Denial of Service attack!!

I just want to share to you guys what I've experienced this past week.

I've been using the final version of Sygate Personal Firewall for about 2 years now, and yesterday I had to part ways with the good ol' trusty firewall.

My internet connection has stopped responding in the network for about a week.
I called up my ISP. They did some fixes, and I did a lot of troubleshooting.

My connection randomly connects and disconnects in the network.
I had to reboot in order to get it working back again.
I had a suspicion that it could have something to do with my firewall.
Alas, I decided to download and install PC Tools Firewall to replace SPF.

And guess what?
My internet connection is up and running again.
PC Tools Firewall has a built-in block for Denial of Service attacks (I dunno if CPF3 or OA Firewall also have it).

I might go back to SPF and customize the ruleset for this type of attack.
But so far, I'm quite pleased with my new firewall.

 

pc tools firewall has SPI stateful packet inspection
also there's some other firewalls has similar functions like

-outpost fiirewall "superior in arp filtering and DOS and DDOS attacks"
-comodo firewall "arp packet filtering "
-lavasoft firewall "has the same outpost engine"
-sygate firewall "antispoofing properties" but i think u didn't activate it when u used sfp
-jetico firewall "u can make rules for arp packet filtering and DOS ttacks

however , generally , the firewall ability for arp filtering , SPI , DOS , and DDOS attack protection ,, is still questionable


on the other hand , the rest of firewalls contain NO such arp filtering functions , moreover some of them have problems with arp packet filtering on the lan like online armor firewall as shown in the quote below


https://www.wilderssecurity.com/showthread.php?t=216843&page=5

 

Hm. I cannot understand how it is possible not to have ARP filtering and cause ARP problems in the same time. Surely OA has ARP filtering, it helps against ARP spoofing in some extent (in the same extent as others do). They just do not promote this as a key feature because generally those "full ARP protection" claims are groundless. BTW, OA v3 has another useful option: "Filter invalid MAC addresses".

 

From your description it could well of been driver problems as easily as it could of been a DOS. Do you have any logging that would indicate a DOS?

- Stem

 

The last time I checked, PC tools firewall packet filtering it was (reported as, and seen as) just a basic check on the initial connection (3 way handshake) as now been improved? I will need to check

An area you would need to expand on.
For example a DOS could be just a single packet or single stream that then can cause the TCP/IP stack OR the firewall in question problems.
A DDOS is a distributed attack, which is usually seen as a very large amount of packets coming from a large number of different locations and is usually intent of taking away the bandwidth of the attacked server/PC.

I know filtering can block DOS, but what protection is there from a DDOS


- Stem

 

hi Alex_s
a good question , i also ask the same
but may you ask this to Mike or Stem

that's not true, all of as know that OA v2.0 has no arp filtering
Mike has declared this many times and in several locations here and in OA forum
i asked him many times about such featues and u can check the forum there u will find 2 threads by me on the same subject

i hope a leading firewall like OA will include arp filtering in the current beta 3.0
i don't know if the current beta has this or not , i didn't test ur
Stem may tell us about that
but generall , i had promises from Mike in the past about arp filtering features

i said it still questionable
but for the writer of this thread and for me it was somewhat usefull in many circumstances

hi Stem
some firewalls claim that
but from my limited knowledge , i don't know if this is true in real time protection
moreover , i never experienced such special type of denial of service attacks
as it is directed more towards servers and websites not for the normal home user

 

V3 is available to the public, so I regard V2 is irrelevant when talking of the features. My wish would be that they didn't start to play those silly games with ARP spoofing. The main problem with ARP is ARP protocol itself, absolutely non-secure protocol, so any "anti-ARP" solution is just workaround by definition. And I think workaround is nothing more than blind alley and PR. The only right way I see to fight ARP is a proper network architecture and proper network hardware. When I had had this problem once I did not look for a firewall, I just complained to my provider and the problem was solved once and forever.

 

and my comment is :

we were talking about v2.0
as shown in stem comment
also version 2.0 which has no arp filtering had problems with it

in ur 1st comment u said :

having problems with arp filtering does NOT mean that it has some arp filtering as evidenced by OA v2.0 which has no arp filtering

u concluded that OA has arp filtering just coz it has problems with it

stem mentioned OA V2.0 in his comment that i quote , so we were talking about OA 2.0 final not the beta version

what makes u sure that OA has arp filtering and antispoofing properties ? while it lacks the basic arp filtering and 3 way handshake ,
is this just coz it caused some arp problems ?

how can u say that ? are u one of the OA developing team ?

in the same extent as others do ?!
u always in many threads deny the ability of any software firewall ( having arp filtering ) to have actual antispoofing functionality
then now , with OA which even lacks basic check on the initial connection (3 way handshake) , u claim that it helps against spoofing like others (which have actual arp filtering with the basic 3 way handshake )

r u joking ?
or may be we are confronted here with a case of an OA fanboy

anyway neither OA 2.0 final nor 3.0 beta has any classical arp filtering

 

I disagree, as not all users will install a beta.

