Author Topic: Block DDOS Attacks  (Read 26751 times)

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #15 on: May 08, 2011, 01:27:20 AM »
Ok, when I enable maximum security on my firewall, no traffic gets through. I can't even get on the internet. I also see no other options reappear when I set maximum security, unless I'm not looking in the right spots. Where is Stateful Inspection after I enable maximum security? And how can I access the internet after I enable maximum security? Do I have to make rules under Advanced Filtering when I enable maximum security? And should I even bother? Should I just get a different modem/router? Is there just a simple FiOS modem I can buy that isn't a router and split it with a hub?

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Block DDOS Attacks
« Reply #16 on: May 08, 2011, 02:41:46 AM »
The attack protection mechanisms are enabled by default and SPI can be controlled through the use of Advanced filters, but appears to be enabled by default.

I'd suggest you take a look at my earlier post Re: Block DDOS Attacks and enable the logging of the flood items, at the least. This will allow you to capture any potential useful information, which may be useful for further investigation.

With regard to the Advanced filters, personally, I'm not sure you're going to gain a great deal in this area. However, if you can capture the IP addresses of the attacker, you could create a filter that would drop the packets from this address.

Changing your router is an option, but hardly necessary, and removing a router altogether is not a good move in terms of security. You could, potentially, change the firmware (http://www.dd-wrt.com/wiki/index.php/MI424WR or http://wiki.openwrt.org/toh/actiontec/mi424wr), but your router doesn't seem very user friendly in this.

« Last Edit: May 08, 2011, 03:24:38 AM by Radaghast »
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #17 on: May 08, 2011, 10:36:26 AM »

Below is what your router manual states about "maximum" firewall settings. The default firewall rules should allow for basic surfing, i.e. TCP ports 80 and 443. Note that you must select the Access Control option.

Now if you received your router from Verizon, it is possible the ISP has modified the firmware to "cripple" or modify the manufacturer's default settings.

FiOS Router User Manual
© 2010 Verizon. All Rights Reserved.

6.3a Allow or Restrict Services

To view and allow/restrict these services:

Select 1. Access Control from the left side of any Security screen. The “Access Control” screen appears.
Note: The “Allowed” section is only visible when the firewall is set to “Maximum.”

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #18 on: May 10, 2011, 06:32:26 AM »
Thanks, I can now access the internet through maximum security mode. I had to create a rule under Access Control to let me out. How do I create a honeypot server?

I seem to have the latest firmware (20.10.7.5), but I just checked my security logs and found something very disturbing. It seems that someone by "WBM user unknown (0.0.0.0)" has changed my router settings 54 times on May 8th and 142 times on May 9th. What should I do? Does someone have access to my router? And why can't I see their IP? Are they under a proxy?
« Last Edit: May 10, 2011, 06:47:45 AM by shoober420 »

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #19 on: May 10, 2011, 10:07:21 AM »
Check out this posting: http://www.dslreports.com/faq/16142. It further elaborates on Heffer's router vulnerability research. Your router series has at least 10 known vulnerabilities.

There is a separate forum section at DSL Reports for Verizon FiOS: http://www.dslreports.com/forum/vzfiber. I am sure someone there can answer your ActionTec router specifics.
« Last Edit: May 10, 2011, 10:08:56 AM by DonZ »

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #20 on: May 10, 2011, 11:21:30 AM »
Ok, I'll check out those sites. But do you think someone is hacking my router? It says that an unknown user has changed my settings many times, but my settings seem the same. What is going on?

And can one of you show me how to set up an advanced filter?
« Last Edit: May 10, 2011, 11:32:20 AM by shoober420 »

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #21 on: May 10, 2011, 02:18:31 PM »
I only saw direct evidence once of my router being hacked. In that instance, the hacker turned off the router firewall. I wasn't using an admin password for the router then. That episode made me a firm believer in assigning strong admin passwords to routers.

The subsequent attempts were more subtle and are what I described previously: attempts to use my router's bandwidth by hacking the WAN side of the router with IP addresses similar to my ISP-assigned address. Almost always these were connects to non-US IP addresses in Europe or SE Asia. There were also attempts to work through my localhost 127.0.0.0/255.0.0.0 address range. Of course the port of choice was 445.

Before you reach the rabid paranoid stage, ensure that the id you are seeing in your log is not your ISP connecting to your router. ISPs do things like that multiple times a day. Your router firmware will also periodically dial out to a preset server to sync its internal clock, etc.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Block DDOS Attacks
« Reply #22 on: May 10, 2011, 09:39:08 PM »
Thanks, I can now access the internet through maximum security mode. I had to create a rule under Access Control to let me out. How do I create a honeypot server?

I seem to have the latest firmware (20.10.7.5), but I just checked my security logs and found something very disturbing. It seems that someone by "WBM user unknown (0.0.0.0)" has changed my router settings 54 times on May 8th and 142 times on May 9th. What should I do? Does someone have access to my router? And why can't I see their IP? Are they under a proxy?

As far as I know, "WBM" is Web Based Management and the IP address 0.0.0.0 is known as the default route, so it's unlikely these are external events. More likely they are something to do with the configuration of the router, possibly something to do with firmware update checking.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
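As an added example (not from this thread or the router vendor), the triage below runs over constructed log lines loosely modelled on the events DonZ and Radaghast describe: configuration changes logged from 0.0.0.0, 127.0.0.0/8 sources arriving on the WAN side, and port 445 probes. The log format, field names and addresses are assumptions, not the MI424WR's actual log syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real router output) modelled on the thread's events.
SAMPLE_LOG = """\
2011-05-08 03:10:02 WBM user unknown (0.0.0.0) changed configuration
2011-05-08 03:11:47 WBM user unknown (0.0.0.0) changed configuration
2011-05-09 14:22:09 Inbound blocked WAN src=127.0.0.5 dpt=445 proto=TCP
2011-05-09 14:22:10 Inbound blocked WAN src=203.0.113.77 dpt=445 proto=TCP
2011-05-09 14:30:00 Inbound blocked WAN src=198.51.100.9 dpt=80 proto=TCP
"""

WBM_RE = re.compile(r"WBM user (?P<user>\S+) \((?P<ip>[\d.]+)\)")
INBOUND_RE = re.compile(r"WAN src=(?P<src>[\d.]+) dpt=(?P<dpt>\d+)")

# Address ranges that can never legitimately be the source of a packet arriving
# from the internet: unspecified, loopback, RFC 1918 private and link-local.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

def is_bogon(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in BOGON_NETS)

def classify(line: str) -> str:
    """Return a triage label for one log line."""
    m = WBM_RE.search(line)
    if m:
        # 0.0.0.0 is the unspecified address, not a routable remote host, so a
        # WBM change attributed to it is the router's own management process.
        ip = ipaddress.ip_address(m.group("ip"))
        return "local-management" if is_bogon(ip) else "remote-management"
    m = INBOUND_RE.search(line)
    if m:
        src = ipaddress.ip_address(m.group("src"))
        if is_bogon(src):
            return "spoofed-source"   # e.g. the 127.0.0.0/8 attempts on the WAN side
        if m.group("dpt") == "445":
            return "smb-probe"
        return "blocked-inbound"
    return "unparsed"

def triage(log: str) -> dict:
    """Count labels and list routable WAN sources by frequency; that list is the
    input for a drop filter of the kind suggested earlier in the thread."""
    labels, sources = Counter(), Counter()
    for line in log.splitlines():
        label = classify(line)
        labels[label] += 1
        m = INBOUND_RE.search(line)
        if m and label in ("smb-probe", "blocked-inbound"):
            sources[m.group("src")] += 1
    return {"labels": dict(labels), "top_sources": [ip for ip, _ in sources.most_common()]}
```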

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #23 on: May 12, 2011, 04:16:16 PM »
Ok, that makes me feel a lot better. I'm already planning on asking Verizon for a regular modem instead of a router, and just use a hub. That would be the safest route. But in the meantime, can one of you show me how to do a honeypot server and set up my advanced filter?

Also, how can I tighten my WAN just in case someone is stealing my bandwidth?
« Last Edit: May 12, 2011, 04:18:10 PM by shoober420 »

Offline DonZ

  • Comodo's Hero
  • *****
  • Posts: 430
Re: Block DDOS Attacks
« Reply #24 on: May 13, 2011, 08:00:06 PM »
Below are the advanced security recommendations for my router. Perhaps you can extrapolate to your router. I do suggest you search forums that support your particular router. I do not recommend doing No. 1 below if you plan on viewing your router settings through your browser. You won't be able to if you do No. 1.

No. 3 details how to create a default server on my router to trap all non-solicited connections.

How do I configure advanced security settings?

These instructions are written for Cayman software version 6.3. The same functions can be accomplished in older releases, as well, but the step-by-step instructions would differ.

1) Disable WAN administration to prevent outsiders from gaining control of your LAN:
Connect to the Cayman as 'admin'. Select Configure, then WAN, then "your connection type" (in the "WAN IP Interfaces" box). Then, in the Restrictions control, select "Admin Disabled". Then, you should get a yellow warning icon in the top right of your browser window. Click it, then click the thing that comes up to save your changed settings and restart the Cayman.

2) If WAN administration is not to be disabled, change the name of the SNMP community from the default of 'Public', again to prevent outsiders from gaining control of your LAN:

Connect as 'admin', select Configure, then Advanced, then SNMP (in the Services box). In 'Communities', type a name that only you will know. Just about anything, e.g., 'housebat' or some such nonsense. Click the Add button. Then, select the 'Public' entry and click the Delete button. Save the settings and restart the Cayman.

3) Enable a non-existent default server to trap any unwanted outside server requests:
Connect as 'admin', select Configure, then Advanced, then Default Server (in the NAT box). Check the 'Enable Default Server' box and enter an IP address in the 'NAT Server IP Address' box. The IP should be within your DHCP range, but one that would never be assigned to an actual computer, e.g., 192.168.1.253. Click the Submit button. Save the settings and restart the Cayman.

Offline shoober420

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Block DDOS Attacks
« Reply #25 on: May 14, 2011, 03:33:52 PM »
Ok, thanks DonZ and Radaghast for all your help. I feel way more secure now.
