Block DDOS Attacks

Hello,
I am wondering how I can block DDoS attacks with Comodo Firewall. I have been threatened before (while playing online games) and lost my internet for only 5 minutes, then it came back on. I know there are different types of DDoS attacks and am curious if Comodo can stop some of them so I can be protected.

By default this is enabled in CIS/CFW.
It was an option in 3.x and I believe it was decided to make it the default in 4.x/5.x.

Enable "Do Protocol Analysis" for extra protection against DDoS attacks
(CIS > Firewall > Firewall Settings > Advanced) ~ this may slow down your internet connection.

Tip: you may want to use Custom Policy Mode for better control and security

Note: Your hardware firewall may need configuring as well, as they could clog it with packets.

Kind Regards :slight_smile:

Jake

I use Custom Policy and have every single thing under Behavior Settings checked (protect ARP cache etc.). I have created rules for all my games and programs (block everything in, let everything out) and can't figure out how they can still do this. I do have a firewall on my router. It's set to medium (Inbound: Reject and Outbound: Allow). Is there a setting I forgot to change for my router firewall?

It could be with your hardware firewall/router… Let me let one of the Mr. Miyagis of networking take a look at this thread; they have more insight and knowledge of such topics.

(May take a day or 2 from them to respond)

Kind Regards :slight_smile:

OK. Just so you know, I pass every GRC ShieldsUP test.

Quite often routers have a setting that allows rate filtering for ICMP and SYN floods. There should be something in the router documentation regarding this. What is the router make and model?

The DDoS attack is directed against your router, not your PC. A router has two network interfaces, one inward facing (same IP address range as your PC) and one outward facing (publicly accessible IP address assigned by your ISP). The only one of these that gets exposed to the internet (and therefore to the attack) is the outward-facing address.

You need to look at, and harden (if possible), the router's firewall inbound rules.

HTH
Ewen :slight_smile:
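The "rate filtering for ICMP and SYN floods" mentioned above is, on most home routers, a per-source token bucket: each outside address may send a small burst of SYNs or echo requests, after which packets are dropped until the bucket refills. The following Python model is an added example for this thread, not firmware from Actiontec, Comodo or any other vendor; the packet stream, the limits (5 SYN/s with a burst of 10, 2 pings/s with a burst of 4) and the source addresses are constructed for illustration.

```python
"""Per-source rate filtering for ICMP echo and TCP SYN floods (added example).

Models the rate-filter option on a home router: one token bucket per
(source address, packet kind). The packet stream, limits and addresses
below are constructed for the example and are not from any real device.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, capped at `burst`."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)   # a fresh source may send one full burst
        self.last = 0.0

    def allow(self, now):
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FloodFilter:
    # Assumed limits: (sustained packets/second, burst). Real routers expose
    # these as "SYN flood" / "ICMP flood" thresholds with vendor-specific names.
    LIMITS = {"syn": (5, 10), "icmp": (2, 4)}

    def __init__(self):
        self.buckets = {}
        self.stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})

    @staticmethod
    def classify(pkt):
        """Only connection-opening packets are rate limited here."""
        if pkt["proto"] == "icmp" and pkt.get("type") == 8:   # echo request
            return "icmp"
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S":  # bare SYN
            return "syn"
        return None

    def filter(self, pkt):
        kind = self.classify(pkt)
        if kind is None:
            return True   # not flood-relevant; the normal rule set decides
        key = (pkt["src"], kind)
        bucket = self.buckets.get(key)
        if bucket is None:
            rate, burst = self.LIMITS[kind]
            bucket = self.buckets[key] = TokenBucket(rate, burst)
        ok = bucket.allow(pkt["t"])
        self.stats[key]["allowed" if ok else "dropped"] += 1
        return ok


def build_stream():
    """Constructed traffic: one polite peer, one flooding source."""
    pkts = []
    # Legitimate peer: a single SYN, then data packets every 0.5 s.
    for i in range(10):
        pkts.append({"t": i * 0.5, "src": "203.0.113.10", "proto": "tcp",
                     "flags": "S" if i == 0 else "A"})
    # Attacker: 200 SYNs inside one second, then 50 pings inside one second.
    for i in range(200):
        pkts.append({"t": 1.0 + i * 0.005, "src": "198.51.100.77",
                     "proto": "tcp", "flags": "S"})
    for i in range(50):
        pkts.append({"t": 2.0 + i * 0.02, "src": "198.51.100.77",
                     "proto": "icmp", "type": 8})
    return sorted(pkts, key=lambda p: p["t"])


def run(stream=None):
    """Push a stream through the filter; return per-(src, kind) counters."""
    flt = FloodFilter()
    for pkt in (stream or build_stream()):
        flt.filter(pkt)
    return {k: dict(v) for k, v in flt.stats.items()}


if __name__ == "__main__":
    for (src, kind), counts in sorted(run().items()):
        print(f"{src:15} {kind:4} allowed={counts['allowed']:3} dropped={counts['dropped']:3}")
```

The legitimate peer's single SYN passes untouched, while the flooding source gets its first burst through and then loses almost everything. Note what this does not do: a SYN flood with spoofed source addresses spreads its packets over many buckets, which is why the rate filter on a router helps against a single noisy host far more than against a distributed attack.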

I have an ActionTec MI424-WR Rev. F

I've gone to my firewall settings and set it to medium (Inbound: Reject and Outbound: Allow). It's been on this setting since I've had it and I still get hit. How can I harden it any further?

Unfortunately, the manual for your router is pretty vague about the configuration for handling these event types. The only reference I found is in relation to the settings for the security log (see image). This leaves two possibilities that I can see:

  1. Protection for these types of attack is already enabled by default.
  2. You have to create an advanced filter.

I have no idea which option is correct, maybe you can find some help from the router supplier.

If you are suffering from some kind of attack, make sure you capture the data in the router logs and then contact your ISP with the details. If the problem is severe they may be able to block the traffic.

One final question, what makes you think you’re under attack?


Your router can be, and possibly is, hacked. Have a read here: "Millions" Of Home Routers Vulnerable To Web Hack. Don't panic after reading it, but if possible think about upgrading your router.

Make sure NAT and Stateful Inspection on the router are turned on. Stateful Inspection is not turned on by default for many routers; you have to manually set it on. Look in the Security section of your router's GUI. While in the stateful inspection settings, check for a DoS (denial of service) blocking option and ensure it is turned on.

Finally, check if the router supports the creation of a "honeypot" default server. At the router level, all this amounts to is assigning a dummy unused IP address within your router's predefined DHCP range to receive all unsolicited inbound WAN-side connections. [Edit] For example, my default router DHCP range is 192.168.1.1 - 192.168.1.253. My router's gateway address is 192.168.1.254 and the router's broadcast address is 192.168.1.255. In this configuration, I assigned 192.168.1.253 as my default server. [End Edit] This option worked wonders on my router. Since implementing it, my blocked ICMP count went from over 1000 to less than 100. My blocked TCP connections went from many 1000s to 0. All port scans and ping attacks are immediately shut down. And my browsing speed has increased dramatically.

I have an ActionTec MI424-WR Rev. F

OK. I just got done reading the manual for your router - all 250+ pages - Jeez!

Denial of service protection is automatic in your router. No special setting needed.

Your router’s gateway address is 192.168.1.1. Your assignable DHCP range is 192.168.1.2 - 192.168.1.254. I am assuming you are using DHCP. For this discussion, I assume you have one PC connected to the router and DHCP assigns it the first available address, 192.168.1.2.

If all you do is normal web surfing and e-mail, I would consider bumping up your firewall security level to maximum. Note that if you do any P2P stuff, etc., you will have to write custom rules to allow that at the maximum security level.

Stateful inspection on your router is controlled at the firewall rule level - jeez again! When the rule is set to the "accept" option, it turns on stateful inspection for that rule only. Kind of clunky in my opinion.

The only way I see of setting up a "default honeypot server" for your router would be to use the DMZ option. The way your manual reads, it is unclear whether the DMZ has to be an actual physical device. Then you would have to add a rule to your firewall rules to direct all unmatching traffic to 192.168.1.254, assuming that is the address you use for the DMZ server. Best to get some help here from an expert on your router.

Thanks for all the replies, guys. When I set my firewall to maximum, it blocks everything. I can't get on Google or anything. I don't see stateful inspection anywhere under firewall settings, and under DMZ Host it says "allow your computer to be fully exposed to the internet" and I don't think I want that. Where can I find stateful inspection, and how can I let traffic out when I'm under maximum security?

Oh, and how I know I'm getting attacked is I'll be threatened while playing online games and lose connection for about 5 minutes.

Stateful inspection on your router is controlled at the firewall rule level. When the rule is set to the "accept" option, it turns on stateful inspection for that rule only. Kind of clunky in my opinion.

Again, your firewall sets Stateful Inspection options only at the firewall rule. If I recollect from reading your manual, you cannot see the rules your router firewall generated unless it's set to maximum level?

Bottom line - your router is not what I would call a “user friendly” one.

On my old Netopia 3347 router, the firewall is always set to "max" when I select it to run in full stealth mode. I then have to create pinholes or exception rules to allow inbound P2P activity like games. It assists in that by having a number of preset game settings already set up. Unfortunately, the router is so old that most of the games it has predefined are obsolete.

Actually, all the rules are changeable but the defaults have been set by Verizon. You also, as I mentioned in my earlier post, have the ability to set advanced filters for the firewall.

With regard to stateful inspection, this is the province of the firewall. Essentially, SPI means that when a packet is received, the firewall will compare it with requests made by applications/processes. If a match is not found the packet is dropped.
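The SPI description just above (an inbound packet is accepted only when it matches something the inside host asked for) is small enough to model directly. The Python below is an added example for this thread, not Actiontec, Verizon or Comodo code: it keeps a connection table keyed on the 5-tuple of each outbound packet, reverses the tuple to match inbound traffic, and drops everything else regardless of port. The inside address 192.168.1.2 (the DHCP guess made earlier in the thread), the peer addresses and the packets are constructed for illustration; a real SPI engine additionally checks TCP sequence numbers and expires idle entries, which this model omits.

```python
"""Stateful packet inspection (SPI), modelled in Python (added example).

Outbound packets are always allowed and create a flow entry; inbound packets
are accepted only when they match a tracked flow. Addresses, ports and the
packets in demo() are constructed for the example.
"""
from dataclasses import dataclass, field

INSIDE = "192.168.1.2"   # assumed address of the PC behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""      # TCP flags as letters: "S", "SA", "A", "F", "R"


@dataclass
class StatefulFirewall:
    table: dict = field(default_factory=dict)   # 5-tuple -> state
    decisions: list = field(default_factory=list)

    @staticmethod
    def _key(src, sport, dst, dport, proto):
        return (proto, src, sport, dst, dport)

    def _record(self, pkt, verdict, reason):
        self.decisions.append((verdict, reason, pkt))
        return verdict == "ACCEPT"

    def outbound(self, pkt):
        """Outbound: Allow. A SYN opens a half-open flow, anything else a full one."""
        key = self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.proto == "tcp" and "R" in pkt.flags:
            self.table.pop(key, None)
            return self._record(pkt, "ACCEPT", "outbound reset, flow closed")
        state = "SYN_SENT" if (pkt.proto == "tcp" and pkt.flags == "S") else "ESTABLISHED"
        self.table.setdefault(key, state)
        return self._record(pkt, "ACCEPT", "outbound, flow tracked")

    def inbound(self, pkt):
        """Inbound: Reject unless the reversed 5-tuple is a tracked flow."""
        key = self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        state = self.table.get(key)
        if state is None:
            return self._record(pkt, "DROP", "no matching outbound flow")
        if pkt.proto == "tcp":
            if state == "SYN_SENT" and pkt.flags not in ("SA", "R"):
                return self._record(pkt, "DROP", "half-open flow expects SYN/ACK or RST")
            if "R" in pkt.flags or "F" in pkt.flags:
                self.table.pop(key, None)
                return self._record(pkt, "ACCEPT", "flow closed by peer")
            self.table[key] = "ESTABLISHED"
        return self._record(pkt, "ACCEPT", "matches tracked flow")


def demo():
    """Constructed scenario: browsing, a UDP game session, and three intruders."""
    fw = StatefulFirewall()
    # 1. PC opens an HTTPS connection: SYN out, SYN/ACK back, ACK out.
    fw.outbound(Packet(INSIDE, 50000, "203.0.113.5", 443, flags="S"))
    fw.inbound(Packet("203.0.113.5", 443, INSIDE, 50000, flags="SA"))
    fw.outbound(Packet(INSIDE, 50000, "203.0.113.5", 443, flags="A"))
    # 2. Game traffic over UDP: the PC talks first, the server's reply is let in.
    fw.outbound(Packet(INSIDE, 27015, "198.51.100.20", 27015, proto="udp"))
    fw.inbound(Packet("198.51.100.20", 27015, INSIDE, 27015, proto="udp"))
    # 3. Unsolicited: a SYN to port 22 and a UDP packet to the game port.
    fw.inbound(Packet("192.0.2.99", 4444, INSIDE, 22, flags="S"))
    fw.inbound(Packet("192.0.2.99", 27015, INSIDE, 27015, proto="udp"))
    # 4. Forged "reply": right ports, wrong peer address.
    fw.inbound(Packet("192.0.2.99", 443, INSIDE, 50000, flags="A"))
    return fw


if __name__ == "__main__":
    for verdict, reason, pkt in demo().decisions:
        print(f"{verdict:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto} {pkt.flags or '-':3} {reason}")
```

The point for the thread: with SPI the game's UDP replies still come back, because the PC sent first, while a stranger hitting the same game port is dropped. It is also why a flood that never matches a flow costs the router CPU for the table lookup only, but a flood that arrives faster than the router can look up is still a flood; SPI does not by itself stop a bandwidth attack on the WAN link.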

From my experience when my router got hacked, the prognosis is not good. I would do a hard reset on the router, then reset my admin password with a strong one, and the problem would disappear for a couple of days. Then the hackers, usually out of Beijing, would reappear. Once you are pegged as a bot site, they will never leave you alone. The only thing that worked for me was to create the "honeypot" default server I described previously. Now when those turkeys land on my router, they are redirected to a non-existent device and time out and die.

You might consider adding a good router, not one on Heffner's list that are vulnerable to DNS rebinding attacks, behind your existing router. Make sure the new router supports the creation of a non-existent default server. You can then configure your existing router to pass through. There are posts on the Verizon forum on how people did this when they got fed up with the problems your particular router model was causing them.

OK, when I enable maximum security on my firewall, no traffic gets through. I can't even get on the internet. I also see no other options appear when I set maximum security, unless I'm not looking in the right spots. Where is stateful inspection after I enable maximum security? And how can I access the internet after I enable maximum security? Do I have to make rules under advanced filtering when I enable maximum security? And should I even bother? Should I just get a different modem/router? Is there just a simple FiOS modem I can buy that isn't a router and split it with a hub?

The attack protection mechanisms are enabled by default and SPI can be controlled through the use of Advanced filters, but appears to be enabled by default.

I'd suggest you take a look at my earlier post (Re: Block DDOS Attacks) and enable the logging of the flood items, at the least. This will allow you to capture any potentially useful information, which may be useful for further investigation.

With regard to the Advanced filters, personally, I'm not sure you're going to gain a great deal in this area. However, if you can capture the IP addresses of the attacker, you could create a filter that would drop the packets from that address.

Changing your router is an option, but hardly necessary, and removing a router altogether is not a good move in terms of security. You could, potentially, change the firmware (http://www.dd-wrt.com/wiki/index.php/MI424WR or Actiontec MI424WR [Old OpenWrt Wiki]), but your router doesn't seem very user friendly in this.
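The advice above, log the flood and turn the captured attacker addresses into drop filters, is routine to script once the log is off the router. The Python below is an added example for this thread and is not Actiontec, Verizon, DD-WRT or Comodo code. The thread never shows the MI424-WR's log format, so the sample lines are constructed in netfilter LOG style (key=value fields, the format a Linux-based firmware such as the DD-WRT build linked above would write) and the field names are assumptions; the year is assumed because syslog timestamps omit it. The generated rules use iptables syntax purely to illustrate the equivalent "source address = attacker, action = drop" entry a router's advanced filter would hold.

```python
"""Router firewall log -> per-source flood detection -> drop rules (added example).

Sample log lines are constructed in netfilter LOG style; field names, the
syslog year, thresholds and addresses are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV = re.compile(r"(\w+)=(\S+)")
TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d)")


def parse_line(line, year=2011):
    """Return a dict for a firewall DROP line, or None for anything else."""
    m = TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S")
    fields = dict(KV.findall(line))
    if "SRC" not in fields:
        return None          # e.g. a link-state message, not a packet record
    return {"time": ts, "src": fields["SRC"], "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dport": int(fields["DPT"]) if "DPT" in fields else None,
            "syn": line.rstrip().endswith(" SYN")}


def find_flood_sources(events, window_s=10, threshold=50):
    """Sliding-window count per source; flag a source the first time it exceeds it."""
    per_src = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        q = per_src[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = {"first_seen": q[0], "count_in_window": len(q),
                                  "dport": ev["dport"]}
    return flagged


def drop_rules(flagged, chain="INPUT"):
    """iptables form of 'drop everything from this source' (illustrative only)."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in sorted(flagged)]


def make_sample_log():
    """Constructed log: five slow SSH probes and a 300-packet SYN flood."""
    base = datetime(2011, 5, 8, 20, 13, 0)

    def line(t, src, proto, spt, dpt, syn=False):
        return (f"{t:%b} {t.day:2d} {t:%H:%M:%S} router kernel: DROP IN=eth1 OUT= "
                f"SRC={src} DST=203.0.113.8 PROTO={proto} SPT={spt} DPT={dpt}"
                + (" SYN" if syn else ""))

    lines = [line(base + timedelta(seconds=i * 7), "192.0.2.10", "TCP", 40000 + i, 22, syn=True)
             for i in range(5)]
    lines += [line(base + timedelta(milliseconds=i * 27), "198.51.100.77", "TCP", 1024 + i, 27015, syn=True)
              for i in range(300)]
    lines.append("May  8 20:13:20 router kernel: link up on eth1")   # parser must skip this
    return lines


def analyse(lines=None, year=2011):
    events = [e for e in (parse_line(l, year) for l in (lines or make_sample_log())) if e]
    flagged = find_flood_sources(events)
    return {"events": len(events), "flagged": flagged, "rules": drop_rules(flagged)}


if __name__ == "__main__":
    result = analyse()
    print(f"{result['events']} packet records parsed")
    for src, info in result["flagged"].items():
        print(f"{src}: {info['count_in_window']} packets within the window, dport {info['dport']}, first seen {info['first_seen']}")
    print("\n".join(result["rules"]))
```

Two practitioner caveats that the thread's advice glosses over: a flood with spoofed sources produces thousands of distinct SRC values and nothing will cross the threshold, and a per-address drop rule on the router still costs the same WAN bandwidth, since the packets have already arrived. That is why the earlier suggestion to hand the captured log to the ISP, who can drop the traffic upstream, is the one that actually restores the link.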

Below is what your router manual states about “maximum” firewall settings. The default firewall rules should allow for basic surfing; i.e. TCP ports 80 and 443. Note that you must select Access Control option.

Now, if you received your router from Verizon, it is possible the ISP has modified the firmware to "cripple" or modify the manufacturer's default settings.

FiOS Router User Manual, p. 107, © 2010 Verizon. All Rights Reserved.

6.3a Allow or Restrict Services

To view and allow/restrict these services:

Select 1. Access Control from the left side of any Security screen. The “Access Control” screen appears.
Note: The “Allowed” section is only visible when the firewall is set to “Maximum.”


Thanks, I can now access the internet through maximum security mode. I had to create a rule under Access Control to let me out. How do I create a honeypot server?

I seem to have the latest firmware (20.10.7.5), but I just checked my security logs and found something very disturbing. It seems that someone by "WBM user unknown (0.0.0.0)" has changed my router settings 54 times on May 8th and 142 times on May 9th. What should I do? Does someone have access to my router? And why can't I see their IP? Are they behind a proxy?

Check out this posting: Actiontec Security considerations Verizon FiOS FAQ | DSLReports, ISP Information. It further elaborates on Heffner's router vulnerability research. Your router series has at least 10 known vulnerabilities.

There is a separate forum section at DSL Reports for Verizon FiOS: Verizon FiOS forum | DSLReports, ISP Information. I am sure someone there can answer your ActionTec router specifics.