It is down to the vendor on what they add,.. but whatever they do add sould be implimented correctly.

Well, simply looking at problems or possible problems from your own setup is a little shortsighted for an open discussion. My own ISP is quite good and I see no problems with attempts at ARP spoofing, DOS attempts etc, but does that mean I should not look into such possible problems?
Maybe that is the attitude of most vendors, that such problems are down to the ISP and they should have no need to put in place certain filtering, it would certainly be a bad attitude if that is how they look at possible problems from my point of view.

- Stem

 

I'm not talking about V2 because it was long time sgo I used it last time. I just do not remember its details.

No, I'm just beta-teamer who communicate sometimes with Mike on that or other questions. Fortunately, Mike is open enough to listen and to respond to such communications

What did make me think OA has ARP stuff ? This is plain simple. For one Mike said their team played with this and took some steps to help user, for two this can be seen in the logs with "log all events" enabled". I can't post those logs right now because those tests need a time and network resources I have only in my office, but if you insist I can run them next week.

No, I install FW in question to the VM, ask my admin to turn on the logging for this machine, start netcut and see the logs and results. No one FW that declared this kind of protection was able to protect computer in question fully. And yes, with protection it could do something while w/o it could do nothing. But it seems you are joking not even putting here any kind of logs, just repeating vendors claims.

 

Just to clear up some points.

OA V2 does have mac filtering, which does include anti-spoofing (certainly for the gateway), this I recently checked due to another question.

This is one of the log entries made when I attempted ARP spoofing of the gateway (OA v2)




Most firewall are simply based on allowing replies from an IP (+ ports) being connected to, OA does that using a state table.

- Stem

 

does windows xp built in firewall has the arp blocking or dos attack type?
thanks in advance

 

No, only TCP/UDP SPI + ICMP.

 

No, there is no ARP filtering within the XP firewall.

Some protection can be made against some forms of DOS, but do require some caution as they require registry changes. There are tools that will make these changes such as Hardenit,.. but again, caution is needed as to what settings you change/make.


- Stem

 

what about locking down system denniying changes to changes the registry?
i have lock down my pc to denny persistant changes to my system
does this help?thanks in advance.

 

I don't know. But won't it be better to add a user-side router to guard against such floods ??
For example: I have RIPv2 and Firewall enabled on my router. Hence DOS attack is very hard if not impossible.

 

I can't say for you, but I can surely say that I do not need such protection. I only had a single DOS issue for a very long time which was solved pretty fast by administrative means. I'm concerned much more about outbound, because I experiensed those attacks more often and they cannot be solved administratively. After all the most DOS attack can do is just temporary network disfunction, while private info leaked through outbound is lost forever and sometimes it costs money. And if I really cared about inbound I'd installed some good HW firewall in the first place.

 

My mention of using Hardenit is to help prevent some possible DOS attempts, (if they are wanted by the user)
Registry protection is certainly a good form of system protection, but simply protected an unchanged registry (not hardened) will in itself not protect from DOS.

 

I really have no interest if you personally need the protection or not,.. nor if it is protection I need, that was the point of the post you have just replied to.

I have never had any outbound attempt I was not expecting, so I do not need a firewall to have leak prevention,.. does that then mean I should take no interest and not check such functions in a firewall and possibly ask for improvement in areas that could be laking?

 

You are right. Unfortunately, this thread went to a general discussion as long as there was not clear evidence DoS attack really took place.

 

OK. I have finally managed to run a test. First I installed Outpost, Comodo and OA to the three different VMs, started netcut on the forth VM and made it attack the three computers. Outcome was completely equal. Networking went very slow, browsing produced a lot of errors, ICQ periodically lost connection. Then I setup gateway for a fixed arp-table. All the three computers with all the three firewalls felt much better. For 10 minutes no one lost ICQ connection, browsing was normal. It was out of my interest to study the other two FW logs, but OA log clearly showed rejected spoofed packets.