Change IP address to fix DoS, buffer overflow attack?

Discussion in 'other firewalls' started by R2D2, Dec 22, 2005.

Thread Status:
Not open for further replies.
  1. R2D2

    R2D2 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    70
    Location:
    Tatooine
    Is it really effective to change your IP address from one that has been attacked with a DoS or buffer overflow?

    I did read about it in an article. If I find it again, I'll post it here.

    Jeff
     
  2. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Do you have a static IP address? You can check your IP by typing Start > Run > cmd, OK > ipconfig. If you restart your connection and you have DHCP, it will change.

    If you have a server it won't make any difference if you change the address because people will get it when they visit the site.

    I don't think people are attacked out of the blue.
     
  3. R2D2

    R2D2 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    70
    Location:
    Tatooine
    Hi iceni60,

    Yes, it's just a static IP, not a server. I should've included that info.

    I'm connected to a Linksys router w/NAT. I guess my IP is hidden from the outside anyways because my ZoneAlarm firewall isn't showing portscan hits in its log.

    Jeff
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If your IP is static and you were subjected to a DoS, then you might want to contact your ISP for support and look into getting it changed. DoS attacks are not something most home users not running any services usually have to worry about.

    Buffer overflows are usually something that is exploited in a vulnerable application/service. Again unless you are running a service which is vulnerable and is exposed to the Internet, changing your IP is not going to help. The overflow/application/service would need to be fixed.

    Systems behind the router will have private non-routable IP addresses and are not exposed to the Internet unless you forward any services/ports. The router's outside interface will have your public IP that the Internet sees and will handle all unsolicited inbound traffic which is why your ZA logs are not seeing these.

    Regards,

    CrazyM
     
  5. R2D2

    R2D2 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    70
    Location:
    Tatooine
    Thanks CrazyM!

    That useful info cleared things up for me!
    Now I understand what's going on.

    I was assuming a DoS attack during my web browsing activity about a couple of weeks ago because for some reason, I couldn't get access to specific websites and my Yahoo email. This went on for about a week until I decided to wipe out/reformat my hard drive after unsuccessful detection with malware scans :( , then reinstalled my backups - PC works smoothly now. :cool:

    But I wonder, what could've prevented my access to those websites?

    Jeff
     
  6. Arup

    Arup Guest

    CrazyM,

    How about P2P where giving inbound rights to certain ports is the rule? Do you think there is a chance to get a buffer overflow DDoS attack there?
     
  7. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Hi Arup,

    It depends on who is listening behind the forwarded ports. If there's no service/application important for your security, I'd say the chances of a successful attack are practically nonexistent. Supposing it's only a P2P client using these ports, the attacker will gain nothing if it stops or hangs such an application. Even compromised, it has no functionality that could be exploited to reach your system.

    isnogood
     
  8. R2D2

    R2D2 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    70
    Location:
    Tatooine
    I do use P2P sometimes and ZoneAlarm blocks a lot of incoming hits. I have ZA set at stealth mode which is supposed to hide my computer from hackers, but apparently it doesn't work (maybe just not by using P2P) and I don't believe any firewall can actually do that.

    Jeff
     
  9. Arup

    Arup Guest

    Isnogood, thanks for the reply.

    When you use P2P, you are giving inbound rights to the particular P2P client so, in a way, you are out in the open to others on the P2P network, but then the IP filter is supposed to filter out the baddies.
     
  10. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Yes, exactly. You should only open "safe" ports, i.e. those used only by P2P. Exclude any other application ports, and don't ever open ports < 1024! :p. You'd better have good SPI/IP filtering, because when you have hundreds of connections open, everybody knows you are there even if your firewall is stealth. So you may be subject to a lot of scans (just to check out if there are any other open ports with some services listening :)

    R2D2: that's why you see many port scans while using P2P.

    isnogood
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that link, CrazyM. Very informative article.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  13. Arup

    Arup Guest

    The protection methods described in this paper can be implemented by Harden IT, most of them anyway.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    One reason I didn't try HardenIT is that their site doesn't show what the Registry changes are, and I don't make Registry changes without seeing them first.

    Even at that, it's confusing. The article referenced in CrazyM's post mentions that Microsoft recommends:

    hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=1 REG_DWORD

    Yet the Win2000 Hardening Guide recommends

    SynAttackProtect REG_DWORD 2

    Other sources recommend DWORD=1 so that you can add advanced parameters, yet the Win2000 guide lists the same advanced parameters with SynAttackProtect DWORD=2:

    TcpMaxConnectResponseRetransmissions REG_DWORD 2
    TcpMaxConnectRetransmissions REG_DWORD 3
    TcpMaxDataRetransmissions REG_DWORD 3
    TCPMaxPortsExhausted REG_DWORD 5

    and these values are different in other documents which purport to quote Microsoft. One writer traced a list of values back to an article dealing with Server 2003.

    Some writers say all of this is more applicable to networks than for home use. In fact, the Win2000 Hardening guide states:

    "Denial of service attacks are network attacks aimed at making a computer or a particular service on a computer unavailable to network users."

    So it's all confusing for the home user.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
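    A read-only check of the values quoted in the post above, added here as an example (it is not from the thread and not part of Harden-It): it reads the current Tcpip\Parameters values and compares them with each of the two baselines quoted, so the existing state is visible before deciding on any change. The key path and value names are the ones quoted in the post; the function name and the profile labels are my own.

```powershell
# Added example (not from the thread): read-only audit of the Tcpip\Parameters
# values discussed above, so the current state is visible before any change.
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Baselines exactly as quoted in the post; which one is "right" is the open question.
$Baselines = @{
    # Microsoft article: only SynAttackProtect=1 is quoted
    MicrosoftArticle = [ordered]@{ SynAttackProtect = 1 }
    # Win2000 Hardening Guide values
    Win2000Guide = [ordered]@{
        SynAttackProtect                     = 2
        TcpMaxConnectResponseRetransmissions = 2
        TcpMaxConnectRetransmissions         = 3
        TcpMaxDataRetransmissions            = 3
        TCPMaxPortsExhausted                 = 5
    }
}

function Get-TcpipHardeningState {
    # Compare what is actually set in the registry with one of the quoted baselines.
    # A value that is absent means the stack's built-in default applies.
    param(
        [ValidateSet('MicrosoftArticle', 'Win2000Guide')]
        [string]$Profile = 'Win2000Guide',
        [string]$Path = $TcpipKey
    )
    $baseline = $Baselines[$Profile]
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $baseline.Keys) {
        $current = $props.PSObject.Properties[$name]
        [pscustomobject]@{
            Name     = $name
            Current  = if ($current) { $current.Value } else { '(not set; OS default)' }
            Expected = $baseline[$name]
            Matches  = [bool]($current -and [int]$current.Value -eq [int]$baseline[$name])
        }
    }
}

# Show both views side by side; nothing is written to the registry.
'--- vs. Microsoft article ---'
Get-TcpipHardeningState -Profile MicrosoftArticle | Format-Table -AutoSize
'--- vs. Win2000 Hardening Guide ---'
Get-TcpipHardeningState -Profile Win2000Guide | Format-Table -AutoSize
```

    Run it in an elevated PowerShell prompt if the key is not readable to the current user; a row showing "(not set; OS default)" means that value has never been touched on the machine.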
     
  15. Arup

    Arup Guest

    When you apply Harden IT, every setting is described in detail. If you want more, there is a tab where you can get even more details. This is one of the best hardening tools out there; use it and you will see why.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Also, Rmus, every change made by Harden-It can be reversed and your original settings will be restored. So there isn't much danger of messing things up. I have used it with success, no troubles. I would shy away from Secure-It on the other hand.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK - since two experts have recommended it, I'll give it a try.

    But do you disagree with the statement that all of this is more applicable to networks than to a single home user?

    In other words, why all of the fuss!

    Thanks,

    -rich
     
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It is more applicable to servers with services exposed to the Internet. If you are not running any services, you should not need those changes. Your router/firewall should drop most of this as unsolicited inbound traffic. Do you need to harden your system against a syn flood when it will never see a syn packet?

    Regards,

    CrazyM
     
  19. Arup

    Arup Guest

    Well, many home users do P2P or gaming and are, in essence, as vulnerable as servers, so it's a good idea to harden it for extra protection.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    So, like any other aspect of security, the user needs to evaluate what the risk is.

    That's why I see it's difficult sometimes for CrazyM and others to give a definitive answer to a question when you don't know all of the particulars.

    Good discussion.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Let's put it this way.. there's nothing about Harden-It that can hurt you.. least not that I know of. And if you're running kerio 2 there with its frag hole, might just be a good idea to apply it just in case...
     