Help me stop Winnukes, SYN Flooding and IP Spoofing

Hi all.

I am having an unending series of attacks of the above-mentioned kinds. The problem is, I am not sure what is causing these attacks as I have done everything possible to rid my PC of any pesties. I have reformatted my HD 16X already but to no effect. Right now, I only have Windows XP-SP2, with AntiVir and Comodo installed. I have no additional programs installed.

Comodo Fwll does not report any of these attacks at all during or after these attacks. I got the reports from my Broadband 4-port Router. The logs state these attacks did take place. I have tried disabling my Modem’s firewall to enable these attacks to reach my PC, to get Comodo to log them, but Comodo doesn’t!

I am attaching the logs in txt.

Please guys, help me to deal with them as I am getting no help from my ISP. They are even listed on Wiki as the ISP with the most complaints by its customers! ISP name Streamyx. (S)

Dailyfree


Welcome to the forums, Dailyfree ~

Will you open CFP’s Network Monitor to full-screen size, capture and save that screenshot as an image file (jpg, gif, or png). Then attach it to your post here using the bold red “Additional Options” just below your textbox. That should let us know why CFP isn’t logging these events.

LM

To clarify why I need this help is very embarrassing indeed.

My ISP Streamyx have the monopoly in the Malaysian Broadband market, whereby its parent company Telekom Malaysia owns all the land lines. They have refused to share the rights. The EU laws on monopoly don’t apply here! Mostly, we have 75% old copper lines throughout the country. The Government have stressed that it wants Broadband penetration to reach 70% nationwide by 2008. Thus, Streamyx embarked on a ridiculous marketing campaign, offering Broadband packages of various kinds, all stating unlimited usage. I guess they oversold their bandwidth. To overcome this problem, they probably resorted to nuking their own customers to prevent traffic congestion.

If you look at my Sys logs, you will notice that my Modem has logged on to Streamyx before I entered my log-in ID and password. That indicates that they have advance notice that an IP has been assigned to my modem first, not my machine. I can verify this as even if I just turn on my Modem alone, without turning on my machine, the DSL LED and the PPP LED will light up. The PPP LED will go off after about 3 minutes if I don’t turn on my machine. Every time I turn on my machine, CFP will indicate that SYSTEM sends UDP address 0.0.0.0 to 255.255.255.255. Then my Modem will send UDP to 209.0.72.7. That IP belongs to Level 3. I don’t know why. I have complained to ISP Streamyx at least 100 times but they said that Dynamic IPs can’t be traced! Can you imagine that?

What I need is to understand how to counter this problem. Seems to be associated with ARP caches as I read somewhere. Anyhow, for anyone who is interested to do some hacking to our local banks, I would think that you will get away scot-free as my ISP Streamyx cannot trace you! At least that is their answer to my enquiries to track the offending IPs!!!

The interesting thing (I think) about the attempted Outbound connection to Level 3 (in Colorado) is the port 123 reference, as if it’s your time-server. The time-server (also in Colorado) is the University thereof.

The rest of them seem to be related to your ISP. Is this a cable connect, rather than DSL?

If so, I would see this as quite common. Cable connections actually create “networks” of their users, route & re-route, and create all sorts of confusing traffic that just should not exist. Very rarely will someone get their Support to admit/confirm the behavior. I have only found out thru these limited confirmations, combined with a lot of research on my own into how these things work.

I do see a few issues with your NetMon rules (tnx for posting those)…
Rules ID 6, 7, & 8 will never be activated, as the traffic is/will be stopped by Rule ID 5.

Rule ID 5 should always be the very last one - it’s your safety net. Move the other three above it.

The current Rule ID 8 (blocking GRE) will need to come before the current rule ID 4 (allowing GRE) in order for it to function properly to block those IP addies.

There isn’t anything in those rules that would stop CFP from blocking the inbound traffic, if it were reaching it. I’m thinking that in order to test CFP, you will need to use your router to Forward all ports; either that or physically connect directly from computer to modem.

LM

PS: Given that your ISP doesn’t seem to want to acknowledge the apparent DOS attempt, and that your router’s FW is blocking it, I wouldn’t worry too much about it. In other words, if you can’t change it, and you know it’s not doing damage, it may be easier just to ignore it.

Thank you for your advice.

Have totally understood your instructions and have relocated the Rules ID as advised.

Have also totally uninstalled the ZA from my other 3 networked home PCs to be honorably protected by Comodo. The support here outclasses paid support. Anytime and every time. Though my other 3 Comodo protestors disagree…whole-heartedly! Well, I guess they better get out of their comfort zones, quickly, because ZA is no longer on the safe vendor or product list…Pity.

Yes, you are right about the route and re-route issue. Yes, you are right again about them not owning up to it! I am supposed to be paying for a 2Mb DSL connection.

Am trying to forward all ports direct to PC and hopefully will bypass my router. It’s a good router but then again, its entry-level type of firewall does have its limitations.

Thanks and Regards,
Dailyfree

I wouldn’t advise keeping the router port-forwarded for anything other than testing purposes over a limited time. Simply because a hardware firewall is a better first-line defense against incoming attacks than a software one. It has one job and one job only, and that’s to keep known bad stuff out.

The software firewall is really more to keep bad stuff IN (such as if you’ve gotten malware on your computer). Its secondary task is to keep bad stuff out, control traffic (such as through ICS, etc).

Using a hardware FW along with a software FW is just another example of layered security. Nothing is 100%, so you’re stacking the odds a little more in your favor that way.

LM

Thanks again for your reply.

Tried the forwarding port procedure for awhile yesterday and it didn’t seem to work! The attacks kept on coming. It is not due to any DDoS worm that I know of. Comodo did not log any attacks!

Uninstalled AntiVir. Tried scanning with KAV…nothing. Tried AVG…AS USUAL NOTHING!..Tried AntiVir again…nothing!

Enabled HW firewall again. Did manage to get back my subscribed bandwidth, coz without the HW firewall, the bandwidth did get tiny!

What else can I do to stop these criminals?

Suggestions anyone?

winnuke’s an external-based DOS attack on port 139 (as I recall); it was “developed” against NT servers, and primarily used against those that keep the port open for network activities. It’s not (afaik) from an internal malware; just an external attack against a known Windows vulnerability. Historically a winnuke did nothing but cause a system BSOD if successful. I don’t know if a “current” version carries any other payload.

For more protection, you may try disabling the NetBIOS service (which is what uses 139, for file & printer sharing). To do so, go to start/run and type “services.msc” (no quotes). Find the entry for TCP/IP NetBIOS Helper; double-click and set to Disabled. Apply, OK, and reboot.

Next open your Internet Connections folder in Windows. Find your adapter/connection icon, right-click and select Properties. Find the entry for Internet Protocol TCP/IP, highlight and click Properties button. On General Tab, go to Advanced settings, then WINS tab.

Uncheck the box for Enable LMHosts Lookup. Under NetBIOS Settings, click the last box, to Disable NetBIOS over TCP/IP.

That should help you out; it will at least provide you some more security.

Not sure what else to tell you. If you properly forwarded all ports from your router to your computer, they would hit the firewall and CFP would stop them, and log them. Just to ask (no insult intended) but in CFP you are checking Activity/Logs to see this, right?

LM

Ok, I did check the logs…nothing.

Will uninstall Comodo and disable all start-up programs. Just to make sure there is no interference.

Be back in a jiffy…if you’re still here!

Thanks
Dailyfree

Hey if you do that, do so in SafeMode - both uninstall and reinstall…

LM

Rule ID 5 should always be the very last one - it's your safety net.
No no no, as long as you understand that all rules beneath the "Block all"-rule are "ignored" this is in fact a quite efficient way to have "temporary" rules. Just as an example I move my "bit-torrent" rule beneath the "block all"-rule when the client isn't running... that way I'm 120% certain that nothing can exploit the port. (not that I worry much about it, Comodo has a 99.9% trust-rating in my book)
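The first-match behaviour LM and gordon describe (rules below "block all" never fire, and a specific block must sit above the allow it is meant to override), as an added example that is not from the thread or from Comodo. The rule IDs, the GRE/TCP rules, port 6881 and the peer address 203.0.113.9 are constructed assumptions, not the poster's real rule set.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "allow" or "block"
    proto: Optional[str]   # None matches any protocol
    src: Optional[str]     # None matches any source address
    dport: Optional[int]   # None matches any destination port

    def matches(self, proto, src, dport):
        return ((self.proto is None or self.proto == proto) and
                (self.src is None or self.src == src) and
                (self.dport is None or self.dport == dport))

    @property
    def is_catch_all(self):
        return self.proto is None and self.src is None and self.dport is None

def decide(rules: List[Rule], proto, src, dport=None):
    """First-match evaluation, top to bottom; default deny if nothing matches."""
    for rule in rules:
        if rule.matches(proto, src, dport):
            return rule.action, rule.rule_id
    return "block", None

def dead_rules(rules: List[Rule]):
    """IDs of rules placed below a catch-all rule: they can never be reached."""
    dead, after_catch_all = [], False
    for rule in rules:
        if after_catch_all:
            dead.append(rule.rule_id)
        after_catch_all = after_catch_all or rule.is_catch_all
    return dead
# Constructed rule set (assumption) mirroring the thread: rule 4 allows GRE,
# rule 5 is "block all", rules 6-8 sit below it; 203.0.113.9 is a made-up peer.
BAD_PEER = "203.0.113.9"
ALLOW_GRE = Rule(4, "allow", "GRE", None, None)
BLOCK_ALL = Rule(5, "block", None, None, None)
ALLOW_TORRENT = Rule(6, "allow", "TCP", None, 6881)
BLOCK_PROBE = Rule(7, "block", "TCP", BAD_PEER, 139)
BLOCK_GRE_BAD = Rule(8, "block", "GRE", BAD_PEER, None)

AS_POSTED = [ALLOW_GRE, BLOCK_ALL, ALLOW_TORRENT, BLOCK_PROBE, BLOCK_GRE_BAD]
# LM's fix: specific block rules first, block-all last.
REORDERED = [BLOCK_GRE_BAD, ALLOW_GRE, BLOCK_PROBE, ALLOW_TORRENT, BLOCK_ALL]
# gordon's trick: park the torrent rule below block-all while the client is off.
PARKED = [BLOCK_GRE_BAD, ALLOW_GRE, BLOCK_PROBE, BLOCK_ALL, ALLOW_TORRENT]
```

`dead_rules(AS_POSTED)` reports 6, 7 and 8 as unreachable, and `decide` shows the bad peer's GRE traffic allowed by rule 4 until rule 8 is moved above it.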

Good point, gordon. Nice pro-active thinking there… :wink:

LM

Thanks for the replies.

OK, I have disabled DMZ…Whewwww CPU usage went up like a rocket!

Little Mac and Gordon, I connect to the web like this:

I need to access my router using my browser, then it will connect me to my ISP. Will disabling my NetBIOS permit me to access the web?

Ahh, okay. In this case, you may need to re-enable the DMZ.

Disabling NetBIOS shouldn’t have an impact, as long as you’re not doing Windows’ File & Printer Sharing (as in, on a local network).

LM

Completely disabled LMHosts lookup and letting my Modem handle the UDP connections while forwarding all TCP connections to Comodo.

Will this work in tracking the Nuker’s IP?

LMHosts Lookup and NetBIOS are really only applicable to LAN-scenarios. Disabling those should have no effect on anything else (other than making your computer more secure).

LM

Appreciate all the advice LM.

The logging is really intense and useful now. I can really see who is trying to connect to my PC and so far the data is quite useful. Have already discovered a few IPs looking very suspicious trying to hook to my 445 Port. 137 & 139 don’t seem to exist anymore!

Thanks Little Mac…Dont you like McD’s Big Mac?

Port 445 is another Windows-exploit port; MS used that as the replacement port for the NetBIOS stuff. I think this was the target of the Sasser and Bobax worms (among others).

here’s some info on it:
http://www.howsecureismycomputer.com/security-articles/windows/close-port-445.html

LM

Generally, these probes are concentrating on ports 135-139 and 445. Have completely disabled them and have no problems so far. LMHost was completely disabled and so is the setting on the Modem ports. They are set not to receive or transmit.

Thanks for the help.

I find that blocking port 1900 helps to stop these attacks to a certain extent too. The frequency of attacks dropped quite a bit and after spending countless hours trying to resolve these attacks by trying out different ports and ranges of IP, I have accidentally stumbled on a solution. ;D

Since I know for a fact that my criminally-inclined and immoral ISP has oversold their usable bandwidth, I figured that they must have an army of zombies at their disposal. From my Modem’s Fw logs, usually a minimum of 10 local IPs will try to connect to ports 135, 137 and 445. To a lesser degree, ports 1433-1455 and 2967-2969 get unwelcome visitors too. Then a single local IP will launch the attack! :cry:

After getting invaluable advice from Comodo security experts (Little Mac mostly) (:AGL), blocking the netbios ports were the first steps to be taken. Installing IPcop firewall then Smoothwall was the next course of action, though IMHO, it didn’t help my cause much. Blocking all ports would be idiotic as legit communications would get blocked too.

Reading about DDoS, courtesy of Google, I found a lot of useful info. ;D Seems that different types of attacks favours different specific ports. The key to my defense was really trial and error on specific ports blocking. Identifying the actual DDoS method used was important too.

Using these different ports blocking and forwarding some of the ports to Comodo, I now have 95% reduction of attacks! I don’t know any other way of stopping these attacks totally as they are from my ISP. If someone would just give me a DDoS counter-attack tool that would be great! (Really need it)
Something similar to the “Goalkeeper” anti-missile system would be ideal!

“Comodo Support - The Envy of others!” (:CLP)

Dailyfree (B)
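The two-stage pattern Dailyfree reads out of the modem's firewall log (several nearby addresses probing the NetBIOS/SMB/SQL/SSDP ports, then one address launching the flood) can be picked out of the log automatically. This is an added example, not the poster's log or any vendor's tool; the log line format, the 10.8.45.0/24 addresses and the thresholds are constructed assumptions, so adapt LINE_RE to the real router's output.

```python
import re
from collections import Counter
from datetime import datetime

# Ports the thread singles out as probe targets (NetBIOS, SMB, MSSQL, SSDP, Symantec).
WATCHED_PORTS = {135, 137, 138, 139, 445, 1433, 1900, 2967}
# Constructed log format (assumption); adapt the regex to the real router's output.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: several nearby hosts probe the watched ports, then one
# host sends a burst of 25 packets in five seconds (all addresses are made up).
PROBES = [
    "2007-06-12 10:01:03 DROP TCP 10.8.45.21:3421 -> 10.8.45.77:445",
    "2007-06-12 10:01:04 DROP TCP 10.8.45.22:1127 -> 10.8.45.77:139",
    "2007-06-12 10:01:04 DROP UDP 10.8.45.23:1900 -> 10.8.45.77:1900",
    "2007-06-12 10:01:06 DROP TCP 10.8.45.21:3422 -> 10.8.45.77:135",
    "2007-06-12 10:01:09 ACCEPT TCP 10.8.45.99:51000 -> 10.8.45.77:80",
]
BURST = [f"2007-06-12 10:02:{i // 5:02d} DROP TCP 10.8.45.30:{2000 + i} -> 10.8.45.77:445"
         for i in range(25)]
SAMPLE_LOG = "\n".join(PROBES + BURST)

def parse(log):
    """Yield (timestamp, source address, destination port) for each line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], int(m["dport"]))

def probe_summary(log):
    """Hits per source on the watched ports: the reconnaissance stage."""
    return dict(Counter(src for _, src, dport in parse(log) if dport in WATCHED_PORTS))

def flood_sources(log, threshold=20, window_s=10):
    """Sources with at least `threshold` packets (any port) inside a single
    fixed `window_s`-second bucket: the single-host flood stage."""
    def bucket(ts):  # seconds since day 1, integer-divided into fixed windows
        return (ts.toordinal() * 86400 + ts.hour * 3600 + ts.minute * 60 + ts.second) // window_s
    per_bucket = Counter((src, bucket(ts)) for ts, src, _ in parse(log))
    return sorted({src for (src, _), n in per_bucket.items() if n >= threshold})

if __name__ == "__main__":
    print(probe_summary(SAMPLE_LOG))   # which neighbours are scanning, and how much
    print(flood_sources(SAMPLE_LOG))   # who is flooding
```

The accepted port-80 connection from 10.8.45.99 is deliberately left out of the probe summary, and the flood check ignores ports so a flood on an unwatched port is still caught.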