Unprotected PCs will be attacked instantly


Blue Velvet

Moderator emeritus
Jul 4, 2004
21,652
123
That's really interesting and should be a wake-up call to many people.

But unfortunately, the very people (i.e. my XP-using broadband-subscribing best friends sister & her kids) who would be vulnerable are the least likely to hear anything about this story.

Glad to see the Mac was not compromised. :D
 

AmigoMac

macrumors 68020
Aug 5, 2003
2,064
0
l'Allemagne
As said before: :D

...One I posted about a customer and will tell you again: the guy was never a computer user and heard a lot of good things about the internet and music and videos and whatever he could do in his free time. I told him to buy a Mac, but as always he heard a lot of BS about Macs and decided on an XP-based PC... voilà, bought, plugged in, started, connected, and in less than 3 min he got Sasser ... :p It was Saturday and he had to wait till Monday to find me and organize his PC... good start!
 

applekid

macrumors 68020
Jul 3, 2003
2,098
0
It's still messy how we're getting attacked nearly as much as the XP SP1 machine was. What does it mean?

Sure, the OS X machine was sound even with all of those attacks, but how can those other OSes receive far fewer attacks?
 

moot

macrumors regular
Jun 30, 2004
170
0
in the great Asian wonderland
applekid said:
It's still messy how we're getting attacked nearly as much as the XP SP1 machine was. What does it mean?

Sure, the OS X machine was sound even with all of those attacks, but how can those other OSes receive far fewer attacks?
I'm not sure, but I think that some firewalls can hide their PC in stealth mode. So you become sort of invisible to everyone out there.

I think (but don't know) that the standard firewall in OS X doesn't have Stealth. So they can see us and try to get in. But, of course, fail miserably. :D
 

space2go

macrumors regular
Feb 5, 2004
162
0
moot said:
I'm not sure, but I think that some firewalls can hide their PC in stealth mode. So you become sort of invisible to everyone out there.

I think (but don't know) that the standard firewall in OS X doesn't have Stealth. So they can see us and try to get in. But, of course, fail miserably. :D
'Stealth' is in Tiger's firewall and it is **** (just like on windoze).

As for the number of attacks, they seem to have deducted those the firewall caught, as they were no longer a danger.
But then the number for OS X should have been 0 from the start.
Of course, a lot of the things those personal firewalls report aren't attacks either.
 

iMeowbot

macrumors G3
Aug 30, 2003
8,643
0
applekid said:
Sure, the OS X machine was sound even with all of those attacks, but how can those other OSes receive far fewer attacks?
The attack attempts were surely still there (at least the probing will still happen), but the firewall suppressed them.

Really, I think it's just plain stupid to try to connect any computer directly to the Internet these days. At the very least, throw a little NAT router in front, that pretty much eliminates all the attacks of the type described in the article.
 

shamino

macrumors 68040
Jan 7, 2004
3,386
130
Purcellville, VA
Hardware firewall.

An absolute necessity. Even if you only have one computer in your home, buy a cheap gateway router. Otherwise, how are you going to download Microsoft's service packs before the first attack hits?
 

fabsgwu

macrumors regular
May 6, 2003
229
0
Washington, DC
I thought OS X comes with the firewall on out of the box... I could be wrong, but at any rate, it's very easy to turn on.

nagromme said:
So I assume they set the Mac up WITHOUT using OS X's built-in Firewall? (Macs may ship with ports closed but I've never seen one with the Firewall On out of the box. A simple one-click activation though.)

Related (from August):
http://news.com.com/Study:+Unpatched+PCs+compromised+in+20+minutes/2100-7349_3-5313402.html?part=rss&tag=5313402&subj=news.7349.20
 

Mav451

macrumors 68000
Jul 1, 2003
1,657
0
Maryland
heh, XP SP2 + FF/TB (1.0) + H/W Firewall (e.g. router); I haven't gotten anything.

*knocking on wooden desk here*

However, I am really starting to feel sad for many of my friends who are still stuck on using XP SP1, and some don't even HAVE SP1 (*shock*). Those are the users who are compromised and become zombie machines for the next DDoS attack.
 

redAPPLE

macrumors 68030
May 7, 2002
2,614
2
2 Much Infinite Loops
so, do i now have to activate all firewall options in system preferences? i just activated "personal file sharing" and "itunes music sharing".

others are deactivated.
 

Savage Henry

macrumors 65816
Cyberintrusions are fast becoming an ingrained part of the Internet. Compromised PCs fueled a 150% surge in suspicious security activity per machine per day in the third quarter of this year, compared with a year ago.
In the olden days you only needed a six-month-old hard disk copy of a piece of reputable virus software and the occasional password.

I predict we are just 3 years away from each user needing to submit a DNA test in order to write an 'if' statement in Excel!

Personally, I use a HW firewall at home (the AirPort Extreme), and I'd have to admit that the one we have at work on the XP boxes seems to be pretty strong.
 

steveh

macrumors 6502
Sep 12, 2002
294
0
redAPPLE said:
so, do i now have to activate all firewall options in system preferences? i just activated "personal file sharing" and "itunes music sharing".

others are deactivated.
Which means that you have just the two open, all the other ports are closed.

