firewalls protecting against DOS attacks

Discussion in 'other firewalls' started by hany3, Jan 4, 2008.

Thread Status:
Not open for further replies.
  1. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    DOS attacks, or denial of service attacks, are a large group of attacks with many subtypes.
    This type of attack relies on ARP spoofing, and it simply does not aim at
    actual hacking; its target is to cut the internet service temporarily from the victim's computer, "like netcut".

    And as I have used many firewalls, I always consider 2 important criteria in a firewall before I pay for it:

    1st powerful leak testing protection
    2nd protection against DOS attacks and flood attacks

    And I was surprised that only a few firewalls implement DOS protection, like:

    1-Outpost firewall
    2-Comodo firewall
    3-Lavasoft firewall "same Outpost engine"
    4-Jetico firewall "in the recent versions only"
    maybe also Look 'n' Stop

    The leaders in DOS attack protection were Outpost & Lavasoft,
    but you know how buggy Outpost is.
    For example, inside the local network,
    when anyone was trying to use netcut or an ARP spoofer,
    the Outpost popup states that someone with the following IP address and MAC address is enumerating users on the local network
    or is trying to declare itself as a gateway,
    and it was efficiently protecting against these kinds of DOS attacks.

    Outpost not only detects the user on the local network who has already cut the service using netcut,
    but it also efficiently detects the user who is just opening netcut on his PC and enumerating other users on the local network without trying to cut the service.

    http://img72.imageshack.us/img72/1008/93060053qx2.jpg

    But other firewalls, even the top-rated ones, don't provide DOS attack protection, like:

    1-ZoneAlarm
    2-Online Armor
    3-BlackICE
    4-Kerio
    5-etc.
     
    Last edited: Jan 4, 2008
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Hi!
    just a point of clarification... are you talking about external attacks or attacks within a LAN?

    From your description, it is just attacks within a LAN... Whatever protection you apply, if you give freedom of movement to PCs in a LAN, there is always a way to cause disruption...

    So, the issue (IMO) is not having a good firewall but setting up the PCs in a LAN properly (e.g. limited accounts).

    If you are talking about external attacks, I am afraid that whatever firewall you have they can disrupt your connection depending on the volume of flooding you get.

    ARP poisoning and similar issues were already discussed extensively here... just use the search function.

    Cheers,
    Fax
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In many setups, that is not possible. There are many on shared untrusted LANs, such as at college, or even as myself (and many others), on an ISP LAN.
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I believe 8Signs has DOS protection.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi hany3, Welcome to Wilders,
    The default settings within outpost do need to be changed to make such interceptions (as I mentioned here)

    Outpost will see a node that is making many requests, as this is a sign of scanning, therefore scanning is a possibility for an attack. But as I have mentioned (on the above linked post), the actual gateway could also be seen as scanning, so caution is needed, as the gateway could be blocked.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    :blink: You mean you have colleagues doing DOS to your machine? :D

    Fax
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Diver,
    There are many forms of "DOS", some can be prevented simply by hardening the OS.

    Such as a DOS attack against your bandwidth (where a sustained attack from inbound packets is made), then there is no (on host) protection from that. We see reports on such attacks where servers are down for hours/days.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    LOL, No, I mean what I posted.:p
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Yep, sorry for the bad joke :cool:

    Fax
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think the bad joke is how software firewalls take more time with leak prevention than packet filtering.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Leak prevention is more 'sexy' and sells more than packet filtering
    By the way, what is this 'packet filtering' :p :D

    Fax
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    A few firewall vendors probably ask that :ninja:
     
  13. wat0114

    wat0114 Guest

    Or have been asked and don't respond to the question ;) :ninja:
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Hardware Firewall Routers are hardly expensive these days and they all seem to say they have DOS protection on the box. Is there a reason why some still stay with a basic modem?
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is for me a question of what DOS protection is in place.
    Please show me a firewall vendor that shows DOS protection, then we need to look for the "Type" of DOS protected from. We can then debate this.
     
  16. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    You might be able to debate this but I have no idea what it all means. Today I saw a Router Firewall made by Buffalo which made reference to DOS on the box.
    I use an old Netgear DG834 and the help files say things like
    "With SPI, the router looks at individual packets for patterns similar to known hacker techniques, such as Denial of Service (DoS) attacks......" Is this all BS or do these boxes provide any protection? As a home user, am I likely to be attacked?
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Sorry, maybe "Debate" was incorrect for me to say. I should have said, I will try to explain these with open discussion.

    Basically they will attempt to put forward that unsolicited, or simple spoofed packets are dropped. Yes, these can be used to DOS, but the protection I see is very basic and is only protection from such as scans (which most software firewalls will do) with possible follow up (see below)
    To say it is BS would be incorrect without them actually putting forward full disclosure of the protection they have in place against a shown attack.
    Very unlikely, the only possibility is if you use server software, as this can cause attention.

    Do be aware that DOS attacks against home users are made against open ports (Application layer), as these are actually made against the way the OS processes these.
    If you are simply running with all ports closed (or stealthed) then such bypass is very rare, as the only attack possibility is against the ports used while you are online, and a good packet filter firewall will protect from the spoofed/bad/malformed inbound on these ports.

    NOTE: I am only looking at Application layer on this reply
     
  18. wat0114

    wat0114 Guest

    Apparently there is a difference between "home router" SPI protection and "commercial router" SPI protection, with the commercial router incorporating much better SPI. I don't know, but it would not surprise me. After all, you usually get what you pay for. Is too much, perhaps, being expected from cheap home routers or basic PC firewalls?
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    @Stem

    What sort of OS hardening did you have in mind for protecting against DOS? How would you do these things on XP or 2003?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have a look at Harden-it

    http://www.sniff-em.com/hardenit.shtml
     
  21. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Stem - thanks - very interesting. If there is a "better" hardware Firewall that, as a home user (no site, no server software), I could buy, I would be interested in doing so. Any software solutions would have to have no or minimal performance impact for me to be interested. For nearly a year now I have operated with nothing but the Netgear - i.e. no software firewall, no AV real time, no AS real time, no HIPS and so on. I made these changes following 11 years of trying almost every program that came along. For the first 10 years or so I thought these programs were protecting me in some mysterious way, but eventually realized that although they were very good false positive collectors, no one seemed to be attacking me nor sending me spyware, viruses, etc.

    Every so often I install an on-demand program to check and find nothing. If there is a favorite program that anyone recommends, I will be happy to check.

    Anyway, my only real concern had been how good the firewall is - but after a year on nothing I'm starting to think that my sort of user is of no interest to the bad boys?
     
  22. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hi all my friends in the forum,
    thanks for your valuable replies.
    I appreciate all of them.
    So, I am a member of many security forums,
    but I finally decided to join this famous forum.

    {snip - let's leave the discussion of activity of other forums at those other forums, no need to raise it here - Blue}

    Anyway, back to DOS attacks.

    1- I think many users are liable to DOS attacks.
    Me, as a member of a commercial wireless network,
    I am always subjected to that kind of attack from other users within the wireless LAN,
    and I think it is a wonderful job of the firewall to know the IP address and the MAC address of the computer that is trying to cut the net from my PC, even if it couldn't protect me from such denial of service attacks.

    2- Sure, Outpost and Lavasoft should be configured to be able to detect users who are just enumerating other LAN hosts; it can't be done on the default configuration.

    3- Sometimes the response of the firewall "Outpost" to such DOS attacks is to block the intruder as well as the original gateway, so finally the firewall protects the victim's PC from spoofing by blocking the gateway, which results in actual cutting of the net service, so it protects against cutting the net by cutting the net.

    The main difference is that it is not the attacker who cuts the net
    but the firewall itself,
    but you will get the same result.

    4- Many of the current firewalls don't protect against DOS attacks, and it's so strange. They are interested in leak protection and leave a security hole like this.
    For example, I did a thread in the Online Armor forum requesting such a feature.

    By the way, I'm a member in the Outpost, Lavasoft, Comodo, Online Armor and many other firewall forums
    under the same name.

    Thanks all,
    cheers


    Dr. Hany Samir
     
    Last edited: Jan 5, 2008
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Long View,
    If your setup is working for you, then there is really no need to change it.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It does depend on if the attacks are successful.
    Do you place a static ARP entry into the cache for the gateway?
     
  25. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Yes, sometimes it's successful,
    although I enter a static gateway in the LAN settings.
    I make my gateway static, not a dynamic one, to protect it from being falsely changed by another user using netcut, winarp spoofer, switch sniffer or any other spoofing software.
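
An added example, not part of any post in this thread and not Outpost's own logic: a small ARP monitor that flags the two behaviours discussed above (a host enumerating the LAN, and a host claiming to be the gateway) while pinning the gateway's MAC so that the real gateway is logged but never blocked. The addresses, thresholds and the one-line record format are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed values for illustration (constructed, not from the thread).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"   # pinned, like a static ARP entry
SCAN_THRESHOLD = 5                  # distinct IPs asked for ...
SCAN_WINDOW = 10.0                  # ... within this many seconds

# Constructed ARP observations: "time op sender_mac sender_ip target_ip"
SAMPLE = (
    # the real gateway refreshing its own ARP table (looks like a scan)
    [f"{i}.0 request {GATEWAY_MAC} {GATEWAY_IP} 192.168.1.{10 + i}" for i in range(6)]
    # one host asking for five neighbours in under a second
    + [f"7.{i} request aa:aa:aa:aa:aa:01 192.168.1.23 192.168.1.{2 + i}" for i in range(5)]
    + ["8.0 request bb:bb:bb:bb:bb:07 192.168.1.40 192.168.1.1",   # normal lookup
       "9.0 reply aa:aa:aa:aa:aa:02 192.168.1.1 192.168.1.40"]     # false gateway claim
)

def analyse(lines):
    """Return (alerts, blocked MACs) for a sequence of ARP observations."""
    alerts, blocked = [], set()
    probes = defaultdict(list)          # sender MAC -> [(time, target IP)]

    def alert(kind, mac):
        if (kind, mac) not in alerts:   # report each finding once
            alerts.append((kind, mac))

    for line in lines:
        ts, op, mac, sender_ip, target_ip = line.split()
        ts, mac = float(ts), mac.lower()
        # Rule 1: someone other than the pinned MAC speaks as the gateway IP.
        if sender_ip == GATEWAY_IP and mac != GATEWAY_MAC:
            alert("gateway-claim", mac)
            blocked.add(mac)
            continue
        if op != "request":
            continue
        # Rule 2: many distinct targets from one MAC inside the window.
        recent = [(t, ip) for t, ip in probes[mac] if ts - t <= SCAN_WINDOW]
        recent.append((ts, target_ip))
        probes[mac] = recent
        if len({ip for _, ip in recent}) >= SCAN_THRESHOLD:
            if mac == GATEWAY_MAC:
                alert("scan-suppressed", mac)   # log it, never block the gateway
            else:
                alert("enumeration", mac)
                blocked.add(mac)
    return alerts, blocked

if __name__ == "__main__":
    for finding in analyse(SAMPLE)[0]:
        print(*finding)
```

Without the pinned-MAC exemption in rule 2, the gateway's own lookups would cross the same threshold as the scanning host and the monitor would cut the connection itself.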
     