Comodo failing spoofing attacks?...Comodo has poor packet filtering?

The post: Outpost Firewall Free 2009 v6.5 Released | Page 7 | Wilders Security Forums
The original thread: Outpost Firewall Free 2009 v6.5 Released | Page 8 | Wilders Security Forums

What is this guy (pandlouk) on about? He doesn’t provide any evidence for his claims. I’d like to know where these “holes” are in Comodo Firewall that have not been addressed since version 2.4.

Thanks for any replies.

I know that pandlouk was a moderator here and that he left (for a reason I don’t know about).
I’m not sure if there are any holes in CIS, and you can configure the packet filter so you should be fine?


It’s okay mate. I’ve worked it out mostly now. I suspect he was just making claims for the sake of bashing Comodo. He must have had a bad experience here or something.

I would like to know how Comodo Firewall can be configured to protect against ARP attacks though. Apparently enabling “Protect the ARP cache” does nothing!

Thanks for any help on this.

Hi ssj100, I personally know zip about this stuff. But, if CIS doesn’t do something with regards to ARPs, then something must be wrong. Because looking at CIS’s help, there’s an awful lot of nothing there.

Protect the ARP Cache
Checking this option makes Comodo Firewall start performing stateful inspection of ARP (Address Resolution Protocol) connections. This will block spoof ARP requests and protect your computer from ARP cache poisoning attacks.

The ARP Cache (or ARP Table) is a record of IP addresses stored on your computer that is used to map IP addresses to MAC addresses. Stateful inspection involves the analysis of data within the lowest levels of the protocol stack and comparing the current session to previous ones in order to detect suspicious activity.

Background - Every device on a network has two addresses: a MAC (Media Access Control) address and an IP (Internet Protocol) address. The MAC address is the address of the physical network interface card inside the device, and never changes for the life of the device (in other words, the network card inside your PC has a hard coded MAC address that it will keep even if you install it in a different machine.) On the other hand, the IP address can change if the machine moves to another part of the network or the network uses DHCP to assign dynamic IP addresses. In order to correctly route a packet of data from a host to the destination network card it is essential to maintain a record of the correlation between a device’s IP address and its MAC address. The Address Resolution Protocol performs this function by matching an IP address to its appropriate MAC address (and vice versa). The ARP cache is a record of all the IP and MAC addresses that your computer has matched together.

Hackers can potentially alter a computer’s ARP cache of matching IP/MAC address pairs to launch a variety of attacks including Denial of Service attacks, Man in the Middle attacks, MAC address flooding and ARP request spoofing. It should be noted that a successful ARP attack is almost always dependent on the hacker having physical access to your network or direct control of a machine on your network - therefore this setting is of more relevance to network administrators than home users.

Block gratuitous ARP frames
A gratuitous ARP frame is an ARP Reply that is broadcast to all machines in a network and is not in response to any ARP Request. When an ARP Reply is broadcast, all hosts are required to update their local ARP caches, whether or not the ARP Reply was in response to an ARP Request they had issued. Gratuitous ARP frames are important as they update your machine’s ARP cache whenever there is a change to another machine on the network (for example, if a network card is replaced in a machine on the network, then a gratuitous ARP frame will inform your machine of this change and request to update your ARP cache so that data can be correctly routed). Enabling this setting will block such requests - protecting the ARP cache from potentially malicious updates.

PS I formatted it like the Help had it.
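
The checks the quoted help text describes (tracking which ARP replies were actually requested, spotting gratuitous frames, and noticing when a known IP suddenly claims a new MAC), as an added example that is not part of the thread and not Comodo's implementation. The names `build_arp`, `parse_arp`, `ArpMonitor` and `demo`, and all addresses, are constructed for illustration.

```python
import socket
import struct

REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (used only for the constructed samples)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip) or raise ValueError."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (REQUEST, REPLY):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    return (op, payload[8:14].hex(":"),
            socket.inet_ntoa(payload[14:18]), socket.inet_ntoa(payload[24:28]))

class ArpMonitor:
    """Remembers our own requests and the IP->MAC bindings learned from clean replies."""
    def __init__(self):
        self.pending = set()   # IPs we asked about and have not heard back from
        self.cache = {}        # IP -> MAC accepted so far

    def sent_request(self, target_ip):
        self.pending.add(target_ip)

    def inspect(self, payload):
        """Return a list of findings; only a reply with no findings updates the cache."""
        op, sha, spa, tpa = parse_arp(payload)
        checks = [("gratuitous", spa == tpa),  # sender announces its own IP
                  ("unsolicited-reply", op == REPLY and spa not in self.pending),
                  ("binding-change", self.cache.get(spa, sha) != sha)]
        findings = [name for name, hit in checks if hit]
        if op == REPLY and not findings:
            self.pending.discard(spa)
            self.cache[spa] = sha
        return findings

def demo():
    """Constructed frames: the reply we asked for, then a forged broadcast for the same IP."""
    mon = ArpMonitor()
    mon.sent_request("192.168.1.1")
    good = build_arp(REPLY, "aa:aa:aa:aa:aa:01", "192.168.1.1", "aa:aa:aa:aa:aa:10", "192.168.1.10")
    forged = build_arp(REPLY, "aa:aa:aa:aa:aa:66", "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.1")
    return mon.inspect(good), mon.inspect(forged), mon.cache
```

A legitimate change, such as the replaced network card the help text mentions, also raises `binding-change`, so that finding needs confirmation before it is treated as an attack.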

I just reviewed the Wilders link you posted. Wow, pand does seem miffed. I also reviewed some of pand’s later posts, because I cannot remember him reporting anything like this (unless he only told Melih & Egemen). I couldn’t find any he posted about ARPs. In fact, forum wide (all posts) there doesn’t seem to be much on ARP poisoning at all. So, I dunno where this is coming from. But, I’m sure we’ll find out in due course.

I’m not sure why he seems so ‘anti’ CIS these days, he was once very active here. Obviously he now feels he has some axe to grind…

Here’s an interesting read on the subject:

[attachment deleted by admin]