Comodo Endpoint Security Manager

CIS Configuration Guide v 1.6

Attack Detection Settings



Comodo Firewall's advanced detection settings help protect the computer against common types of Denial of Service (DoS) attack. When launching a denial of service or 'flood' attack, an attacker bombards a target machine with so many connection requests that the computer is unable to accept legitimate connections, effectively shutting down the web, email, FTP or VPN server.

  • Click on Attack Detection Settings in Firewall > Advanced Tasks to open the 'Attack Detection Settings' interface.



The Attack Detection Settings area allows administrators to configure the protection parameters in two sections:

  • Intrusion Detection tab

  • Miscellaneous tab



Intrusion Detection tab

Options – Intrusion Detection section

Option – Description

TCP Flood / UDP Flood / ICMP Flood

Flood attacks happen when thousands of packets of data are sent from a spoofed IP source address to a target machine. The target machine automatically sends a response to each of these requests (SYN packets) and waits for an acknowledgment (an ACK packet). But, because the requests were "sent" from a spoofed IP address, the target machine never receives any responses / acknowledgment packets. This results in a backlog of unanswered requests that begins to fill up the target's connection table. When the connection table is full, the target machine refuses to accept any new connections - which means the computer is no longer able to connect to the Internet, send email, use FTP services etc. When this happens repeatedly from multiple sources it floods the target machine, which can hold only a limited number of unacknowledged responses, and may cause it to crash.

By default, Comodo Firewall is configured to accept traffic using the TCP, UDP and ICMP protocols at a maximum rate of packets per second for a set duration of time. The defaults for all three protocols are 20 packets per second for a continuous duration of 20 seconds. The number of packets per second and the maximum duration for which the firewall accepts packets at this rate can be reconfigured to the administrator's preference. If these thresholds are exceeded, a DoS attack is detected and the firewall goes into emergency mode.

The firewall stays in emergency mode for the duration set by the administrator. By default this is 120 seconds. Administrators can alter this time length to their own preference by configuring 'How long should the firewall stay in emergency mode while the host is under DOS attack?'. In emergency mode, all inbound traffic is blocked except for previously established and active connections. All outbound traffic is still allowed.

How long should a suspicious host be automatically blocked after it attempts a port scan?

Port scanning, a favorite approach of computer crackers, gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed for weaknesses.

Comodo Firewall detects the most common forms of port scans, alerting the administrator and temporarily blocking and banning the IP address of the scanner, ensuring that they are "cut off" before they can discover any useful information about the system. 

Administrators have the option to configure how long to block incoming traffic from a host suspected of perpetrating a port scan. If a port scan is detected, the Firewall identifies the host scanning the system as suspicious and automatically blocks it for a set period of time - by default 5 minutes. During this time, no traffic is accepted from the host: the suspicious host cannot access the administrator's system, but the administrator's system can still access it.
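The timed block described above, as an added example that is not part of the original guide: a small Python model in which a host that touches many distinct local ports within a short window is treated as a scanner, its inbound traffic is dropped for the page's default of 5 minutes, and outbound traffic to it still passes. The detection heuristic (10 distinct ports within 5 seconds) and the IP addresses are assumptions; the guide does not describe how Comodo recognises a scan.

```python
from collections import defaultdict

BLOCK_SECONDS = 5 * 60  # page default: a suspicious host is blocked for 5 minutes
SCAN_PORTS = 10         # assumed heuristic: this many distinct ports from one host ...
SCAN_WINDOW = 5.0       # ... within this many seconds counts as a port scan


class PortScanGuard:
    """Detects a port scan and blocks the scanner's inbound traffic for a set time (added example)."""

    def __init__(self, block_seconds=BLOCK_SECONDS):
        self.block_seconds = block_seconds
        self.touches = defaultdict(list)  # src ip -> [(time, dst port)] recent inbound contacts
        self.blocked_until = {}           # src ip -> time its block expires
        self.alerts = []                  # (src ip, time) of each detected scan, for the administrator

    def is_blocked(self, src, t):
        until = self.blocked_until.get(src)
        if until is not None and t >= until:
            del self.blocked_until[src]   # block period has elapsed
            until = None
        return until is not None

    def inbound(self, src, dport, t):
        """Verdict for an inbound packet from src to local port dport at time t: 'accept' or 'drop'."""
        if self.is_blocked(src, t):
            return 'drop'                 # no traffic is accepted from a blocked host
        recent = [(ts, p) for ts, p in self.touches[src] if t - ts <= SCAN_WINDOW]
        recent.append((t, dport))
        self.touches[src] = recent
        if len({p for _, p in recent}) >= SCAN_PORTS:
            self.blocked_until[src] = t + self.block_seconds
            self.alerts.append((src, t))  # alert the administrator and start the block
            self.touches[src] = []
            return 'drop'
        return 'accept'

    def outbound(self, dst, t):
        """The local system may still reach a blocked host; only its inbound traffic is dropped."""
        return 'accept'
```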

How long should the firewall stay in emergency mode whilst the host is under DOS attack?

When a DoS attack is detected, the Firewall goes into emergency mode for a fixed period of time - set by default to 120 seconds. Administrators can configure the length of time to their own preferences.
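The flood thresholds from 'TCP Flood / UDP Flood / ICMP Flood' and the emergency-mode behaviour described above, as an added example (not Comodo's implementation): the page's defaults of 20 packets per second sustained for 20 seconds trigger 120 seconds of emergency mode, during which new inbound traffic is dropped while established connections and outbound traffic still pass, and a second at or under the rate resets the count. Treating the rate as 'more than 20 packets in a one-second bucket' is an assumption.

```python
from collections import defaultdict

DEFAULT_RATE, DEFAULT_DURATION, DEFAULT_EMERGENCY = 20, 20, 120  # page defaults: 20 pkt/s for 20 s, then 120 s

class FloodDetector:
    """Models the TCP/UDP/ICMP flood thresholds and emergency mode (added example, not Comodo's code)."""

    def __init__(self, rate=DEFAULT_RATE, duration=DEFAULT_DURATION, emergency=DEFAULT_EMERGENCY):
        self.rate, self.duration, self.emergency = rate, duration, emergency
        self.counts = defaultdict(lambda: defaultdict(int))  # proto -> second -> inbound packets seen
        self.runs = {}               # proto -> (first, last) second of the current over-rate run
        self.emergency_until = None  # time at which emergency mode ends, or None when not active

    def in_emergency(self, t):
        if self.emergency_until is not None and t >= self.emergency_until:
            self.emergency_until = None  # the emergency period has elapsed
        return self.emergency_until is not None

    def _record(self, proto, t):
        sec = int(t)
        self.counts[proto][sec] += 1
        if self.counts[proto][sec] != self.rate + 1:
            return  # act only at the moment a second first exceeds the allowed rate
        first, last = self.runs.get(proto, (sec, sec))
        if last != sec - 1:
            first = sec  # a second at or under the rate breaks the continuous run
        self.runs[proto] = (first, sec)
        if sec - first + 1 >= self.duration:
            self.emergency_until = t + self.emergency  # DoS detected: enter emergency mode

    def inbound(self, proto, t, established=False):
        """Verdict for an inbound packet of `proto` at time t (seconds): 'accept' or 'drop'."""
        if not self.in_emergency(t):
            self._record(proto, t)
        if self.in_emergency(t) and not established:
            return 'drop'  # only previously established, active connections still pass
        return 'accept'

    def outbound(self, proto, t):
        return 'accept'  # outbound traffic is still allowed while in emergency mode


def simulate(pps, seconds, proto='TCP'):
    """Send `pps` inbound packets per second for `seconds` seconds; returns (detector, last time)."""
    det, t = FloodDetector(), 0.0
    for sec in range(seconds):
        for i in range(pps):
            t = sec + i / 1000
            det.inbound(proto, t)
    return det, t
```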

Protect the ARP Cache

Checking this option causes Comodo Firewall to perform stateful inspection of ARP (Address Resolution Protocol) connections. This blocks spoofed ARP requests and protects the computer from ARP cache poisoning attacks.

The ARP Cache (or ARP Table) is a record of IP addresses stored in the computer that is used to map IP addresses to MAC addresses. Stateful inspection involves the analysis of data within the lowest levels of the protocol stack and comparing the current session to previous ones in order to detect suspicious activity.

Background - Every device on a network has two addresses: a MAC (Media Access Control) address and an IP (Internet Protocol) address. The MAC address is the address of the physical network interface card inside the device, and never changes for the life of the device (in other words, the network card inside the PC has a hard coded MAC address that it keeps even if it is installed in a different machine). On the other hand, the IP address can change if the machine moves to another part of the network or the network uses DHCP to assign dynamic IP addresses. In order to correctly route a packet of data from a host to the destination network card it is essential to maintain a record of the correlation between a device's IP address and its MAC address. The Address Resolution Protocol performs this function by matching an IP address to its appropriate MAC address (and vice versa). The ARP cache is a record of all the IP and MAC addresses that the computer has matched together.

Hackers can potentially alter a computer's ARP cache of matching IP / MAC address pairs to launch a variety of attacks including Denial of Service attacks, Man in the Middle attacks, MAC address flooding and ARP request spoofing. It should be noted that a successful ARP attack is almost always dependent on the hacker having physical access to the network or direct control of a machine in the network - therefore this setting is of more relevance to network administrators.

Block Gratuitous ARP Frames

A Gratuitous ARP frame is an ARP Reply that is broadcast to all machines in a network and is not in response to any ARP Request. When an ARP Reply is broadcast, all hosts are required to update their local ARP caches, whether or not the ARP Reply was in response to an ARP Request they had issued. Gratuitous ARP frames are important as they update the machine's ARP cache whenever there is a change to another machine on the network (for example, if a network card is replaced in a machine on the network, then a gratuitous ARP frame informs the administrator's machine of this change and requests that it update its ARP cache so that data can be correctly routed). Enabling this setting blocks such frames, protecting the ARP cache from potentially malicious updates.
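Both ARP settings above as an added example (not Comodo's code): a parser for the 28-byte Ethernet/IPv4 ARP payload and a guard that lets a reply update the cache only when it answers a request this host actually sent, and drops gratuitous replies (broadcast target, or sender IP equal to target IP) when that option is on. The MAC and IP addresses used in the test are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = '!HHBBH6s4s6s4s'   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (RFC 826 layout)
REQUEST, REPLY = 1, 2
BROADCAST = 'ff:ff:ff:ff:ff:ff'

def build_arp(op, sha, spa, tha, tpa):
    """Construct a 28-byte Ethernet/IPv4 ARP payload (used to make the sample frames)."""
    mac = lambda s: bytes.fromhex(s.replace(':', ''))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), IPv4Address(spa).packed,
                       mac(tha), IPv4Address(tpa).packed)

def parse_arp(payload):
    """Parse a 28-byte Ethernet/IPv4 ARP payload into its fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError('not an Ethernet/IPv4 ARP frame')
    mac = lambda b: ':'.join(f'{x:02x}' for x in b)
    return {'op': op, 'sha': mac(sha), 'spa': str(IPv4Address(spa)),
            'tha': mac(tha), 'tpa': str(IPv4Address(tpa))}


class ArpGuard:
    """Stateful ARP inspection for the two settings above (added example, not Comodo's code)."""

    def __init__(self, protect_cache=True, block_gratuitous=True):
        self.protect_cache, self.block_gratuitous = protect_cache, block_gratuitous
        self.pending = set()  # IPs this host has asked for and not yet resolved
        self.cache = {}       # the ARP cache: ip -> mac

    def sent_request(self, ip):
        self.pending.add(ip)

    def received(self, payload):
        """Apply both settings to an incoming ARP frame; returns the action taken."""
        a = parse_arp(payload)
        if a['op'] == REQUEST:
            return 'request'  # requests are answered elsewhere and never update the cache here
        gratuitous = a['tha'] == BROADCAST or a['spa'] == a['tpa']
        if gratuitous and self.block_gratuitous:
            return 'blocked:gratuitous'   # unsolicited broadcast reply: dropped before it touches the cache
        if not gratuitous and self.protect_cache and a['spa'] not in self.pending:
            return 'blocked:unsolicited'  # reply to a request we never sent: treated as a spoof
        self.pending.discard(a['spa'])
        self.cache[a['spa']] = a['sha']   # legitimate reply (or permitted gratuitous frame) updates the cache
        return 'updated'
```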

 



  1. To reconfigure the Traffic Rate and Duration of TCP Flood, UDP Flood and ICMP Flood, if necessary, use the corresponding up / down buttons.

  2. To block a suspicious host for a particular duration, use the up / down button to set the minutes in the 'How long should a suspicious host be automatically blocked after it attempts a port scan?' field.

  3. To set how long the firewall stays in emergency mode during a DoS attack, use the up / down button to set the seconds in the 'How long should the firewall stay in emergency mode whilst the host is under DOS attack?' field.

  4. Select the respective checkboxes to 'Protect the ARP Cache' and to 'Block Gratuitous ARP Frames'.



Miscellaneous tab

Checkbox Options – Miscellaneous section

Option – Description

Block fragmented IP Datagrams

When a connection is opened between two computers, they must agree on a Maximum Transmission Unit (MTU). IP datagram fragmentation occurs when data passes through a router with an MTU smaller than the MTU in use, i.e. when a datagram is larger than the MTU of the network over which it must be sent, it is divided into smaller 'fragments' which are each sent separately. Fragmented IP packets can create threats similar to a DoS attack. Moreover, fragmentation can double the amount of time it takes to send a single packet and slow down the download time.

Comodo Firewall is set by default to block fragmented IP datagrams, i.e. the option 'Block Fragmented IP Datagrams' is checked by default.

Do Protocol Analysis

Protocol Analysis is key to the detection of fake packets used in DoS attacks. Checking this option means Comodo Firewall checks that every packet conforms to its protocol's standards. If not, the packets are blocked.

Do Packet Checksum Verification

Every packet of data sent to a machine carries a checksum. With this option enabled, Comodo Firewall recalculates the checksum of the incoming packet and compares it against the checksum stated in the packet. If the two do not match then the packet has been altered since transmission and Comodo Firewall blocks it. Although this feature has security benefits, it is also very resource intensive and the Internet connection speed may take a large hit if checksum verification is performed on each packet. This feature is intended for use by advanced administrators and Comodo advises against enabling it.
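The fragment and checksum checks from 'Block fragmented IP Datagrams' and 'Do Packet Checksum Verification', as an added example (not Comodo's code): it parses a constructed IPv4 header, drops fragments by the MF flag or a non-zero fragment offset, and, when verification is on, recomputes the RFC 791 header checksum and drops a packet whose header was changed after the checksum was computed. Only the IP header checksum is shown here; the helper that builds sample packets and the addresses in the test are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

IP_FMT = '!BBHHHBBH4s4s'  # ver/ihl, tos, total length, id, flags+offset, ttl, proto, checksum, src, dst
MF_FLAG = 0x2000          # "more fragments" bit of the flags/fragment-offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset (in 8-byte units)


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, checksum field taken as zero."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back into the low 16 bits
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ident=1, more_fragments=False, frag_offset=0, proto=17, payload=b''):
    """Construct a minimal IPv4 packet (20-byte header, correct checksum) as sample input."""
    flags_off = (MF_FLAG if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:] + payload


def inspect_ipv4(packet, block_fragments=True, verify_checksum=False):
    """Apply the two options to one packet; returns 'accept' or 'drop:<reason>'."""
    vihl, _, _, _, flags_off, _, _, csum, _, _ = struct.unpack(IP_FMT, packet[:20])
    if vihl >> 4 != 4:
        return 'drop:not-ipv4'
    header = packet[:(vihl & 0x0F) * 4]  # IHL counts 32-bit words; options lengthen the header
    fragmented = bool(flags_off & MF_FLAG) or (flags_off & OFFSET_MASK) != 0
    if block_fragments and fragmented:
        return 'drop:fragment'  # first fragment has MF set, later ones a non-zero offset
    if verify_checksum:
        zeroed = header[:10] + b'\x00\x00' + header[12:]
        if ipv4_checksum(zeroed) != csum:
            return 'drop:bad-checksum'  # header no longer matches what the sender computed
    return 'accept'
```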

Monitor other NDIS protocols than TCP/IP

This forces Comodo Firewall to capture packets belonging to any protocol driver other than TCP/IP. Trojans can potentially use their own protocol driver to send / receive packets; this option is useful to catch such attempts. It is disabled by default because it can reduce system performance and may be incompatible with some protocol drivers.

 



  1. Select the checkboxes for the appropriate options.

  2. Click the Restore button to reset all the values if necessary.

Note: The Restore button is enabled only if changes have been made to the existing settings.

 

 



Comodo Endpoint Security Manager | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.


© Comodo Group, Inc. 2013. All rights reserved.