IDS? IP Spoofing?

zammy · May 11, 2008, 5:00am

hello every1
This is my 1st post and I hope its in right place. Ive a question. Does Comodo block / acts against IP Spoofing attacks. Right now im using Kaspersky Internet Security and for some reasons wana switch to Comodo Anyways I would like to know does IDS system of comodo blocks Helkren.worm etc attacks and IP spoofing, Im gonna post screenshot of Kaspersky Firewall msg

http://img230.imageshack.us/img230/5738/screenva4.th.jpg

Thanks

Zammy

salmonela · May 11, 2008, 6:10am

CPF can “Do Protocol Analysis”, I think this feature of Comodo should be able to analyze IP headers which is key to catch IP spoofing, altho Im not sure CFP can do this (it is not specifically documented in “help” someone more experienced than me should confirm this)

For malware triggered connections and specific ports used in process, you will need to add it by yourself…

zammy · May 11, 2008, 7:21am

what is IP spoofing actually? How does Comodo work against it or can it? Also after seeing Kaspersky screenshot that ive posted which result a person can get? PC is on secure side? PC isnt on secure side? There is chance of breaking in? If according to that msg Attack is blocked but PC isnt this actually means what ?

Waiting for reply

Thanks

Zammy

salmonela · May 11, 2008, 8:06am

Mr. zammy, why you do not search on wikipedia or just google a little for some answers before posting here?
For Kaspersky 7 (does not know on 2009), you have predefined ports which are blocked per worm etc. which uses it, it is not science only thing you should do to have similar protection in CFP is to copy it from Kaspy rules to global rules in CFP (it will be long and dull process).

Also there is many apps. (torrent) which can try to receive through blocked/worm ports but this does not mean your PC is infected.

gibran · May 11, 2008, 10:11am

That alert means that the AV detected the worm not if the packet was spoofed (forged Source IP).

CFP will block automatically inbound connection if no app is listening.
Usually those connections are listed under Windows Operating system in CFP Log.

salmonela · May 11, 2008, 10:59am

That alert means that FW part of Kaspersky blocked connection through port which is predefined by Kaspersky, which can be triggered by any other application not just actual worm.

And yes, that has nothing to do with IP spoofing.

gibran · May 11, 2008, 12:53pm

If KAV only identifies threats by port number then there would be not much concern for intrusion.win.mssql.worm which affects Microsoft SQL Server 2000 and IMHO this identification method is a bad practice.

It would be way better to update the operating system.

zammy · May 11, 2008, 5:12pm

well Im using Vista Ultimate with SP1 and fully updated

gibran · May 11, 2008, 5:53pm

That’s good to hear.

Like salmonela said an AV preventing connections on well-known ports used by malwares could also affect connections not triggered by specific malwares.

Many worms are usually coded after a patch is released and exploit details published so updating the OS and stopping unneeded services will lessen the chances for infection.
mssql.worm it’s a buffer owerflow exploit that target a listening MSSQL service on a machine.

IP spoofing is kinda like email sender forging done by some malwares. In these cases it is done to limit the chances for someone to track the source of the infection.

I wrote poorly my previous post.
Sorry about that.