Hello, I currently have a Windows XP SP2 machine (AMD XP 2.3 GHz (3.2+ rating)) with 1 GB of memory.
I have very little installed on the machine because of a previous breach. I did a complete wipe (and scanned for rootkits) and a re-installation.
I just wanted to inform you that the current beta survived for almost 1.2 hours while being DDoS'd and code-injection attacked in a MySpace chatroom. They appeared to be using a SYN_EVENT acknowledgment type of attack which was being tunneled over an HTTPS link. I recorded the IPs and proceeded to make global rules inside Comodo Firewall blocking those particular IP addresses. Despite this action, SYN events still kept coming through the firewall from the associated IPs. I think they were spoofing the IP addresses on the incoming packets; I am not sure, as the logging system in Comodo Firewall is currently dysfunctional and is not usable for tracking such events. I did, however, use a utility from Sysinternals that allowed me to watch the connections occurring in real time, which helped (but not much).
As I said earlier, the current 126.96.36.199 beta survived for about 1.2 hours, then was completely overwhelmed and broken. The system was taken over and passwords were stolen AGAIN! This is irritating me so much that I am thinking I should permanently drop the XP operating system. The attackers overflowed the buffer, injected EXE code, ran it, obtained administrator access and within a few minutes had passwords to all accounts and copied all passwords they could find on the machine. While in the chat room they offered me some Pringles chips while they looked through my online accounts. I was disturbed by the fact that this firewall could break so easily.
Maybe you could develop EXTENSIVE logging options and support blocking packets INSIDE of tunnels (please, please, please, there I said it three times!), such as an HTTPS tunnel. I just spent the whole day changing passwords on every account I have. I am glad they were just ahes and not thieves, because they could have done serious damage and caused a lot of grief. After realizing how easy it is to overflow buffers and break a machine in under 5 minutes, I now believe it is absolutely UNSAFE to store any passwords on a computer system. They broke a 128-bit AES encrypted key in under 5 minutes, better known as distributed computing. I would like to say that I appreciate the effort on this firewall; it did give me enough time to actually realize what was happening. If this firewall had not been in place, they would have broken this machine almost instantly and would have had access to valuable data and plenty of time to download it.
I get attacked on a daily basis; I would be more than happy to be a top-line beta tester. They break into my system weekly. I seem to be a magnet for a group of hackers (even though I love them all).
Contact me by email and start a dialog with me. I will allow you to set up extensive logging and donate that information for you to analyze each attack as they come, and even give you VNC access to the system if you need to check things remotely. Consider it my gift to make this firewall a cut above the competition.
As far as the rules go, I had to wipe the system and unfortunately I chose not to save anything from it.
I always use Firefox and Opera; both of these browsers (even in their current form) can be overwhelmed and code-injected very easily.
My security settings are always scrutinized. You're not dealing with a noob here; I go into these chat rooms knowing full well that the people on the other end are expert hackers. I expect to be hit, and I always am. I like to watch how they do it so I can learn more about security.
So far I have blocked off every route for them, except I don't know how to prevent SYN attacks over IP tunnels. My last problem was that the system somehow got infected with an undetectable rootkit (it's not been recorded in the wild yet). I had to clean the partition tables and boot sectors to make sure no bootstrap rootkits were in memory.
Still need better logging and support for tunnels and encrypted connections. I would love for it to be able to ignore SYN connections altogether if a flood is detected (this is a must-have feature).
Most of the tunnel attacks that I have read about use private addresses such as 172.x.x.x, 192.168.x.x, and 10.x.x.x, plus they will also use your very own IP address. Your Block All rule should take care of that part, but even the best routers can get taken down because the attacks simply overwhelm the resources available eventually, so some of the problem could also be that your PC is simply running out of resources to block the attack anymore.
You might try to Google for the range of IP addresses associated with private IPs and make 4 rules, 3 with the range of each set of private addresses and one with your very own IP address as the source, and then place them at the top of your rules list. A rule of thumb is to put the rules that get hit the most first, so that fewer resources are used, as the whole list doesn't have to be read each time those rules are hit.
Another thing is to turn off logging, as that takes a lot of resources. Normally on a router you don't turn off the logging, but in this case you said that it was not working anyway, so it might help to save valuable resources on your PC.
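The rule layout the reply recommends (block RFC 1918 sources and your own address as source on the inbound side, keep those rules at the top, and move the most-hit rules to the front) can be modelled in a few lines. The script below is an added example written for this page; it is not Comodo's rule engine and not anyone's posted configuration. It assumes a first-match rule list, a constructed own address of 203.0.113.10 (RFC 5737 documentation space) and a constructed packet sample, and it uses the exact RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) rather than the looser 172.x.x.x shorthand used above. It also counts how many rule comparisons each packet costs, which makes the "most-hit rules first" rule of thumb visible.

```python
"""Ordered inbound source-address block list (added example, not Comodo code).

Anti-spoofing rules: packets arriving from the internet should never carry an
RFC 1918 source or the host's own public address as source. First-match
evaluation, a comparison counter per packet, and a reorder step that moves the
most-hit rules to the front while keeping the catch-all rule last.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the host's own public address (RFC 5737 TEST-NET-3).
OWN_IP = ipaddress.ip_address("203.0.113.10")

# RFC 1918 private ranges. The 172 block is 172.16.0.0/12, not all of 172/8.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Rule:
    name: str
    source: ipaddress.IPv4Network   # matches when the packet source lies inside
    action: str                     # "block" or "allow"
    hits: int = 0


def build_rules(own_ip=OWN_IP):
    """Four anti-spoofing block rules at the top, then a permissive catch-all."""
    rules = [Rule(f"block-src-{net}", net, "block") for net in RFC1918]
    rules.append(Rule("block-src-own-ip",
                      ipaddress.ip_network(f"{own_ip}/32"), "block"))
    # Whatever ordinary rules follow; a catch-all stands in for them here.
    rules.append(Rule("allow-any", ipaddress.ip_network("0.0.0.0/0"), "allow"))
    return rules


def evaluate(rules, src):
    """First-match evaluation. Returns (action, comparisons_made)."""
    src = ipaddress.ip_address(src)
    for n, rule in enumerate(rules, start=1):
        if src in rule.source:
            rule.hits += 1
            return rule.action, n
    return "block", len(rules)   # implicit default deny if nothing matched


def reorder_by_hits(rules):
    """Put the most-hit rules first (the reply's rule of thumb).

    Reordering is only safe among rules that do not overlap; the anti-spoofing
    rules are pairwise disjoint, so they may be sorted freely. The catch-all
    overlaps everything and must stay last, otherwise it would shadow them.
    """
    head, tail = rules[:-1], rules[-1:]
    return sorted(head, key=lambda r: r.hits, reverse=True) + tail


def run_demo(packets, rules=None):
    """Feed a packet sample through the list; return (rules, total comparisons)."""
    rules = build_rules() if rules is None else rules
    total = 0
    for src in packets:
        _, n = evaluate(rules, src)
        total += n
    return rules, total


# Constructed sample: a flood spoofed from 192.168/16 and from our own
# address, plus one genuine peer (RFC 5737 TEST-NET-2).
SAMPLE = (["192.168.1.%d" % i for i in range(1, 11)]
          + ["203.0.113.10"] * 3
          + ["198.51.100.7"])

if __name__ == "__main__":
    rules, before = run_demo(SAMPLE)
    rules = reorder_by_hits(rules)
    _, after = run_demo(SAMPLE, rules)
    print("comparisons before reorder:", before)
    print("comparisons after reorder: ", after)
    print("front of list is now:", rules[0].name)
```

With the constructed sample the spoofed 192.168 packets each cost three comparisons under the original order and one after reordering, so the per-packet cost drops while every packet still gets the same verdict. Under a real flood the saving per packet is small, but it is paid on every packet, which is the reply's point about resources.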