firewall log - dns cache poisoning attack

Discussion in 'ESET Smart Security' started by techcafe, Feb 12, 2008.

Thread Status:
Not open for further replies.
  1. techcafe

    techcafe Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    13
    i've noticed that my ESS firewall log shows an alarming number of Detected DNS cache poisoning attack and Incorrect IP packet checksum events. there was also a Detected Reverse TCP Desynchronization attack event.

    the DNS cache poisoning events made reference to the IP address of my ISP's DNS servers (i verified the IPs) as the Source; and the Reverse Desync attack made reference to a source IP address belonging to a friend whom i was having a skype conversation with at the time.

    anyone else notice stuff like this in their firewall log?

    i should probably mention, i've enabled the Troubleshooting Log options at the bottom of the IDS and advanced options panel (under the Personal firewall tree), so perhaps i'm seeing stuff that isn't normally logged, since those two logging options are disabled by default.
     
    techcafe, Feb 12, 2008
    #1
  2. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    Probably false...but maybe not...who knows?! Bad thing is that you'll receive answers from members and not from ESET people.

    I wish to see the rules which block this type of attacks, not only checkboxes...only then we will know how ESS block this attacks!

    ESS had a lot of problems with firewall from early beta to final (not resolved yet)...and I simply don't trust in their firewall. I hope that in next version this segment will be much better.
     
    wrathchild, Feb 12, 2008
    #2
  3. JasSolo

    JasSolo Registered Member

    Joined:
    May 9, 2007
    Posts:
    414
    Location:
    Denmark
    I have the same attacks....tons of them. In fact every 4th minute or so.


    Cheers
     
    JasSolo, Feb 12, 2008
    #3
  4. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    I have the two log options you mentioned turned on and none of my PCs have those log entries that you mention except I have seen a couple of the reverse TCP Desynchronization.
    It may be that something is trying to get into your PC via the ports that are open legitimately.
     
    Jenee, Feb 13, 2008
    #4
  5. nickster_uk

    nickster_uk Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    190
    I contacted ESET about this a while ago and they told me it was a bug in the firewall. While some may be genuine threats, it's unlikely all are especially if you see them getting logged every few seconds.

    They told me it would be addressed in future builds..but since then, a couple of new builds have been released but the problem persists.

    In the meantime, if it bothers you too much, you could always disable the 'DNS poisoning attack detection' option in the firewall options.

    Coincidently, I also use a couple of POP mail gadgets in my sidebar and whenever the 'DNS poisoning attack detection' option is enabled, I frequently get DNS errors and connection timeout errors in the gadgets, but as soon as it's disabled, everything works without a problem.

    Hope ESET sort this as it's a bit of a concern...although, aside from that, I think it's a great firewall/AV package.
     
    nickster_uk, Feb 13, 2008
    #5
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...