Was my router's inbound protection bypassed?

Discussion in 'other firewalls' started by CoolWebSearch, Jun 4, 2009.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    Hello, everybody.
    I need some help about the router, I'm not 100% sure if my router's inbound protection was bypassed.
    There are several cases:

    1) The last time I asked what to do in order to completely disable router's protection like it's not even there I've been answered to go to DMZ and type the IP address of my LAN.
    I did that.
    I also disabled firewall and SPI in router.
    I tested this on Outpost Pro and Comodo Pro.
    Comodo blocked in 30 minutes about 119 intrusions. Outpost's log in 20 minutes reported about 100 of them (always from the same IP)

    However, when I tried to disable DMZ and turned on firewall and SPI in router Comodo/Outpost were the ones who were blocking the same IP address that was trying to get into my computer, even though DMZ was disabled and firewall and SPI in the router were enabled.
    I guess he/she remembered my LAN's IP address in DMZ...
    But still it worries me that I will never be completely safe with router's inbound protection.

    2) Second case: Ok, this is the time when I use a combination of router's and Windows XP firewall's inbound protection:
    A very few things worried me:

    Here is the Windows XP firewall's log:
    date time action protocol src-ip dst-ip src-port dst-port

    2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1182 1462 A 2465066380 2016553108 11792 - - - RECEIVE
    2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1182 274 AP 2465067802 2016553108 11792 - - - RECEIVE
    2009-06-03 19:25:29 OPEN TCP 192.168.2.25 91.202.65.140 1191 80

    2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1184 40 FA 2467709894 4021008315 8576 - - - RECEIVE
    2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1182 40 FA 2465068036 2016553109 11792 - - - RECEIVE
    2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1185 40 FA 2481374014 3110694165 7504 - - - RECEIVE
    2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1186 44 SA 2474428359 3762131640 5840 - - - RECEIVE

    2009-06-03 19:25:33 DROP TCP 76.76.23.105 192.168.2.25 80 1186 44 SA 2474428359 3762131640 5840 - - - RECEIVE
    2009-06-03 19:25:39 DROP TCP 76.76.23.105 192.168.2.25 80 1186 44 SA 2474428359 3762131640 5840 - - - RECEIVE


    2009-06-03 19:27:25 CLOSE TCP 192.168.2.25 217.72.76.121 1177 80
    2009-06-03 19:27:26 CLOSE UDP 192.168.2.25 85.114.32.7 1041 53
    2009-06-03 19:27:26 CLOSE TCP 192.168.2.25 91.202.65.146 1159 80

    2009-06-03 19:27:26 CLOSE TCP 192.168.2.25 91.202.65.146 1160 80

    So what worries me here: It worries me that "Drop TCP and Close TCP" thing.
    Isn't router simply enough to block all inbound attacks without the help of Windows XP firewall?

    That Drop TCP especially from the IP 76.76.23.105, who was somehow able to get through the router's inbound protection even though both firewall and SPI were enabled?
    If I did not have Windows XP firewall enabled I would be hacked!
    Right or wrong?

    So, my question, after giving you these examples should I go back to software firewall's inbound protection (with DMZ and LAN's IP address enabled)?

    Thanks to all help I can get.

    One more thing do I really need a HIPS in my computer if I have disabled auto-run?
    Basically I have disabled any possibility for malware to run, so why would I need HIPS with firewall?
    Sure I could use Comodo and its Defense+ or Outpost's Host protection, but the problem is why do I need them if malware can't run on USB, CD, DVD, HDD or any other portable media, since I disabled auto-run?
    Thanks for your help.
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    Hello, everybody, once again, I just searched through the IPs that were dropped by my Windows XP firewall:
    209.62.45.43: www.ipillion.com this is a website where you can identify where attacker comes from, but why is TCP blocked by Windows XP firewall? It doesn't make any sense.

    209.85.135.100: this is www.google.com, it doesn't make any sense why would Windows XP firewall block TCP from www.google.com, it doesn't pose any real danger!

    76.76.23.105: another completely harmless website about APACHE server, I just don't understand!
     
  3. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Ignore the Drops.
    Happens all the time and not a threat.
    Other software firewalls would make a big deal of the dropped connections to show how well they protect.
    But happens all the time and nothing unusual.
    I skipped the logging of the dropped connections in windows xp firewall and just stick to the logging of the regular established connections.

    Close I think means the connection is now closed or finished and Open means the connection is established.

    12fw
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This looks like some outbound connection was closed locally, but remote didn't realize it yet and continues sending the packets. Windows firewall drops the packets because a connection is already closed, router passes the packets because it cannot know that a connection is already dropped by a system. This is quite a common situation.
     
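One way to check alex_s's reading against the log itself, as an added example that is not part of this thread: a small Python triage script for the Windows XP firewall log layout shown in the first post. It treats a dropped packet with the ACK flag set as a reply to a connection this host opened (what the router's NAT table still forwards after the local socket is gone) and a bare SYN as genuinely unsolicited; the sample rows are constructed, and 203.0.113.9 is a documentation address, not a real peer.

```python
"""Triage DROP entries in a Windows XP firewall log (pfirewall.log).
Added example for this thread, not any poster's code. SAMPLE_LOG is constructed
in the W3C layout shown in the first post; 203.0.113.9 is a documentation
address standing in for an unknown remote host."""
from collections import Counter

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

SAMPLE_LOG = """\
2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1182 1462 A 2465066380 2016553108 11792 - - - RECEIVE
2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1184 40 FA 2467709894 4021008315 8576 - - - RECEIVE
2009-06-03 19:25:29 DROP TCP 76.76.23.105 192.168.2.25 80 1186 44 SA 2474428359 3762131640 5840 - - - RECEIVE
2009-06-03 19:25:29 OPEN TCP 192.168.2.25 91.202.65.140 1191 80
2009-06-03 19:25:40 DROP TCP 203.0.113.9 192.168.2.25 4444 445 48 S 1234567890 0 65535 - - - RECEIVE
2009-06-03 19:27:25 CLOSE TCP 192.168.2.25 217.72.76.121 1177 80
"""

def parse_line(line):
    """Map one log line onto FIELDS; None for blank or '#' comment lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    parts += ["-"] * (len(FIELDS) - len(parts))  # OPEN/CLOSE rows have 8 columns
    return dict(zip(FIELDS, parts))

def classify_drop(rec):
    """Label a received DROP TCP entry by what its TCP flags imply."""
    flags = rec["tcpflags"]
    if "A" in flags:
        # ACK set: a reply (or post-close straggler) to a connection this host
        # opened. The router's NAT entry still matches, the local socket is gone.
        return "late-reply"
    if flags == "S":
        # Bare SYN: nothing here asked for it; only DMZ or a port forward lets it in.
        return "unsolicited-syn"
    return "other"

def triage(log_text):
    """Count DROP classes; return the unsolicited SYNs worth a second look."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or (rec["action"], rec["protocol"], rec["path"]) != ("DROP", "TCP", "RECEIVE"):
            continue
        label = classify_drop(rec)
        counts[label] += 1
        if label == "unsolicited-syn":
            review.append((rec["src-ip"], int(rec["dst-port"])))
    return counts, review
```

Run `triage(SAMPLE_LOG)` on the constructed rows: the three drops from port 80 are late replies, and only the bare SYN to port 445 is worth asking the router about.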
  5. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Nice explanation alex_s.

    12fw
     
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    To the OP: I understand you're not sure if your router's 'firewall' is running properly?

    Try resetting your router (and configure it again afterwards).
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Not expert in these matters at all, but here's what I've learned watching this site and few other sources:
    Autoruns isn't the only way scumware can get you.
    Let's say they hijack your browser or some Windows process to do something while you're using IE or Outlook or whatever might use any browser.
    And those hijackers can look as good as your windows MS files to the firewall.
    I think that's of concern why you need HIPS. But HIPS doesn't have to be in the firewall at all.
    A good, dedicated HIPS application will see the hijacking and alert you "userinit.exe wants to run xyz.exe and out to trojansForSale.com" type of thing.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    But as far as I know, you would be asked if "scum.exe" wants to install?
    It happened to me quite a few times, basically it asked Setup.exe wants to install, of course I clicked no.
    HIPS, as far as I know, will not alert you, if Setup.exe wants to install, right?
    It will alert you only when Setup.exe is already installed on your computer and then it continues to work its malicious work?
     
  9. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Should stop new unwanted installs and any 'unusual' or new activity by any previous known process or file (installed or otherwise).
     

  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,211
    I'm sure in Computer Management of my Windows XP Pro you could also control processes who want to run on your computer and stop potential danger, so really, I don't know why would I need HIPS then?
    And where in computer management I can enable this option?

    But what about exploits, I don't think HIPS can stop that, it's interesting for just how long I have a router I was never a victim of an exploit. Maybe router's protection is just that good...?
     
  11. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    I think you are thinking of files shared in the computer management.
    Perhaps you are actually thinking of the limited user account privileges to limit installs and changes to the operating system?
    This often ignored feature of the windows operating system by itself does act as a limited form of HIPs.

    HIPs such as SSM can stop exploits - rootkits, trojans, spyware, keyloggers, etc.
    And it is very useful for additional protection along side of the regular active antivirus.
    The antivirus relies solely on definitions based information, so it could miss some malware, whereas the HIPS works with just whitelisting and blacklisting of files and registry and services and so forth and thereby has a more exacting control.
    There are many other examples of other types of HIPS mentioned and discussed on this particular forum to be examined at your leisure.

    One of the pluses of some HIPS is a network control for applications/files - access can be denied or allowed and as to where.
    A nice addition to the regular software firewall for extra security or a simple complement for the XP's own software firewall that does not control outbound connections.

    As far as inbound network control is concerned, this is not the job of the HIPs. HIPS do not filter the packets.
    Inbound control is under the realm of the router and the inbound software firewall - even the XP firewall provides adequate inbound packet filtering.
     