Topic: Attack Detection Settings (Read 707 times)
patrice58 (Computer Security Testing Group, Comodo Loves me, Posts: 130)
Attack Detection Settings « on: December 09, 2007, 02:41:52 PM »
In the A.D.T tab, you see the protect the ARP cache setting but there is nothing in the help files telling you what it is, and if you should tick the box or not, so my question is what is the ARP cache and should I tick the setting or not?
In the default settings is the block fragmented IP address ticked or not, because in the help files it said it was ticked by default but in mine it was not, and in the firewall it said it should be disabled, so I am confused as to if I should or should not tick it?

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #1 on: December 09, 2007, 02:44:04 PM »
I second that,
I would like to know too what those options really are and what they do, especially that ARP cache one

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #2 on: December 09, 2007, 03:18:27 PM »
patrice58
to answer one question you asked, Block fragmented is not ticked by default.
I set my CFP 3 up using the default options and mine is not ticked, along with the other boxes, one being ARP cache.
but I saw your post and I would like to know too what those options are, what they are good for, what extra security benefits they add if ticked and who should tick them.
(my setup is, I have cable broadband, am behind a router and have one PC connected to it with wireless disabled)
« Last Edit: December 09, 2007, 03:20:43 PM by Ron_75 »

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #3 on: December 09, 2007, 05:49:03 PM »
Hi patrice58
I enabled Block fragmented IP Datagrams and Do Protocol Analysis after reading what it says about them in the help file, and thought it sounded like a useful idea to enable them since it protects one from malicious stuff on the net like fake packets
Quote
Block fragmented IP Datagrams
When a connection is opened between two computers, they must agree on a Mass Transmission Unit (MTU). IP Datagram fragmentation occurs when data passes through a router with an MTU less than the MTU you are using, i.e. when a datagram is larger than the MTU of the network over which it must be sent, it is divided into smaller 'fragments' which are each sent separately. Fragmented IP packets can create threats similar to a DOS attack. Moreover, these fragmentations can double the amount of time it takes to send a single packet and slow down your download time.
Comodo Firewall Pro is set by default to block fragmented IP datagrams, i.e. the option Block Fragmented IP datagrams is checked by default.
it's not enabled by default but I enabled that ^
Quote
Do Protocol Analysis
Protocol Analysis is key to the detection of fake packets used in denial of service attacks. Checking this option means Comodo Firewall Pro checks every packet conforms to that protocol's standards. If not, then the packets are blocked
the other two, that --> Do Packet Checksum Verification and --> Monitor other NDIS protocols than TCP/IP ain't worth enabling because it says it will drastically slow your internet connection down and consumes a lot of resources, and the help guide recommends it best not enabling them for home users.
as for Protect the ARP, I enabled that one too. I did a bit of googling about what it is and this is what it is, although I don't understand it lol
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
but I clicked through a couple and I can't say it made much sense or anything to me lmao
anyway once you enable Protect the ARP, another option that you can enable will appear beneath it called block gratuitous ARP frames, which I googled and came up with this below in the quote
Quote
Sometimes network resources including IP address, MAC address, and hostname could be misused for the weakness of TCP/IP protocol suite and the deficiency of network management. Therefore, there is urgent need to solve the problems from the viewpoint of network management and operation. In this paper, we propose a network blocking algorithm based on ARP spoofing and evaluate the robustness of this algorithm via various experiments. We have performed several experiments on the gratuitous ARP exchange and IP address conflict detection in order to identify the robustness of the network blocking algorithm under both homogeneous and heterogeneous operating system.
link ^ --> http://www.springerlink.com/content/w22cg0d82cnjh3u8/
anyway I enabled block gratuitous ARP frames as well and am typing this, so it means my connection ain't affected. From what I read that I could make any sense of, if you enable that stuff too then try and see if you're still able to download things fine; if you have any probs with downloading stuff, particularly through FTP download clients, then it might be because of enabling that stuff which I have enabled. I'm gonna try downloading a few things in a while and see if it goes fine; if I have trouble downloading things since I've enabled those security options then I'll report back and let you know
« Last Edit: December 09, 2007, 05:56:28 PM by Ron_75 »

patrice58 (Computer Security Testing Group, Comodo Loves me, Posts: 130)
Re: Attack Detection Settings « Reply #4 on: December 09, 2007, 05:54:58 PM »
Thanks, I have Do Packet Checksum Verification and it has not slowed down my browsing at all, so try it and see what happens? (my setup is I am connected via an ADSL wireless router with wireless enabled)
« Last Edit: December 09, 2007, 06:02:46 PM by patrice58 »

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #5 on: December 09, 2007, 06:00:21 PM »
Quote from patrice58
Thanks I have Do Packet Checksum Verification and it has not slowed down my browsing at all so try it and see what
Yep, best thing is to try it. Do packet checksum, I read what it does is when you're being sent a packet it has a signature that confirms the size of the packet, and having "Do Packet Checksum Verification" enabled means the firewall will check the packet to make sure it's not been altered or changed, so for instance if a hacker was to intercept the packet you're receiving and try to send you a fake packet to do you harm, your firewall will not accept it. so that one is definitely a good idea having enabled

patrice58 (Computer Security Testing Group, Comodo Loves me, Posts: 130)
Re: Attack Detection Settings « Reply #6 on: December 09, 2007, 06:05:15 PM »
Check out this link for any questions you might have about ARP
http://www.geocities.com/SiliconValley/Vista/8672/network/arp.html
tho after reading it I am no nearer to understanding it ah well........................
« Last Edit: December 09, 2007, 06:07:52 PM by patrice58 »

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #7 on: December 09, 2007, 06:13:57 PM »
Quote from patrice58
Check out this link for any questions you might have about ARP
http://www.geocities.com/SiliconValley/Vista/8672/network/arp.html
tho after reading it I am no nearer to understanding it ah well........................
Thanks
that was one of the sites I found and I read what is an ARP, umm I didn't understand a word though hehe. I've bookmarked the site though so thanks for the link
I will read through it and I hope I can understand it, especially what is an ARP, which it says is
Quote
What is ARP?
Address Resolution Protocol (ARP) is a network protocol, which maps a network layer protocol address to a data link layer hardware address. For example, ARP is used to resolve IP address to the corresponding Ethernet address.
<-- that but I'm like huh? lol
btw I am downloading a 900MB divx movie using Free download manager, an FTP client downloader, and it's downloading it, so no probs so far
I've noticed one difference: the movie is downloading at 650KB/s, usually it downloads at 450KB/s tops, maybe something I enabled or all of them is having a tremendous benefit, or maybe Stage6 servers have hardly anyone watching or downloading any movies off them at the moment lol.
so far all good though
any probs I suddenly encounter I'll be sure to update and let you know
P.S. the PC is consuming a fair bit of cpu% now and is a bit laggy, but nothing I'm bothered by, everything else seems to be running perfectly. browsing seems a bit faster and the download too, and I selected a big file to download lmao. seems pretty faster than usual
and I was watching a divx movie a bit via Windows media player. the response and performance of my computer didn't seem affected, just those things do seem a bit system resources intensive. but not so much that it has a great effect and should bother one
« Last Edit: December 09, 2007, 06:20:44 PM by Ron_75 »

patrice58 (Computer Security Testing Group, Comodo Loves me, Posts: 130)
Re: Attack Detection Settings « Reply #8 on: December 09, 2007, 06:15:26 PM »
Nice one bro, and likewise if I have any problems I'll let you know

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #9 on: December 09, 2007, 06:38:47 PM »
oops sorry my bad
Quote
Do Protocol Analysis
Protocol Analysis is key to the detection of fake packets used in denial of service attacks. Checking this option means Comodo Firewall Pro checks every packet conforms to that protocol's standards. If not, then the packets are blocked
^ that checks to make sure the packet is not fake and I think not corrupt too, which is good and is not resource intensive.
Quote
Do Packet Checksum Verification
Every packet of data sent to your machine has a signature attached. With this option enabled, Comodo Firewall Pro will recalculate the checksum of the incoming packet and compare this against the checksum stated in the signature. If the two do not match then the packet has been altered since transmission and Comodo Firewall Pro will block it. Although this feature has security benefits it is also very resource intensive and your internet connection speed may take a large hit if checksum verification is performed on each packet. This feature is intended for use by advanced users and Comodo advise most home users not to enable this feature.
^ and that one, well it says what it is. but every download contains a signature, so when you're receiving the file, if suddenly the firewall detects the signature number no longer matches then it will dispense with the file and stop downloading it. something similar to DC++ or direct connect peer 2 peer apps, they had that feature which was useful, it saved the hassle of downloading something only for it to turn out to be a fake or corrupt file or some hacked file, or worse a file that contains a trojan. that is useful to enable. I haven't, cause I think it will slow my connection down quite a fair bit and prolong any downloads since it will be checking the file at intermittent intervals while it's downloading, plus it will be a bit too intensive for my PC system resources, but if you've enabled it and your connection and PC can handle it well then that's good
I might enable it later and see if it's worth it for me
« Last Edit: December 09, 2007, 06:41:29 PM by Ron_75 »
Logged
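Added example, not part of the thread and not Comodo's code: a sketch of what the two help-file settings quoted above check in an IPv4 header, namely the fragment fields (More Fragments flag, fragment offset) and the header checksum. The function names, the `192.0.2.10` address and the sample headers are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src, dst, ident, more_fragments=False, frag_offset=0):
    """Constructed sample: 20-byte IPv4 header (TCP, TTL 64) with a valid checksum."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, ident, flags_frag,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def inspect_header(packet: bytes) -> dict:
    """Extract the fields the two settings care about; payload is not needed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    return {
        "more_fragments": bool(flags_frag & 0x2000),
        "offset_bytes": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        # Summing a header that includes a correct checksum yields 0xFFFF,
        # so the complemented result is 0.
        "checksum_ok": inet_checksum(packet[:ihl]) == 0,
    }

def verdict(packet, block_fragments=True, verify_checksum=True):
    """Hypothetical policy mirroring the two checkboxes discussed in the thread."""
    info = inspect_header(packet)
    if verify_checksum and not info["checksum_ok"]:
        return "drop: bad header checksum"
    if block_fragments and (info["more_fragments"] or info["offset_bytes"]):
        return "drop: fragment"
    return "allow"

# Constructed samples (headers only).
SRC, DST = "123.123.123.123", "192.0.2.10"
WHOLE = build_header(SRC, DST, ident=1)
FIRST_FRAG = build_header(SRC, DST, ident=2, more_fragments=True)
LAST_FRAG = build_header(SRC, DST, ident=2, frag_offset=185)
CORRUPT = WHOLE[:8] + bytes([WHOLE[8] ^ 0x01]) + WHOLE[9:]   # TTL bit flipped

if __name__ == "__main__":
    for name, pkt in [("whole", WHOLE), ("first fragment", FIRST_FRAG),
                      ("last fragment", LAST_FRAG), ("corrupt", CORRUPT)]:
        print(f"{name:15s} {verdict(pkt)}")
```

The Internet checksum is an error-detection code with no key: it catches corruption in transit, but anyone who rewrites a header can recompute it.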

patrice58 (Computer Security Testing Group, Comodo Loves me, Posts: 130)
Re: Attack Detection Settings « Reply #10 on: December 09, 2007, 08:05:46 PM »
That's ok and thanks. The only thing on that tab I don't have ticked is the monitor other NDIS protocols than TCP/IP. Version 2 of the firewall had block all outgoing connections until the firewall was enabled, which was great, but with this version it's erm slightly different let's say, as there is no menu for that in V.3 nor does it do that, which is a crying shame, but hey two steps forward one step back and all that

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #11 on: December 09, 2007, 08:17:57 PM »
Same here, only that last option, NDIS protocols than TCP/IP, I haven't ticked. I ticked the Do Packet Checksum Verification as well, it seems that one is useful too since it will check ingoing and outgoing packets to make sure they are safe.
I must say after ticking all these options, I've suddenly noticed this increase of quickness and smoothness, and everything snaps up real quick when I click it, from a webpage to just how everything on winxp is performing that much quicker and smoother
including the firewall when I open it and click through the tabs; before it was kinda sluggish and would refresh like a jagged puzzle and take a sec. now it still refreshes like a jagged puzzle hehe but only takes half a sec to refresh now. So I'm pleased, those options seem cool.
btw ARP, I read a bit on that site you pasted, it says ARP is to do with obtaining and renewing an IP over a network. so in case you have any probs with your adsl renewing its IP at any time, you may want to untick ARP just to see if that's what is preventing it renewing and obtaining a new IP over your ISP local network. something to keep in mind just in case

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #12 on: December 09, 2007, 08:33:27 PM »
Quote
Version 2 of the firewall had block all outgoing connections until the firewall was enabled which was great, but with this version it's erm slightly different let's say as there is no menu for that in V.3
You're right
I didn't notice that, I noticed V2 had that setting in its menu, I thought this one had it too. So I just clicked through each setting in each tab of the firewall and didn't see any of that in there

Toggie (Global Moderator, Comodo's Hero, Posts: 1256)
Re: Attack Detection Settings « Reply #13 on: December 10, 2007, 12:43:33 AM »
Just so as you know. You don't need NDIS (Network Driver Interface Specification) unless you need support for protocols other than TCP/IP, such as IPX/SPX or NetBEUI. If you only use the Internet, leave it unchecked.
ARP (Address Resolution Protocol) is a protocol used to map IP Addresses to MAC addresses. For example, you enter a URL:
www.xyz.com
This needs to be mapped to an IP Address (DNS):
123.123.123.123
This then needs to be mapped to a MAC Address (the physical address of a network adapter). This is what ARP does. The reason for this is simply that communication between two devices on a network uses the unique MAC address for identification.
00-0C-76-1E-4E-70
Toggie
One man alone can be pretty dumb sometimes, but for real bona fide stupidity, there ain't nothin' can beat teamwork.
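Added example, not part of the thread and not Comodo's implementation: a sketch of the IP-to-MAC mapping described above and of the kind of checks that "Protect the ARP cache" and "block gratuitous ARP frames" suggest, flagging gratuitous frames, unsolicited replies and attempts to rebind a known IP. The `ArpMonitor` class, its policy and the second MAC and host IP are assumptions constructed for illustration; the gateway IP and MAC reuse the sample values from the post.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP
REQUEST, REPLY = 1, 2

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace("-", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample: 28-byte ARP payload for Ethernet/IPv4."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op,
            "sender_mac": "-".join(f"{b:02X}" for b in sha),
            "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa)}

class ArpMonitor:
    """Hypothetical policy: learn a binding only from clean frames, never overwrite."""
    def __init__(self):
        self.cache = {}        # IP -> MAC bindings accepted so far
        self.pending = set()   # IPs this host has sent an ARP request for

    def sent_request(self, ip):
        self.pending.add(ip)

    def observe(self, payload):
        arp = parse_arp(payload)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        findings = []
        if ip == arp["target_ip"]:                      # announces its own address
            findings.append("gratuitous")
        elif arp["op"] == REPLY and ip not in self.pending:
            findings.append("unsolicited-reply")        # nobody asked for this answer
        if ip in self.cache and self.cache[ip] != mac:
            findings.append("binding-changed")          # known IP, different MAC
        if not findings:
            self.cache[ip] = mac
            self.pending.discard(ip)
        return findings

GATEWAY_IP, GATEWAY_MAC = "123.123.123.123", "00-0C-76-1E-4E-70"   # values from the post
HOST_IP, HOST_MAC = "123.123.123.10", "02-00-00-00-00-10"          # constructed
OTHER_MAC = "02-00-00-00-00-99"                                    # constructed

def demo():
    mon = ArpMonitor()
    mon.sent_request(GATEWAY_IP)
    frames = [
        build_arp(REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),            # solicited
        build_arp(REPLY, OTHER_MAC, GATEWAY_IP, "FF-FF-FF-FF-FF-FF", GATEWAY_IP),  # gratuitous
        build_arp(REPLY, OTHER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),              # unsolicited
    ]
    return [mon.observe(f) for f in frames], dict(mon.cache)

if __name__ == "__main__":
    print(demo())
```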

Ron_75 (Comodo's Hero, Posts: 322)
Re: Attack Detection Settings « Reply #14 on: December 10, 2007, 09:42:16 AM »
Thanks Toggie