Author Topic: Block DDOS Attacks  (Read 20838 times)

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Block DDOS Attacks
« on: May 04, 2011, 06:24:09 PM »
Hello,
I am wondering how I can block DDOS attacks with Comodo Firewall. I have been threatened before (while playing online games) and lost my internet only for 5 minutes, then it came back on. I know there are different types of DDOS attacks and am curious if Comodo can stop some of them so I can be protected.

Offline Jacob

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2808
Re: Block DDOS Attacks
« Reply #1 on: May 04, 2011, 06:27:05 PM »
By default this is enabled in CIS/CFW.
It was an option in 3.x and I believe that it was decided to be default in 4.x/5.x.


Enable "Do Protocol Analysis" for extra protection against DDOS attacks
(CIS > Firewall > Firewall Settings > Advanced) ~ this may slow down your internet connection


Tip: you may want to use Custom Policy Mode for better control and security

Note: Your hardware firewall may need configuring as well, as they could clog it with packets.


 Kind Regards :)

Jake

« Last Edit: May 04, 2011, 06:39:11 PM by Jacob »
Thanks....Jake

Please Follow The Forum Rules!


I'm Offline!

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #2 on: May 04, 2011, 06:39:41 PM »
I use custom policy and have every single thing under behavior settings checked (protect ARP cache etc.). I have created rules for all my games and programs (block everything in, let everything out) and can't figure out how they can do this still. I do have a firewall on my router. It's set to medium (Inbound: Reject and Outbound: Allow). Is there a setting I forgot to change for my router firewall?
« Last Edit: May 04, 2011, 06:49:11 PM by shoober420 »

Offline Jacob

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2808
Re: Block DDOS Attacks
« Reply #3 on: May 04, 2011, 06:43:34 PM »
Quote from: shoober420
I use custom policy and have every single thing under behavior settings checked (protect ARP cache etc.). I have created rules for all my games and programs (block everything in, let everything out) and can't figure out how they can do this still. I also have no hardware firewall. Could this be why I can't block DDOS attacks?

It could be with your hardware firewall/router... Let me let one of the Mr. Miyagis of networking take a look at this thread; they have more insight and knowledge of such topics.

(May take a day or 2 for them to respond)

Kind Regards :)






Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #4 on: May 04, 2011, 06:50:49 PM »
OK. Just so you know, I pass every GRC ShieldsUP test.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Block DDOS Attacks
« Reply #5 on: May 04, 2011, 07:02:20 PM »
Quite often routers have a setting that allows rate filtering for ICMP and SYN floods. There should be something in the router documentation regarding this. What is the router make and model?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11458
  • Linux is free only if your time is worthless.;-)
Re: Block DDOS Attacks
« Reply #6 on: May 05, 2011, 07:00:51 PM »
The DDOS attack is directed against your router, not your PC. A router has two network interfaces, one inward facing (same IP address range as your PC) and one outward facing (publicly accessible IP address assigned by your ISP). The only one of these that gets exposed to the internet (and therefore to the attack) is the outward facing address.

You need to look at, and harden (if possible), the router's firewall inbound rules.

HTH
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #7 on: May 06, 2011, 12:39:22 AM »
I have an ActionTec MI424-WR Rev. F

I went to my firewall settings and set it to medium (Inbound: Reject and Outbound: Allow). It's been on this setting since I've had it and I still get hit. How can I harden it any further?
« Last Edit: May 06, 2011, 12:42:56 AM by shoober420 »

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Block DDOS Attacks
« Reply #8 on: May 06, 2011, 03:25:20 AM »
Unfortunately, the manual for your router is pretty vague about the configuration for handling these event types. The only reference I found is with relation to the settings for the security log (see image). This leaves two possibilities that I can see:

1. Protection for these types of attack is already enabled by default
2. You have to create an advanced filter.

I have no idea which option is correct, maybe you can find some help from the router supplier.

If you are suffering from some kind of attack, make sure you capture the data in the router logs and then contact your ISP with the details. If the problem is severe they may be able to block the traffic.

One final question, what makes you think you're under attack?
 

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #9 on: May 06, 2011, 08:55:36 AM »
Your router can be and possibly is hacked. Have a read here: http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/. Don't panic after reading it, but if possible think about upgrading your router.

Make sure NAT and Stateful Inspection on the router are turned on. Stateful Inspection is not turned on by default for many routers; you have to manually set it on. Look in the Security section of your router's GUI. While in the stateful inspection settings, check for a DoS (denial of service) blocking option and ensure it is turned on.

Finally, check if the router supports the creation of a "honeypot" default server. At the router level, all this amounts to is assigning a dummy unused IP address within your router's predefined DHCP range to receive all unsolicited inbound WAN side connections. [Edit] For example, my default router DHCP range is 192.168.1.1 - 192.168.1.253. My router's gateway address is 192.168.1.254 and the router's broadcast address is 192.168.1.255. In this configuration, I assigned 192.168.1.253 as my default server. [End Edit] This option worked wonders on my router. Since implementing it, my blocked ICMP count went from over 1000 to less than 100. My blocked TCP connections went from many 1000s to 0. All port scans and ping attacks are immediately shut down. And, my browsing speed has increased dramatically.
« Last Edit: May 06, 2011, 05:58:19 PM by DonZ »

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #10 on: May 06, 2011, 07:01:03 PM »
Quote from: shoober420
I have an ActionTec MI424-WR Rev. F

OK. I just got done reading the manual for your router - all 250+ pages - Jeez!

Denial of service protection is automatic in your router. No special setting needed.

Your router's gateway address is 192.168.1.1. Your assignable DHCP range is 192.168.1.2 - 192.168.1.254. I am assuming you are using DHCP. For this discussion, I assume you have one PC connected to the router and DHCP assigns it the first available address, 192.168.1.2.

If all you do is normal web surfing and e-mail, I would consider bumping up your firewall security level to maximum. Note that if you do any P2P stuff, etc., you will have to write custom rules to allow that at the maximum security level.

Stateful inspection on your router is controlled at the firewall rule level - jeez again! When the rule is set to the "accept" option, it sets on stateful inspection for that rule only. Kind of clunky in my opinion.

The only way I see of setting up a "default honeypot server" for your router would be to use the DMZ option. The way your manual reads, it is unclear whether the DMZ has to be an actual physical device. Then you would have to add a rule to your firewall rules to direct all unmatching traffic to 192.168.1.254, assuming that is the address you use for the DMZ server. Best to get some help here from an expert on your router.

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #11 on: May 07, 2011, 08:46:17 AM »
Thanks for all the replies guys. When I set my firewall to maximum, it blocks everything. I can't get on Google or anything. I don't see stateful inspection anywhere under firewall settings, and under the DMZ Host it says "allow your computer to be fully exposed to the internet" and I don't think I want that. Where can I find stateful inspection and how can I let traffic out when I'm under maximum security?

Oh, and how I know I'm getting attacked is I'll be threatened while playing online games and lose connection for about 5 minutes.

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #12 on: May 07, 2011, 09:59:26 AM »
Quote from: DonZ
Stateful inspection on your router is controlled at the firewall rule level. When the rule is set to the "accept" option, it sets on stateful inspection for that rule only. Kind of clunky in my opinion.

Again, your firewall sets Stateful Inspection options only at the firewall rule. If I recollect from reading your manual, you cannot see the rules your router firewall generated unless it's set to maximum level?

Bottom line - your router is not what I would call a "user friendly" one.

On my old Netopia 3347 router, the firewall is always set to "max" when I select it to run in full stealth mode. I then will have to create pinholes or exception rules to allow inbound P2P activity like games. It does assist in that by having a number of preset game settings already set up. Unfortunately, the router is so old most of the games it has predefined are obsolete.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Block DDOS Attacks
« Reply #13 on: May 07, 2011, 11:25:25 AM »
Actually, all the rules are changeable but the defaults have been set by Verizon. You also, as I mentioned in my earlier post, have the ability to set advanced filters for the firewall.

With regard to stateful inspection, this is the province of the firewall. Essentially, SPI means that when a packet is received, the firewall will compare it with requests made by applications/processes. If a match is not found the packet is dropped.
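The stateful inspection behaviour described in the post above, as an added example that is not part of the original thread or of any router's firmware: a toy flow table that accepts an inbound packet only when it is the reverse of a recent outbound request. The class and function names, the 60-second idle timeout and the sample addresses are assumptions made for illustration, and NAT address translation is left out.

```python
import time
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Toy model of stateful inspection; NAT translation is left out (assumption)."""

    def __init__(self, idle_timeout=60.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.flows = {}  # outbound flow -> time it was last seen

    def outbound(self, pkt):
        # A LAN host made a request: record it so the reply is expected.
        self.flows[pkt] = self.clock()
        return "accept"

    def inbound(self, pkt):
        # A reply is the recorded flow with source and destination swapped.
        key = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(key)
        if seen is None:
            return "drop"  # nothing on the LAN asked for this packet
        if self.clock() - seen > self.idle_timeout:
            del self.flows[key]
            return "drop"  # the request is too old, its state has expired
        self.flows[key] = self.clock()
        return "accept"

def demo():
    now = [0.0]  # fake clock so the timeout case is repeatable
    fw = StatefulFilter(idle_timeout=60.0, clock=lambda: now[0])
    pc, game = "192.168.1.2", "203.0.113.10"  # constructed sample addresses
    fw.outbound(Packet("udp", pc, 50000, game, 27015))
    verdicts = [
        fw.inbound(Packet("udp", game, 27015, pc, 50000)),            # reply
        fw.inbound(Packet("udp", "198.51.100.7", 27015, pc, 50000)),  # stranger
        fw.inbound(Packet("tcp", game, 27015, pc, 50000)),            # wrong protocol
    ]
    now[0] = 200.0
    verdicts.append(fw.inbound(Packet("udp", game, 27015, pc, 50000)))  # stale
    return verdicts
```

Calling `demo()` returns one verdict per inbound packet. A dropped packet has still crossed the WAN link by the time the filter sees it, which is why the earlier advice in this thread to take router logs to the ISP matters for floods.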

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #14 on: May 07, 2011, 07:23:39 PM »
From my experience when my router got hacked, the prognosis is not good. I would do a hard reset on the router, then reset my admin password with a strong one, and the problem would disappear for a couple of days. Then the hackers, usually out of Beijing, would reappear. Once you are pegged as a bot site, they will never leave you alone. Only thing that worked for me was to create the "honeypot" default server I described previously. Now when those turkeys land on my router, they are redirected to a non-existent device and time out and die.

You might consider adding a good router, not one on Heffner's list that are vulnerable to DNS rebind attacks, behind your existing router. Make sure the new router supports the creation of a non-existent default server. You can then configure your existing router to pass through. There are posts on the Verizon forum on how people did this when they got fed up with the problems your particular router model was causing them.

 
