relays
the status information of the firewall. Or maybe the exchange protocol
is designed so badly that it does not change status if it cannot
communicate with the other process anymore. My guess would be the first
one...

> off. Remember, under normal circumstances, when I turn off the
> firewall, SC DOES pop up an alert. Under a network attack, according
> to my experiences, SC packs up its bags and dives under the bed, and
> shuts up until the intruder leaves.

Here again you conclude from "normal" behaviour and expect that this
always works the same anytime. The first thing that packed up its bag
was the PFW.

> Believe me, I would love to eliminate those remaining services,
> whatever the heck they are (mostly hidden under the names "SVCHOST" or
> "SYSTEM"), that insist on listening to the net. But that would bring

Well, you have to identify them and shut them down. If you tell me
exactly which services there are, then I might give you the right
pointers. You know the commands for that now. The RPC service must run,
but can be rebound...

> my system to a crashing halt, and things would be breaking all over
> the place. That's why I have a firewall, so that while they may be
> listening in, outside forces should not be able to hear them. But it

Exactly what the SP2 firewall does.

> seems there are still some ways intruders can succeed at causing harm,
> and it those that have to be looked at. So far, the vulnerabilities
> are trojans coming in on port 80, and direct network attacks that
> flood my system and crash the PFW, straight from the net.

Well, turn on the SP2 firewall with no exceptions. And please elaborate
what you mean with "coming in on port 80" as there are actually two port
80s and I am still not sure which you mean...

> This was not and never was a networked system, so I had no reason to
> even have file sharing on. I already mentioned what KAV detected: the
> network attacks of Helkern, Lovesan and TCP Syn Flood. I was not
> already infected either, I had done a recent scan. And as mentioned, I
> never got infected by anything even after the attack.

O.K. I admit, I have no idea what KAV does exactly. It seems to scan
network traffic as well.

>>I know a site in German that describes how to shutdown everything and
>>how to do it. There is even a script that does it automatically for you.
>
> What's the point of that, if you are cutting yourself off from being
> able to use your PC?

Ooops. Sorry. I meant "shutdown everything unnecessary". Shutting down
everything would work, too, obviously, but would really be useful in the
end... I meant what you tried to do: shutting down all those unnecessary
services running on a standard Windows installation and thereby in the
end closing all the open ports on the internet...

> I'm away from it or on it. What's the point of accessing the net if
> you can't be safe, no matter what you do?

There is no 100% safety and security. Nothing can absolutely reliably
protect your home from burglars. In the same sense you can do
nothing if someone decides to flood your IP address. Your connection is
dead until either the attacker gets bored, you do a DHCP renew to get a
different IP address (which most ISPs don't do anymore) or you contact
your ISP to either assign you a different IP address or block the
incoming traffic somewhere on their edge router. There is nothing more
possible in this respect. (You cannot prevent someone blocking your
phone line by constantly calling you either which some dumb fax machines
reportedly do...)

You can influence how likely an attacker is to actually intrude into
your system. Keep your system up-to-date. The stupidest people in my
eyes are always those where the attacker exploited a vulnerability
which is long known and long fixed. If you have a machine that is only
used for outgoing stuff as yours is, shutting down all unnecessary
server services which Windows unfortunately runs by default is a very
good idea. As I said it is possible to configure Windows in such a way
that there is nothing left which listens to the internet. You don't need
the SP2 FW nor a PFW then anymore, because the IP stack itself already
blocks any unwanted incoming traffic and that is the most efficient
place to do it. A FW would just add complexity and the efficiency
suffers.

If you do that, you have pretty much all the network security that is
possible for a simple system which you use for browsing and e-mail. The
system security (protection against virus etc.) is then another topic
which we could discuss endlessly.

> I'm curious to know whether these attacks are from a random intruder
> trying to crash my system, or a hacker scanning a wide range of
> systems to do this. I don't know if you're aware of this, but the

I would say someone scanned for people with Kerio firewalls and focussed
on a couple of them hoping that once the Kerio is down it could use
another exploit to take over the machine.

> network attacks I received are becoming the scourge of the internet,
> according to what I read. DOS is the new major threat on the horizon

No. I don't think it will come that far. But you cannot do much about it,
like you can do nothing about someone blocking your phone line. These
problems must be solved by the ISPs. There is a lot of research in
computer science that tries to find the best ways to detect and fight
DoS attacks. There are good solutions out there but as always technical
progress is much faster where you can make $$$. Adding security does the
contrary: it costs. (I always thought at those ancient dial-up times
that ISPs have no interest in fighting spam mail because they actually
make money when you download it to your computer. Now with flat-rate,
high-speed it changes...)

> that could really cause widespread destruction, for which there
> currently is no cure-all solution. Best you can do is slow it down,
> but not stop the threat.

The ISP has to trace the attack back to its source and cut the line
there. This often requires much communication between different ISPs
because the packets cross many ISPs on their way. For a DDoS it gets
harder but even then it is not impossible...

But the funny thing in a way is: in all cases the resources used in a
DoS or DDoS are infected machines, which have been taken over earlier...

Gerald
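The point Gerald makes above (a "stealthed" port behind a PFW is not the same as nothing listening, because the listener is exposed the moment the PFW dies) can be checked from `netstat -an` output. This is an added example, not code from the thread; the sample output is constructed in the Windows XP `netstat -an` layout, and only the bind address is used to decide exposure.

```python
"""Classify listening sockets from Windows `netstat -an` output.

Added example: report which listeners are bound to all interfaces or to
the machine's own address (reachable from the internet as soon as no
firewall sits in front of them) versus loopback-only ones, which are
never reachable from the network. The sample below is constructed.
"""
import ipaddress

# Constructed sample in the layout Windows XP `netstat -an` prints.
# 135 is the RPC endpoint mapper the thread talks about.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       64.233.161.99:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
"""


def parse_listeners(netstat_text):
    """Return (proto, bind_ip, port) for every listening socket.

    TCP sockets count only in state LISTENING; UDP lines carry no state
    column, so every UDP socket is treated as a listener.
    """
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unknown protocol
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established or half-open connection, not a listener
        bind_ip, port = local.rsplit(":", 1)
        listeners.append((proto, bind_ip, int(port)))
    return listeners


def exposed_listeners(netstat_text):
    """Listeners that a packet from the internet could reach without a PFW.

    0.0.0.0 means "all interfaces"; a concrete interface address is
    equally reachable. Only 127.0.0.1 (loopback) is safe by construction.
    """
    return [entry for entry in parse_listeners(netstat_text)
            if not ipaddress.ip_address(entry[1]).is_loopback]
```

Anything this reports is what the IP stack would answer on its own if the PFW crashed; the fix the thread recommends is to stop or rebind those services rather than to rely on the firewall hiding them.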
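The "compare your complete system against a recent backup" check Gerald suggests, as an added example that is not from the thread: hash every file under both roots and list what was added, removed or modified. Content hashes are compared rather than timestamps or sizes, since those are trivial to set back; the demo trees are constructed in a temporary directory, and a real run would point `snapshot()` at the mounted system disk and the backup from a clean boot environment.

```python
"""Diff a live file tree against a backup by content hash (added example)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path relative to root (with '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(backup, live):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(live) - set(backup))
    removed = sorted(set(backup) - set(live))
    modified = sorted(p for p in set(backup) & set(live) if backup[p] != live[p])
    return added, removed, modified


def demo():
    """Constructed backup/live trees: one system file altered, one new file dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        files = {"system32/example.dll": b"original", "boot.ini": b"[boot]"}
        for root in (backup, live):
            os.makedirs(os.path.join(root, "system32"))
            for rel, data in files.items():
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(data)
        # Tamper with the live side only: same size, same name, different bytes.
        with open(os.path.join(live, "system32", "example.dll"), "wb") as f:
            f.write(b"patched!")
        with open(os.path.join(live, "system32", "newsvc.exe"), "wb") as f:
            f.write(b"dropped")
        return diff_snapshots(snapshot(backup), snapshot(live))
```

Only differences since the backup show up, so the backup itself must predate the attack, and legitimate updates between the two snapshots will appear alongside anything suspicious.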