Can I protect myself against network attacks?

Today my home computer was under siege. Kaspersky anti-virus alerted me to network attacks under the names of "Helkern", "Lovesan" and "TCP Syn Flood" attack. There were *hundreds* of such attacks reported by KAV, from different IP addresses. The worst part is that somehow, something managed to crash my Kerio Personal Firewall 4.1, and it became disabled, following this message:

"KPF.DLL driver. Exception occurred at address: 0x10076895. Exception code 0xC00000FD Firewall driver interface will be closed. "

Windows SP2 Security Center was active at the time, but it didn't say diddly to me to let me know that Kerio was no longer active. So much for a year's hard work on SP2 on the part of the engineers at Redmond.

I did not find any Trojan activity after all this, no programs resident in memory or trying to dial out, and KAV said it suppressed the attempts. But I still feel very vulnerable and want to prevent these types of attacks (be they direct network attacks or trojans) from ever reaching far enough into my system to be caught by Kaspersky. Because what if a trojan or network attack comes in that isn't recognized by KAV, or manages to crash and disable KAV? I figure my machine is being specifically targeted by a hacker, because KAV reports new attacks within *seconds* of disabling the firewall.

MY QUESTION IS THIS: Can a hardware firewall protect me against the network and trojan attacks described above? If so, does this include this little number in the link below (the Alpha Shield hardware firewall)? I ask because I might be able to get one gratis from a friend. It doesn't do routing, but I don't need a router, and it is "plug n' play" and can't be configured. But the ease of that is a benefit. From what I read, it basically just does SPI (stateful packet inspection), hiding your ports from internet scanners. It might also have something akin to NAT protection, but I'm not sure if that's so.

formatting link

Reply to
Bob Ladbury

I don't think that's the way it crashed the PFW. In a similar attack a while back, I've seen the firewall crash before my eyes, without warning. And I had Kerio configured not to give me any warnings in any of my rules. So it seems that it can crash the driver almost instantly. Let's face it, the SP2 firewall sucks; it's only good for incoming threats, and even in that regard, I'm not sure how good it is. But as I understand, it loads even before your PFW. So now I intend to employ both the SP2 *and* Kerio (I read that you can do this without incident), in the hopes that if Kerio crashes, the SP2 firewall will still protect me.

The message I described above wasn't a warning message, but simply an alert that something has gone wrong; issued I believe by Windows itself, not the PFW. (The firewall engine, as the message is saying, was no longer loaded, so it couldn't have been issued by Kerio). And yes, it was absolutely useless because it wasn't warning me of the threat, it was telling me my firewall was no longer activated. SP2's security center was supposed to 'officially' tell me that my firewall was no longer activated, but as mentioned, it didn't even do that!

This was no 'legitimate knock on the door', though. This was a flat out network attack on my system by Helkern and Lovesan; hundreds of times over from various IP addresses (which I presume cannot be traced to the attacker). Maybe the way the trick works is that the attacks come so rapidly, it overcomes the firewall's ability to intercept them, and causes the driver to crash after a time?

NO, the attack never intruded my system, and I never got any other warnings than the one above about the driver closing. Now if hackers can cause the Kerio driver to crash, I'm not so sure they can't cause SP2's dinky firewall to crash either. Don't forget, they can also engage the RPC service and cause the system to reboot (and then load any trojans they manage to list in the startup areas of your registry). This can disable the Windows firewall even if it's the first thing loaded on the system. I can't find a way to disable the service, which is a huge security risk to me, because Windows won't work without it. But I believe you can change the behavior of having it reboot the system.

I do not have anything like a standard configuration on my computers. I've taken way too many trips to BlackViper for it to remain that way. That means I've disabled every single service that wasn't absolutely needed, particularly the ones that are known security risks (i.e. SSDP discovery service). I've also taken trips to ShieldsUp!, where every single one of those blocks on the all-ports scan was green, indicating ALL my ports are stealthed and hidden from net probes. My Kerio shows when loaded that nothing but Kerio is listening to the net. I also have a drum-tight top level ruleset courtesy of Spongebob, the malware guru (including a rule at the end which blocks everything the other rules didn't). Despite all these precautions, hackers still managed to disable my firewall like it wasn't there, and flood my system with network attacks, or trojans. (For the trojans, all I have to do is be on the wrong site at the wrong time and BAM! It's been downloaded to my system via the http port 80, which I *can't* close if I have any plans of using the internet. Then the next thing I know, the programs are loaded in my registry and starting up on the next boot, and then sending out data.)

No, dude. There was only one warning message on behalf of the firewall (the others were from KAV and one from GIANT antispyware). Secondly, there could have been a million messages, but they don't obscure the system tray, which is where the SP2 balloon *should* have appeared! Do you want to KNOW the actual reason why it didn't appear? I'll tell you. When I checked the center at the time, it said the firewall was on, despite the fact that Kerio's blue shield no longer showed in the system tray. So the truth is, SP2's so-called security center is useless; it totally failed me. The whole SP2 pack hardly seems worth the extra 200-250MB of space it gobbles up on your drive. Unless you're into false senses of security...

Kaspersky didn't crash, and that's what saved my butt. My system was open and accessible insofar as the firewall was concerned, but Kaspersky is so darn good, it can block and warn of network attacks, trojans and the traditional viruses. (I somehow think Norton would have happily ignored all of this! If anyone knows for a fact whether Norton protects you against network attacks like Helkern, Lovesan or TCP Syn Flood attacks, please inform me if I'm wrong).

File sharing was disabled on this PC. SP2 is now enabled, along with Kerio. I never used netstat though, and it's interesting, but where can I go to get information to find out what these lines refer to, and whether I need or don't need them? I see lines saying these services (that I am not familiar with) are listening in: epmap, netbios-ssn, microsoft-ds, etc., and what appear to be port numbers. But I have no idea what should or can be shut down here, and how to do it.

Here's what I plan to do so far: get a router that has NAT firewall capability (like the LinkSys Etherfast), turn on SP2 firewall, return Kerio back to service (despite its ability to crash when a network attack bullies it, I know of no software firewall that's any better than it. If anyone knows of a firewall that is more likely to withstand these types of crashes, please let me know, and I'll try it out!). Also, disable RPC from rebooting, and whatever other holes I can plug up to strengthen my security. What I'd like to know, as mentioned in the title of my post, is after all this, will I finally be protected from the Helkern, Lovesan and TCP Syn Flood type attacks, or is there nothing I can do to have bulletproof network security on a home computer?!

Reply to
Bob Ladbury

I guess that was one purpose of the attack. And that's one more reason why PFWs often do such a bad job: they warn users of many useless "threats". And if there are too many "attacks" causing too many warnings in the PFW it may cause the PFW to crash. This would not have happened if you just used the SP2 firewall, which does not warn you of those "attacks".

Why the quotes for "attacks"? If you connect to the internet you have an IP address. Anyone can try to connect to this IP address, can send packets there, do a ping or whatever. There is nothing you can do about it. This is just like a door: you cannot prevent people from knocking on the door or trying to use the handle to open it. Having said that, it should become clear that those "warning" messages you describe are absolutely useless: if the door is properly closed nothing can happen. A firewall is there to close the door and it must not crash if someone just does a legitimate "knock" on the door. In fact, the most useless messages of PFW are those reporting "attacks" against ports that you don't even use, no server is running on that port: it "protected" you against a threat for which you are not vulnerable.

The SP2 firewall does a perfect job in closing all the open doors on your system (if you configure no exceptions). It does not produce useless "warnings"; it just drops the packets when someone tries to open a door which Windows left open. No big overhead. No big crashes. Just reliable work which does what it is supposed to do. Your PFW on the contrary gave the attacker the real ability to do something: to annoy you with warnings that kept you from working, eventually crashed the PFW and maybe even after that allowed him to intrude your system.

You can even go further, if you like: all those "open doors" that Windows has are services running on your computer in the standard configuration. Take the file sharing stuff: basically the services are running, providing the services on ports. If you don't configure the services properly or just shut them down, people from the internet may connect to them and - as we have seen in the past - exploit bugs to intrude a system. You can actually configure an XP system so that it does not open any ports on your system. There are descriptions out there that show you how. If you shut down all services that listen to the internet, closing all the ports, there is nothing for the attacker on the internet left except the IP implementation itself which should - let's hope - be free of major bugs. A system not offering incoming internet connections to your computer does not even need a firewall: there is nothing to attack because the IP stack simply discards any connection attempt to your computer just the way it is supposed to do. (And again, no need to warn you about perfectly normal behaviour.)

Well, maybe you did not see it between all those warning messages until it crashed.

It blocked them until it crashed I suppose. After that your system may have been open and accessible depending on what exactly crashed and what was still up and running...

Turn on the SP2 firewall. Don't allow exceptions. That should give you a quiet time until they give up. Try to figure out what service they attack (I would say the file sharing but it is hard to tell without more details). If you don't need file sharing, disable it and shut down the services associated with it (set them to disabled). Check your configuration with "netstat -a" in a command prompt window. Every line with LISTENING and every UDP line is a service listening on the network. A FW blocks traffic to these services but it would certainly be more efficient to shut down the services which you don't need anyway.

A hardware firewall does protect you as well. It does not offer "services" to the internet connection. It relays your outgoing traffic into the internet and just accepts replies to this. Anybody scanning your system would then see the situation as mentioned above with the turned-on SP2 FW or when all services are shut down. (Again, the SP2 FW should give you pretty much the same, as neither the SP2 FW nor the hardware firewall send you any pop-ups or strange warnings.) The hardware firewall would become essential in my opinion if you ran a local network with two computers that share files with file sharing. Then you need the file sharing service and it gets a little bit tricky to properly configure your XP (although even that is not impossible) with internet connection sharing and file sharing to a local network.

Gerald

Reply to
Gerald Vogt

I consider the SP2 PFW "half a firewall", and many I've read say it can peacefully coexist with a PFW. We'll see!

No, it's the opposite. I got a message from KAV telling me nothing happened because it suppressed the attack. The system was *attacked* but it wasn't *successfully* attacked. Whether you want to say it was "intruded" is a question of semantics. And in case you think KAV might be lying to me, I know it wasn't successfully attacked, simply because there are effects from the attack; no trojans sending data out or listening in, and no virus or trojans from a system scan via KAV. I didn't say "nothing happened" either. After all, the attacks did manage to disable my firewall...

I told you I disabled every service I could disable and still keep my system running, but I'm not sure if RPC is listening. I see some LSASS, SYSTEM and SERVICE names listening in, according to KPFW. But according to ShieldsUp!, ALL of my ports are stealthed. So from the point of view of someone on the outside pinging me for open ports, isn't that the same as having the RPC service not listening?

No, you don't get it. It's not because I have the malware already running, it's because it's coming through on port 80, which I need open to surf the net. The firewall doesn't stop it from coming in simply because I haven't configured it to block port 80 (or any of the other browser ports that I need to remain open), and once it came in, well it didn't stop it from sending data out, simply because the firewall was no longer active at this point.

Stupid question: why do I need SP2's Security Center if my firewall is capable of telling SC whether it is active or not? Do you see where I'm going here? Instead of relaying the information to SC and have SC relay it back to me, the firewall can simply tell me directly whether it is or isn't active, and then I wouldn't need to use up resources running SC. Therefore, as you explain it, Security Center is even more useless than I first mentioned.

I assumed, like a lot of people I imagine, it was the job of SC to monitor the firewall to check if it is active. But you're saying it's up to the firewall to tell SC when it isn't active. But how is it possible to do this if the program isn't active?

That's pretty simple, I can imagine a number of ways it could be done. Starting with the fact that Windows can monitor what services are or aren't active in memory, and know what has been taken out of memory (example: if you try to delete certain system processes in task manager, you'll get a warning telling you you can't do that). The SPF system can even monitor what files you're trying to delete off the hard drive. It's Windows' job to know what programs are loaded in memory, and to manage them. Ergo, it can know what is no longer active either by the address space used, or by any number of other markers.

Microsoft claims Security Center can warn you if your firewall is no longer working, and I never saw them state any caveats to the contrary, so long as your software has been established to work with SC. Most people who install SC have the expectation of it protecting them if their firewall goes south, which is what it is designed to do. Why would you think they would have any other expectation?

I'm sorry, but the fact that task manager showed Kerio was no longer in memory pretty much said the absence of the status tray icon was not a coincidence. The PFW software didn't tell SC anything, since it was no longer active. This is where SC SHOULD have been having bells go off. Remember, under normal circumstances, when I turn off the firewall, SC DOES pop up an alert. Under a network attack, according to my experiences, SC packs up its bags and dives under the bed, and shuts up until the intruder leaves.

Believe me, I would love to eliminate those remaining services, whatever the heck they are (mostly hidden under the names "SVCHOST" or "SYSTEM"), that insist on listening to the net. But that would bring my system to a crashing halt, and things would be breaking all over the place. That's why I have a firewall, so that while they may be listening in, outside forces should not be able to hear them. But it seems there are still some ways intruders can succeed at causing harm, and it's those that have to be looked at. So far, the vulnerabilities are trojans coming in on port 80, and direct network attacks that flood my system and crash the PFW, straight from the net.

No, I did not have file sharing on. As mentioned, long before I got hit, I disabled things in my XP Pro system that even Bill Gates doesn't know about. This was not and never was a networked system, so I had no reason to even have file sharing on. I already mentioned what KAV detected: the network attacks of Helkern, Lovesan and TCP Syn Flood. I was not already infected either, I had done a recent scan. And as mentioned, I never got infected by anything even after the attack.

Thanks for this, I had never heard of tasklist or rpccfg.

What's the point of that, if you are cutting yourself off from being able to use your PC?

I don't live a risky life! I'm not asking for problems. Rather, I've already done more than most to try to protect myself from net threats. I simply have a simple non-networked home computer system with a high speed modem, like many others. I simply want to be able to use it, without fear that I'll be hit by a net-based attack of some sort, when I'm away from it or on it. What's the point of accessing the net if you can't be safe, no matter what you do?

I'm curious to know whether these attacks are from a random intruder trying to crash my system, or a hacker scanning a wide range of systems to do this. I don't know if you're aware of this, but the network attacks I received are becoming the scourge of the internet, according to what I read. DoS is the new major threat on the horizon that could really cause widespread destruction, for which there currently is no cure-all solution. The best you can do is slow it down, but not stop the threat.

Reply to
Joe Samangitak

Two firewalls are generally a very bad idea, because they can interfere with each other ending up in undefined states. If one firewall drops something that the other one needs for SPI you are lost...

Exactly. And the problem is that your PFW does so much more than just packet filtering. It is just too complex. The SP2 firewall is much simpler and therefore more reliable and handles bigger burst traffic without problems.

a) how do you know that the system was never intruded. Didn't you say that your AV did pop-up? That means there was something on the system even if maybe the AV did prevent it from running. You believe nothing happened because you got no message telling you otherwise, which however does not exist anyway.

The SP2 firewall works on a different level, with much less overhead, integrated into the IP stack. It should IMHO not be able to flood it.

They cannot engage the RPC service on my system because the RPC service is not listening to the internet on my computer. Look out for rpccfg from the MS resource kit. It allows you to configure RPC. Again: it is possible to configure Windows in a way that no services are listening to the internet either because they have been shutdown or they have been reconfigured to listen to the loopback only.

That is a very good idea.

Yes, because you have the malware already running on your system. Your outgoing firewall did not help at all here... See?

You don't get it. The security center cannot check the proper status of all and any firewall and antivirus software. It is the responsibility of the PFW or AV maker to message the current state to the security center. The security center only relays information that it gets from the PFW or AV software. Anything else is not really possible. How should you write software that definitively and correctly figures out whether software XYZ is correctly running and working? The only one who knows this is the PFW/AV maker because he knows how the whole thing works and when something fails. The security center did not fail on you. It was the PFW software which still reported the PFW up and running while it actually was not. Microsoft cannot invent some mysterious algorithm to detect failed PFWs... You have the wrong expectations. If your AV software tells the security center it is up and running and up-to-date, the security center won't tell anything else. The existence or absence of a system tray icon does not say anything about the status of the software even if it was an indication for you that it did not work.

A properly configured Windows with no services listening to the internet. You don't even need the SP2 firewall then. The only thing someone can attack then is the IP stack but, well, you can't live without that one if you want to use the internet.

But I still don't get what has happened? What did Kaspersky detect? I suppose you had file sharing listening to the internet and someone attempted to copy something to your hard drive which your AV detected. Else, if you had already something running on your computer which tried to download something, you were already infected and obviously your AV failed already...

O.K. "netstat -a -o" gives you all the ports with all PIDs. "tasklist /svc" gives you the services running on the PIDs and the exe. (Check out the other options of netstat and tasklist and play around a little with them.) "sc query" lists all the services with state and the service name which you find with tasklist /svc. The display name is the one you should recognize from services.msc. For RPC you need rpccfg to rebind it as Windows cannot live without RPC.

I know a site in German that describes how to shutdown everything and how to do it. There is even a script that does it automatically for you.

Just to be clear: NAT has nothing to do with firewalls. It is a mapping mechanism of many IP addresses to one and relaying packets this way. In a firewall, NAT in this sense is actually the opposite of making things more secure as it allows packets coming in from the outside. The mapping between packets from the internet to your internet IP address and the mapping of that packet to your LAN IP address, i.e. the computer in the LAN, can never (theoretically) be 100% accurate. Early NAT implementations were really bad and could easily be abused to send unwanted traffic into your network. Current ones are much better and more reliable although there is always a chance that someone gets something in.

The firewall is basically between the internet and the NAT. It basically drops all incoming packets that do not belong to an existing conversation that initiated from the inside (except for what you configure into the firewall to let in) In my opinion you won't need the firewall on your computer any more after you install the hardware firewall. No one is able to connect to your RPC service after that because the hardware firewall does not forward packets to the RPC service to your computer...

No. There is no 100% security in life. Never. Ever. The only safe thing is not to connect to the internet, turn the computer off. (or better not buy a computer in the first place...)

First, there is always potential danger because of what you do. If you live a risky life you have to accept the danger. Second, there are always vulnerabilities. Third, there is always a random chance for an intruder, maybe like the one crashing your PFW, just by trying. Fourth, more (quantitative) security is generally not more secure, i.e. installing more security products doesn't necessarily improve the situation but may even void each other (wearing ten bulletproof vests is not safer than one if you cannot move anymore with the ten...). Fifth, security is about figuring out what the problems are, what the attacks are that you have to protect against, and solving these problems instead of finding ways to cover them up.

Gerald

Reply to
Gerald Vogt
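The netstat/tasklist correlation Gerald describes above (and his earlier "netstat -a" suggestion), worked through as an added Python example; this is not code from the thread or from Microsoft. The two command outputs are constructed to mimic the Windows XP format of `netstat -a -n -o` and `tasklist /svc` (made-up host 192.168.1.2 and made-up PIDs), and the script joins them on PID to show which process and service actually owns each network-facing socket:

```python
"""Correlate `netstat -a -n -o` with `tasklist /svc` (Windows XP format) to list
the sockets that face the network and the process / service that owns each one.

Added example for this thread; the two command outputs below are constructed
(made-up host 192.168.1.2, made-up PIDs), not captured from anyone's machine.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1400
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:1033       64.233.161.99:80       ESTABLISHED     2104
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1160
  UDP    192.168.1.2:137        *:*                                    4
  UDP    192.168.1.2:138        *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    880 RpcSs
svchost.exe                   1024 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, lanmanserver
svchost.exe                   1160 SSDPSRV
alg.exe                       1400 ALG
iexplore.exe                  2104 N/A
"""


def parse_netstat(text):
    """One dict per socket line of `netstat -a -n -o`; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        ip, port = parts[1].rsplit(":", 1)
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "UDP", int(parts[3])  # UDP lines have no State column
        sockets.append({"proto": parts[0], "ip": ip, "port": int(port),
                        "state": state, "pid": pid})
    return sockets


def parse_tasklist_svc(text):
    """Map PID -> {image, services}; wrapped service lists are re-joined."""
    procs, last_pid = {}, None
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = row.match(line)
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
            procs[pid] = {"image": image, "services": names}
            last_pid = pid
        elif line.startswith(" ") and last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last_pid]["services"].extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def network_listeners(sockets):
    """Sockets an outside host could reach: TCP LISTENING or any UDP socket,
    bound to something other than the loopback address."""
    return [s for s in sockets
            if (s["proto"] == "UDP" or s["state"] == "LISTENING")
            and not s["ip"].startswith("127.")]


def correlate(netstat_text, tasklist_text):
    """Join the two listings on PID, sorted by protocol and port."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for s in network_listeners(parse_netstat(netstat_text)):
        owner = procs.get(s["pid"], {"image": "?", "services": []})
        rows.append({**s, "image": owner["image"], "services": list(owner["services"])})
    return sorted(rows, key=lambda r: (r["proto"], r["port"]))


if __name__ == "__main__":
    for r in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        # PID 4 ("System") is the kernel: NetBIOS/SMB (137-139, 445) are served
        # by kernel-mode drivers, so tasklist shows no service name for them.
        svc = ", ".join(r["services"]) or "(kernel-mode, no service name)"
        print(f'{r["proto"]:3} {r["ip"]}:{r["port"]:<5} pid {r["pid"]:<5} {r["image"]} [{svc}]')
```

Sockets bound to 127.0.0.1 and the browser's ESTABLISHED connection drop out of the report; what remains (here: 135 owned by svchost.exe/RpcSs, and 137-139/445 owned by PID 4, i.e. the kernel's NetBIOS/SMB drivers) is exactly the set a scanner could reach the moment the personal firewall stops filtering, which is the list to work down with services.msc, "sc query" and rpccfg.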

The number of firewalls does not work mathematically. 1+1 may be a dead system ;-). I also think it should be O.K. but I just wanted to point out that it may have unwanted and surprising effects at times...

O.K. Maybe KAV does more than I expect from an AV. Usually AVs detect patterns in files, therefore I thought if KAV intervenes there must be something there already, even if it is not running and KAV deletes it immediately from your disk again.

O.K. This is exactly what you do not know. I think this is the case but you don't know. The security of your system was compromised. The attack did affect your system. You don't know the objective of the attack. It does not take much to craft a backdoor into your system that KAV won't detect because it does not know about it. An exploit in your Kerio may have given the attacker administrator access and the first thing after that was to reconfigure your AV and PFW to let the injected code run silently. Maybe something is running on your computer and maybe it is just waiting for a timeframe when the computer is turned on and you are away so you won't notice when all of a sudden something starts sending out e-mails. I don't know what has happened but all that I wrote before is possible, not even difficult to do and may have happened. Did you for example go through the complete configuration of your AV and PFW and check all settings?

In my opinion, the only way to be halfway sure that nothing happened would be to run a compare of your complete system against a recent backup and note all the differences. Certainly you should do this booting from a safe utility CD or something. If you know that there is no suspicious file on the system and nothing suspicious has changed in a system directory, then I think you might say "you know" under certain constraints.

Anyway, let's hope you are right...

Well the big difference is, if the RPC service is listening on the internet interface and someone disables your PFW as has happened to you, all of a sudden the RPC service is available from the internet. This may have been one objective of the attack: to run an RPC exploit after it disabled the firewall. If you have nothing listening to the internet, you would not even need the firewall because no service is listening and the IP stack would just drop packets for any port.

Maybe I don't get it. But there are two completely different things: out-going connections to port 80 and in-coming connections to port 80. A normal firewall would allow access from the inside to the outside port 80 because that is what you need for your browser. In-coming connections don't have to be blocked on port 80 because either you are running a web server and that's a completely different story or you are running no web server, which means nothing is listening on port 80. If you want you can let your PFW block in-coming port 80 but that won't affect your web-browsing.

I think I don't understand what you mean with "coming through on port 80". You cannot mean the remote port 80 because you were attacked and it did not happen while you were browsing. Second, you say "it didn't stop it from sending data out". That would mean again that you were actually compromised?

The security center is, as the name indicates, a place that is supposed to collect security relevant information and present it from a single point of view. It is a center which just surveys the status reports from other components. It reminds you if you don't update your virus definitions for a week or so. But it knows that only because it was told by the AV software. It is an attempt to combine security in one place, eventually maybe with only one tray icon with all security relevant information instead of three or so... It is a design decision that you may consider useless but I think it is just supposed to simplify things.

If the program is not active at all there is nothing to communicate with and the SC can detect that. This is possible. Anything else beyond that is a problem of the PFW or AV software. If you can deactivate your firewall with your PFW tray icon, how on earth should some other software like the SC know that the PFW is deactivated now? It is just impossible to tell unless the PFW tells the SC. The PFW and AV should be designed in a way that a failure in an important component does in fact signal the SC. But have you ever looked at how many components and services your PFW or AV consists of? It is very complex. The SC cannot make assumptions about every possible design to tell that if process XY is not running or not responding in time there is a problem...

As I wrote before, you cannot necessarily know which of the processes is actually the critical one. And anyhow, why do you think that a process was terminated when you found out that the firewall was gone? Maybe the process was still running, maybe even responding to Windows messages, but it was not active anymore doing its job. Processes may be running and may be in a deadlock waiting forever. To make an exact decision whether something is actually running and working or not requires a lot of insight into the design of the software you want to monitor. Something that SC does not have and that all those PFW and AV makers probably don't want to tell others in detail anyway.

Well it warns you if you turn off the firewall. But as with everything else, nothing works 100% reliably. And in this case, much has to do with the PFW maker, which was the reason why PFWs and AVs have to be certified, i.e. tested with SP2 to check that they interoperate properly.

Well, I never expected that from the SC and Microsoft does not claim that. Read

formatting link
where it basically says that they rely on the manufacturer information.

(In a sense, there is again the wrong conclusion in thinking like in the use of the security stuff in the first hand: you see how it works under normal circumstances and that it warns you if you turn your AV off. From that you assume that this will always be the case which however nobody claimed nor can be achieved.)

In this case the Kerio process is probably not the one communicating directly with the SC and there is another component that actually relays the status information of the firewall. Or maybe the exchange protocol is designed badly that it does not change status if it cannot communicate with the other process anymore. My guess would be the first one...

Here again you conclude from "normal" behaviour and expect that this always work the same anytime. The first thing that packed up its bag was the PFW.

Well, you have to identify them and shut them down. If you tell me exactly which services there are, then I might give you the right pointers. You know the commands for that now. The RPC service must run, but can be rebound...

Exactly what the SP2 firewall does.

Well, turn on the SP2 firewall with no exceptions. And please elaborate what you mean with "coming in on port 80" as there are actually two port 80s and I am still not sure which you mean...

O.K. I admit, I have no idea what KAV does exactly. It seems to scan network traffic as well.

Ooops. Sorry. I meant "shutdown everything unnecessary". Shutting down everything would work, too, obviously, but would really be useful in the end... I meant what you tried to do: shutting down all those unnecessary services running on a standard windows installation and thereby in the end closing all the open ports on the internet...

There is no 100% safety and security. Nothing can absolutely reliably protect your home from burglars. In the same sense you can do nothing if someone decides to flood your IP address. Your connection is dead until either the attacker gets bored, you do a DHCP renew to get a different IP address (which most ISPs don't do anymore) or you contact your ISP to either assign you a different IP address or block the incoming traffic somewhere on their edge router. There is nothing more possible in this respect. (You cannot prevent someone blocking your phone line by constantly calling you either, which some dumb fax machines reportedly do...)

You can influence how likely an attacker is to actually intrude your system. Keep your system up-to-date. The stupidest people in my eyes are always those where the attacker exploited a vulnerability which is long known and long fixed. If you have a machine that is only used for outgoing stuff as yours is, shutting down all unnecessary server services which Windows unfortunately runs by default is a very good idea. As I said it is possible to configure Windows in such a way that there is nothing left which listens to the internet. You don't need the SP2 FW nor a PFW then anymore, because the IP stack itself already blocks any unwanted incoming traffic and that is the most efficient place to do it. A FW would just add complexity and the efficiency suffers.

If you do that, you have pretty much all the network security that is possible for a simple system which you use for browsing and e-mail. The system security (protection against virus etc.) is then another topic which we could discuss endlessly.

I would say someone scanned for people with Kerio firewalls and focussed on a couple of them hoping that once the Kerio is down it could use another exploit to take over the machine.

No. I don't think it will come that far. But you cannot do much about it, like you can do nothing about someone blocking your phone line. These problems must be solved by the ISPs. There is a lot of research in computer science that tries to find the best ways to detect and fight DoS attacks. There are good solutions out there but as always technical progress is much faster where you can make $$$. Adding security does the contrary: it costs. (I always thought in those ancient dial-up times that ISPs have no interest in fighting spam mail because they actually make money when you download it to your computer. Now with flat-rate, high-speed it changes...)

The ISP has to trace the attack back to its source and cut the line there. This often requires much communication between different ISPs because the packets cross many ISPs on their way. For a DDoS it gets harder but even then it is not impossible...

But the funny thing in a way is: in all cases the resources used in a DoS or DDoS are infected machines, which have been taken over earlier...

Gerald

Reply to
Gerald Vogt
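The two points Gerald argues above (there are "two port 80s", and with nothing listening the stack itself refuses unsolicited connections so a stateful filter adds little) as an added Python model; this is not code from the thread, and it is a simulation, not real networking. The hosts, ports and the "attacker" are constructed, and the filter is a minimal connection-tracking rule: inbound traffic is admitted only if it answers a flow the PC opened, or hits a port configured as an exception. The same model is then run with the filter gone (the crashed-PFW case) to show that exposure then equals exactly the set of listening ports:

```python
"""Toy model of a stateful packet filter in front of a host, and of the host's
own TCP stack behind it. Added example for this thread; addresses, ports and
the attacker are constructed, and nothing here touches a real network.
"""
from dataclasses import dataclass

HOST_IP = "203.0.113.10"       # the home PC (documentation address, made up)
WEB_SERVER = "198.51.100.7"    # a site the browser visits (made up)
ATTACKER = "192.0.2.99"        # an unsolicited remote host (made up)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # "SYN" opens a connection, "SYN-ACK" answers one


class Host:
    """Simplified TCP stack: knows which ports have a listener and which
    outbound connections it opened itself."""

    def __init__(self, ip, listening_ports, first_ephemeral=1033):
        self.ip = ip
        self.listening = set(listening_ports)
        self.connections = set()   # (local_port, remote_ip, remote_port)
        self.next_port = first_ephemeral

    def connect(self, remote_ip, remote_port):
        """Open an outbound connection from a fresh ephemeral port."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.connections.add((port, remote_ip, remote_port))
        return Packet(self.ip, port, remote_ip, remote_port, "SYN")

    def deliver(self, pkt):
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return "ACCEPT"   # reply to a connection we opened (e.g. a web page)
        if pkt.flags == "SYN" and pkt.dst_port in self.listening:
            return "ACCEPT"   # new inbound connection to a service we run
        if pkt.flags == "SYN":
            return "RST"      # nothing listens on that port: the stack refuses it
        return "DROP"         # stray segment matching no socket


class StatefulFilter:
    """Admits inbound packets only if they answer a flow the host initiated,
    or hit a port explicitly configured as an exception."""

    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)
        self.flows = set()   # (local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        self.flows.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True
        return pkt.dst_port in self.exceptions


def run_scenario(listening_ports, firewall_on, exceptions=()):
    """Return what happens to three inbound packets for a given host setup."""
    host = Host(HOST_IP, listening_ports)
    fw = StatefulFilter(exceptions) if firewall_on else None

    def inbound(pkt):
        if fw is not None and not fw.inbound(pkt):
            return "DROP (firewall)"
        return host.deliver(pkt)

    # 1. the browser connects to a web server's port 80 (the *remote* port 80)
    syn = host.connect(WEB_SERVER, 80)
    if fw is not None:
        fw.outbound(syn)
    reply = Packet(WEB_SERVER, 80, HOST_IP, syn.src_port, "SYN-ACK")
    # 2. someone connects to the PC's own port 80 (the *local* port 80)
    probe80 = Packet(ATTACKER, 40000, HOST_IP, 80, "SYN")
    # 3. someone connects to the RPC endpoint mapper on port 135
    probe135 = Packet(ATTACKER, 40001, HOST_IP, 135, "SYN")
    return {"reply_to_browser": inbound(reply),
            "probe_local_80": inbound(probe80),
            "probe_local_135": inbound(probe135)}


if __name__ == "__main__":
    xp_default = {135, 139, 445}   # RPC + NetBIOS/SMB listening, as XP ships
    print("stock XP, firewall on     ", run_scenario(xp_default, True))
    print("stock XP, firewall crashed", run_scenario(xp_default, False))
    print("nothing listening, no fw  ", run_scenario(set(), False))
```

In every run the web server's reply to the browser gets through, and a probe at the PC's own port 80 never reaches anything, so blocking "port 80" inbound neither helps nor hurts browsing. What changes is port 135: with the filter up it is dropped, with the filter gone and RPC still bound to the internet interface it is accepted, and with RPC rebound (135 not in the listening set) the stack answers with a reset. One caveat the model makes visible: a closed port replies with RST, which a scanner such as ShieldsUp! reports as "closed" rather than "stealth", while a dropping filter shows "stealth"; neither state is reachable, the difference is only whether the probe gets an answer.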

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.