Hi, I noticed a lot of unusual activity on my broadband modem earlier so I checked my firewall's security log and it had this...
Denial of Service "Ping of Death" attack detected.
Time: 28/02/2008 21:04:35 (occurred again at 21:23:58)
Security Type: Denial of Service
Severity: Major
Direction: Incoming
Protocol: ICMP
(Some other info but I'm not sure if it's safe to list it)
Description: In a Ping of Death attack, the hacker uses a packet with a size that is larger than the normal standard. When your system encounters a packet of this size, it often crashes, hangs, or reboots.
As soon as I saw this I disconnected my internet for 20 minutes as I wasn't sure if my firewall was blocking the attack or not. When I reconnected it the same attack happened again.
Are there any security scans I should do following this?
Also, when I right click on the log for both attacks I get 2 options:
- Back Trace
- Stop All Active Responses
Can you tell me what the latter option does and when it should be used please.
I've checked my firewall's help files but can't see anything about it.
First of all, I need to inform you that some routers (especially those that use active security mechanisms or wireless ones) might trigger false attacks. As an example, let's take a wireless router that has WPA2 and TKIP protection. As TKIP assigns every data packet a separate encryption key, the packets become mutated and might be recognized as attacks.
However, in order for me to make sure this is the case, I will kindly ask you to send me copies of your firewall rules and logs, as well as an "ipconfig /all" output. I highly recommend you email me with these logs at alex_sarchiz@bullguard.com, instead of posting them on the forum. Here's what you need to do:
A.
- Go to Start > Run.
- Type: cmd
- Press the [Enter] key from your keyboard. This will open a command prompt window.
- Type: ipconfig /all
- Press [Enter] again.
- After the Windows IP Configuration is displayed, right click the command prompt window and choose "Select All".
- Press [Enter] and close the window.
- Create a new e-mail and place the mouse cursor in that new window.
- Press the Ctrl+V keys from your keyboard - this will paste the Windows IP Configuration into your email.

B.
- Open the BullGuard application and go to the Firewall section.
- Make sure the User Level is set to Advanced then go to the Logs tab.
- Right click inside the Logs window and select the option "Dump internal rules".
- This will create a new log on your desktop called "BgFwRules".
- Attach this log to the e-mail that contains the Windows IP configuration.

C.
- Right click again inside the Logs window and select the option "Explore logs folder".
- Locate the log created for today, in the window that appears.
- Copy the log to your desktop.
- Attach the log to the e-mail as well then submit the results to me for examination.
As for your other inquiries, here is what the two features actually do:
Back Trace - it traces all packets back to the sender, allowing you to find out sensitive information from the source (such as real IP address - in case of a spoof, real MAC, and so on).

Stop all Active Responses - the active response services or rules are a set of preconfigured instructions that will automatically trigger once an attack is detected. Think of it as UPnP for firewall. Using that function will stop all Active Responses from triggering.
If you have any other questions, you can contact us via the forum, Live Chat or email, at support@bullguard.com

Alex Sarchiz
Senior Support Technician
support@bullguard.com
www.bullguard.com
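The firewall description quoted in the first post says a Ping of Death packet is "larger than the normal standard". The sketch below is an added example, not part of either post and not BullGuard's code: it shows the size check a filter can apply to each IPv4 fragment before reassembly. The function names, the header builder and the sample addresses are constructed for illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits wide

def build_ipv4_header(total_length, frag_offset_units, more_fragments, proto=1):
    """Constructed sample: a 20-byte IPv4 header (checksum left at 0).
    proto=1 is ICMP; the addresses come from documentation ranges."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))

def reassembled_end(header):
    """Byte position at which this fragment would end inside the
    reassembled datagram: header length + fragment offset + payload."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    offset = (flags_frag & 0x1FFF) * 8  # offset field counts 8-byte units
    return ihl + offset + (total_len - ihl)

def is_oversized_fragment(header):
    """True when accepting this fragment would push the reassembled
    datagram past the 65535-byte limit, so it should be dropped."""
    return reassembled_end(header) > MAX_IP_DATAGRAM

if __name__ == "__main__":
    samples = {
        "ordinary 84-byte echo request": build_ipv4_header(84, 0, False),
        "middle fragment of a large but legal ping": build_ipv4_header(1500, 185, True),
        "last fragment placed near the 64 KB boundary": build_ipv4_header(1500, 8189, False),
    }
    for label, hdr in samples.items():
        verdict = "DROP" if is_oversized_fragment(hdr) else "ok"
        print(f"{verdict:4} end={reassembled_end(hdr):5}  {label}")
```

Each fragment on its own is a normal-sized packet, which is why the check has to use the fragment offset rather than the packet length alone.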