Sunday

Madhan's Tutorial: Firewall (Comodo Firewall)

Madhan's Firewall (Comodo Firewall install and configure)

Comodo Firewall is a free software firewall.
Let us install it and learn the concepts of a firewall along the way.

How can an ICMP flood affect the working of a server?

How to block a DoS attack using Comodo Firewall?

TCP flood, UDP flood and ICMP flood attacks happen when thousands of packets are sent from a spoofed source IP address to a victim's machine. The victim's machine automatically sends back a response to these requests (a SYN packet) and waits for an acknowledgment (an ACK packet). But because they were "sent" from a spoofed IP address, the victim's machine never receives any responses or acknowledgment packets. This results in a backlog of unanswered requests that begins to fill up the victim's connection table. When the connection table is full, the victim's machine refuses to accept any new connections, which means your computer will no longer be able to connect to the Internet, send email, use FTP services, etc.

By default, Comodo Firewall is configured to accept TCP, UDP and ICMP traffic up to a maximum rate of packets per second for a set duration of time. The defaults for all three protocols are 20 packets per second for a continuous duration of 20 seconds. If these thresholds are exceeded, a DoS attack is detected and the Firewall goes into emergency mode.

The firewall stays in emergency mode for the duration set by the user. By default this is 120 seconds. Users can alter this time length to their own preference by configuring "How long should the firewall stay in emergency mode while the host is under DOS attack?". In emergency mode, all inbound traffic is blocked except for previously established and active connections. However, all outbound traffic is still allowed.
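The threshold and emergency-mode behaviour described above, as an added example (not Comodo's code): a per-protocol packet-rate monitor that enters emergency mode when the rate stays above the default for the default duration, and then drops new inbound traffic while letting established flows and outbound traffic through. The flood is a constructed sample using TEST-NET addresses.

```python
from collections import defaultdict

# Comodo's documented defaults (quoted on the page); the detector itself is a constructed model.
RATE_PPS = 20        # packets per second, per protocol
SUSTAIN_SEC = 20     # seconds the rate must stay above RATE_PPS
EMERGENCY_SEC = 120  # how long emergency mode lasts once triggered


class DosGuard:
    """Per-protocol packet-rate monitor that emulates the emergency mode described above."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))  # proto -> second -> packets
        self.established = set()     # flows (proto, peer) that this host opened itself
        self.emergency_until = None  # time at which emergency mode ends, None if inactive

    def in_emergency(self, t):
        return self.emergency_until is not None and t < self.emergency_until

    def _sustained(self, proto, sec):
        # True when each of the last SUSTAIN_SEC seconds exceeded RATE_PPS for this protocol
        return all(self.counts[proto][s] > RATE_PPS
                   for s in range(sec - SUSTAIN_SEC + 1, sec + 1))

    def outbound(self, t, proto, peer):
        """Outbound traffic is always allowed and marks the flow as established."""
        self.established.add((proto, peer))
        return True

    def inbound(self, t, proto, peer):
        """Return True if an inbound packet at time t (seconds) is accepted."""
        sec = int(t)
        self.counts[proto][sec] += 1
        if not self.in_emergency(t) and self._sustained(proto, sec):
            self.emergency_until = t + EMERGENCY_SEC  # DoS detected: enter emergency mode
        if self.in_emergency(t):
            # only previously established, active connections get through
            return (proto, peer) in self.established
        return True


def simulate_icmp_flood(pps=25, seconds=20):
    """Constructed sample: `pps` ICMP packets per second from spoofed TEST-NET sources."""
    guard = DosGuard()
    guard.outbound(0.0, "tcp", "198.51.100.20")  # a session the host opened before the flood
    for sec in range(seconds):
        for i in range(pps):
            guard.inbound(sec + i / pps, "icmp", f"192.0.2.{i}")  # spoofed source addresses
    return guard
```

With the defaults, 25 ICMP packets per second for 20 seconds trips emergency mode near the end of the 20th second; 10 packets per second never does.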

What is a port scan?

How to block the hackers who are trying to port scan your server?

Port scanning, a favorite approach of computer crackers, gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed for weakness.

Comodo Firewall detects the most common forms of port scans, alerting you and temporarily banning the IP address of the scanner, ensuring that they are "cut off" before they can discover any useful information about your system.

Users have the option to configure how long to block incoming traffic from a host suspected of perpetrating a port scan. If a port scan is detected, the Firewall identifies the host scanning your system as suspicious and automatically blocks it for a set period of time, by default 5 minutes. During this time, no traffic is accepted from the host. During these 5 minutes, the suspicious host cannot access the user's system, but the user's system can still access it.
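The port-scan ban described above, as an added example (not Comodo's code): a detector that counts distinct ports probed by each source within a short window, bans that source's inbound traffic for the default 5 minutes, and leaves outbound traffic to it untouched. The scan threshold and window are assumptions, and the log it replays is a constructed sample.

```python
from collections import defaultdict

BAN_SEC = 300       # Comodo's default ban, 5 minutes (from the page)
SCAN_PORTS = 10     # distinct ports probed by one host within SCAN_WINDOW (assumed threshold)
SCAN_WINDOW = 10.0  # seconds (assumed)


class PortScanGuard:
    """Flags a host that probes many distinct ports and bans its inbound traffic for BAN_SEC."""

    def __init__(self):
        self.probes = defaultdict(list)  # src -> [(time, dport), ...] within the window
        self.banned_until = {}           # src -> time the ban expires

    def is_banned(self, src, t):
        return t < self.banned_until.get(src, 0.0)

    def inbound(self, t, src, dport):
        """Return True if an inbound packet from src to dport at time t is accepted."""
        if self.is_banned(src, t):
            return False
        recent = [(pt, p) for pt, p in self.probes[src] if t - pt <= SCAN_WINDOW]
        recent.append((t, dport))
        self.probes[src] = recent
        if len({p for _, p in recent}) >= SCAN_PORTS:
            self.banned_until[src] = t + BAN_SEC  # port scan detected: ban this source
            return False
        return True

    def outbound(self, t, dst, dport):
        """The ban is one-way: this host may still open connections to the scanner."""
        return True


# Constructed sample log, "time src_ip dst_port": one normal client repeatedly
# hitting port 80, and one host sweeping ports 21-30 within a single second.
SAMPLE_LOG = "\n".join(
    [f"{i * 0.5:.1f} 198.51.100.4 80" for i in range(5)]
    + [f"{1.0 + i / 10:.1f} 192.0.2.7 {21 + i}" for i in range(10)]
)


def replay(log):
    """Feed a log through the guard and return it so the ban table can be inspected."""
    guard = PortScanGuard()
    for line in log.splitlines():
        t, src, dport = line.split()
        guard.inbound(float(t), src, int(dport))
    return guard
```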

What is the ARP cache?

How can a hacker attack the ARP cache?

How to protect the server from ARP attacks?

The ARP Cache (or ARP Table) is a record of IP addresses stored on your computer that is used to map IP addresses to MAC addresses. Stateful inspection involves the analysis of data within the lowest levels of the protocol stack and comparing the current session to previous ones in order to detect suspicious activity.

Background: every device on a network has two addresses, a MAC (Media Access Control) address and an IP (Internet Protocol) address. The MAC address is the address of the physical network interface card inside the device and never changes for the life of the device (in other words, the network card inside your PC has a hard-coded MAC address that it keeps even if you install it in a different machine). On the other hand, the IP address can change if the machine moves to another part of the network or the network uses DHCP to assign dynamic IP addresses. In order to correctly route a packet of data from a host to the destination network card, it is essential to maintain a record of the correlation between a device's IP address and its MAC address. The Address Resolution Protocol performs this function by matching an IP address to its appropriate MAC address (and vice versa). The ARP cache is a record of all the IP and MAC addresses that your computer has matched together.

Hackers can potentially alter a computer's ARP cache of matching IP/MAC address pairs to launch a variety of attacks, including Denial of Service attacks, Man in the Middle attacks, MAC address flooding and ARP request spoofing. It should be noted that a successful ARP attack is almost always dependent on the hacker having physical access to your network or direct control of a machine on your network; therefore this setting is of more relevance to network administrators than home users.

Checking this option makes Comodo Firewall start performing stateful inspection of ARP (Address Resolution Protocol) connections. This blocks spoofed ARP requests and protects your computer from ARP cache poisoning attacks.


What is "Gratuitous ARP"?

When I searched the Internet for the pronunciation of this word, I stepped into an excellent site. Please go to this site for the meaning and pronunciation. You will really enjoy this site.

Ok.....mmmm..mm


Gratuitous ARP can mean either a gratuitous ARP request or a gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed.

In a gratuitous ARP request message, the source and destination IP are both set to the IP of the machine issuing the packet, and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Under normal circumstances, no machine will reply to this request.

But......

Gratuitous ARPs are useful in the following conditions:

They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, it knows there is an IP conflict.

When you change the NIC card of your PC, your PC has to send a gratuitous ARP so that all machines in your LAN correct their ARP entries.

When the switch receives this gratuitous ARP, it makes the corresponding modification in its table.

Whenever the PC is booted, it sends a gratuitous ARP. If the Ethernet link is down, a gratuitous ARP is also sent when the link comes back up. (If the Ethernet cable or the NIC has a problem, that PC will generate a lot of gratuitous ARPs.) Courtesy: wireshark.org
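The stateful ARP inspection from the previous section and the gratuitous ARP rules above, as one added example (not Comodo's code): it parses raw 28-byte ARP payloads, accepts a reply only when this host sent the matching request, treats a gratuitous ARP that would overwrite a learned mapping as a poisoning attempt, and raises an IP-conflict alert when someone else announces our address. All IP and MAC addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def build_arp(op, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (used here to construct sample packets)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha.hex(":"), "spa": str(IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(IPv4Address(tpa))}

def is_gratuitous(p):
    # sender and target IP are the sender's own; the request form also carries a broadcast target MAC
    return p["spa"] == p["tpa"]

class ArpInspector:
    """Accept ARP replies only when they answer a request this host sent; flag poisoning."""
    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.pending = set()  # IPs we asked about and have not heard back from yet
        self.cache = {}       # our ARP cache: ip -> mac

    def sent_request(self, target_ip):
        self.pending.add(target_ip)

    def received(self, payload):
        """Return (verdict, reason) for an inbound ARP packet, updating the cache if accepted."""
        p = parse_arp(payload)
        if is_gratuitous(p):
            if p["spa"] == self.my_ip and p["sha"] != self.my_mac:
                return "alert", "ip-conflict"      # another host claims our IP address
            if self.cache.get(p["spa"], p["sha"]) != p["sha"]:
                return "drop", "gratuitous-remap"  # would silently overwrite a learned mapping
            self.cache[p["spa"]] = p["sha"]        # NIC change / link-up announcement: learn it
            return "accept", "gratuitous"
        if p["op"] == REPLY:
            if p["spa"] not in self.pending:
                return "drop", "unsolicited-reply"  # the classic cache-poisoning vector
            self.pending.discard(p["spa"])
            self.cache[p["spa"]] = p["sha"]
            return "accept", "reply"
        return ("accept", "request") if p["tpa"] == self.my_ip else ("ignore", "not-for-us")
```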


Now a question for you.....

If you can answer correctly, then you have understood the exact meaning of INBOUND and OUTBOUND traffic.

Question: Comodo Firewall has been installed on your PC and you have configured it so that ALL INBOUND IP TRAFFIC TO THE APPLICATION "IEXPLORE.EXE" is BLOCKED (see the configuration screenshot below).

Now the question is: if I try "google.com" using Internet Explorer from the same PC, will I get google.com or not?

Answer:

You will still get google.com. You have to block the outgoing connection, not the incoming one. When you type google.com in the browser, the browser makes an OUTGOING CONNECTION, not an incoming connection.

Now, the second question for you!

In Comodo Firewall, you set the GLOBAL rules as shown here:

Block all outgoing IP traffic

But you set the APPLICATION rules like this:

Allow all outgoing IP traffic of the Iexplore.exe application.

The question is whether you will get google.com using Internet Explorer or not.

Scroll down to see the answer:

        |
        |
        |

still down please....

        |
        |
        |

Answer:

No, you will NOT get google.com. Even though the application rules allow the traffic, it also has to pass through the global rules.

Confused? See the given figure.

Still confused? Don't worry. Come back to the same place tomorrow and read it again. :)
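Both questions above, as one added example (not Comodo's code): a small rule evaluator in which a connection has a direction and must be allowed by the application rules AND the global rules, exactly as the answer states. The first-match ordering and the "allow when no rule matches" default are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "block"
    direction: str    # "in", "out" or "any"
    app: str = "*"    # application rules name a program; global rules apply to every app ("*")


def first_match(rules, app, direction, default="allow"):
    """Rules are ordered and the first matching one decides (assumed; default when none match)."""
    for r in rules:
        if r.app in ("*", app) and r.direction in ("any", direction):
            return r.action
    return default


def permitted(global_rules, app_rules, app, direction):
    """A connection is allowed only if the application rules AND the global rules allow it."""
    return (first_match(app_rules, app, direction) == "allow"
            and first_match(global_rules, app, direction) == "allow")


def browse(global_rules, app_rules, app="iexplore.exe"):
    """Typing google.com into the browser opens an OUTBOUND connection; the replies
    ride on that same connection, so nothing here counts as an inbound connection."""
    return permitted(global_rules, app_rules, app, "out")


# Question 1: all INBOUND IP traffic to iexplore.exe blocked, no global rules.
Q1_GLOBAL, Q1_APP = [], [Rule("block", "in", "iexplore.exe")]
# Question 2: global rule blocks all outgoing, application rule allows iexplore.exe outgoing.
Q2_GLOBAL, Q2_APP = [Rule("block", "out")], [Rule("allow", "out", "iexplore.exe")]
```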