The default state with the firewall turned on is closed, you don't have to "activate" a port to close it.
 

mkrishnan

Moderator emeritus
Jan 9, 2004
29,641
12
Grand Rapids, MI, USA
So anyone care to do a FAQ tutorial for me? I looked around for information on how to set up the firewall in the AEBS for good security and I just have no idea what I'm doing. I've got my OS X firewall going, but I'm not sure exactly what the AEBS is doing.... :(
 

granex

macrumors member
Jul 23, 2002
82
0
fabsgwu said:
I thought the OS X comes with the firewall on out of the box... I could be wrong, but at any rate, it's very easy to turn on.
Just got a new iMac G5 (which is great, by the way) and the firewall was definitely off. I was a bit surprised, but then turned it on. It does block AirTunes and such without a bit of tweaking, so maybe they thought it was better to have almost all of the ports turned off rather than having a general firewall running. (You can easily enable the iTunes-related network activity, by the way.)

I have the hardware firewall and the software firewall set up, and I'm running a Mac, so I'm feeling pretty safe at the moment. My son recently destroyed our five-year-old home PC with adware that brought on a virus that brought in more adware. We were moving to a Mac anyway, but this helped us feel much better about it (it will also provide a hammer to crush any game compatibility whining). My current greatest fear is that my 75-year-old father-in-law is going to come down with this crap and I'm going to have to help him fix things from 1,500 miles away.

Apple doesn't want to tout this too hard because of the hubris and because there isn't enough wood at 1 Infinite Loop to keep everyone within close knocking distance. Word of mouth on security together with the iPod mania is generating a great wedge for Apple. At work, I had to decide with buying a couple of new Dells or moving stuff over to Macs. The security side of things finally swung me over to Macs. (I should say back over, as I was an original Macintosh 128 user and a Mac+ owner).
 

shamino

macrumors 68040
Jan 7, 2004
3,386
130
Purcellville, VA
mkrishnan said:
So anyone care to do a FAQ tutorial for me? I looked around for information on how to set up the firewall in the AEBS for good security and I just have no idea what I'm doing. I've got my OS X firewall going, but I'm not sure exactly what the AEBS is doing.... :(
The best way to explain how to set this up is to give a small lesson on what these routers actually do.

Most gateway routers (and I assume AEBS is similar) use NAT (Network Address Translation) to allow everybody on your home LAN to share a single internet connection. In this configuration, the router's WAN port is configured with your ISP-assigned IP address. Typically this is by running a PPPoE or DHCP client, but manual configuration is usually also possible.

The LAN side of the router (including the wireless port) typically works entirely with IP addresses from RFC 1918 private address space. Commonly, the address block 192.168.1.* is used, although some vendors are different and the choice of address block is sometimes configurable. One address will be reserved for the router itself (192.168.1.1 on mine), one for a local-broadcast address (192.168.1.255 on mine) and the rest available for hosts (192.168.1.2 through 192.168.1.254 on mine). You may either statically configure the hosts for particular addresses or you may set up the router to act as a DHCP server that can dynamically assign addresses to your hosts.

When computers on your LAN send packets to the WAN (which is normally the internet), the router rewrites the addresses in the IP header so everybody on your LAN appears to be using the same (ISP-assigned) IP address. Obviously, if you have more than one computer, the router needs to remember which of your hosts initiated each connection, so it knows where to deliver the incoming packets for those connections (since they will all be sent to the same ISP-assigned address). It does this by snooping all the TCP control messages and maintaining a table of LAN-side address/port combinations that map to WAN-side address/port combinations. This table is updated every time a TCP connection is created or destroyed.

Now, if a packet arrives from the WAN and there is no matching entry in this table, the packet is discarded. The router has to do this, because it has no way of knowing which host on your LAN to send it to.

This simple fact (the previous paragraph) is what makes plain old NAT a reasonably good firewall. Attempts by computers on the internet to initiate connections with your LAN will always fail, because the router has no mapping table entry to know what to do with those packets.

Of course, the real world isn't quite as simple as this.

Some protocols (like active-mode FTP) request the remote site to initiate a connection to you. When you give a "get" command, your host starts listening on a port, and tells the remote node to create a connection to that port. This obviously won't work with NAT in the way, because there is no mapping for that incoming connection, and NAT is going to change the port numbers. One workaround (in this example) is to use passive-mode FTP, which has the local host creating all connections. Another is that the router can have some application-specific knowledge about the FTP protocol, snoop the FTP control-channel packets, rewrite some of them, and add/remove mapping entries.

Modern routers have application-specific knowledge for a variety of common protocols. This is not normally a security breach, because these mappings are only created in response to requests from computers on your LAN, which is usually considered a trusted source.

Now, if you're running a server (say, a web server) on your LAN and you want to allow the internet to connect to it, you obviously need a mapping to allow those connections. Something that will map a WAN-port (80 for web servers) to LAN-port 80 on one of your local hosts. You can usually configure these through the router's setup utility. Every mapping you create, however, is a potential security hole, so you want to make sure you only create them for services that you explicitly want to make available to the internet. And you want to make sure the server software is kept up to date with all of its latest security patches.

Obviously, if you configure your own port mappings, you need to configure a static LAN-side IP address on the computer. Otherwise that computer's address may change to something incompatible with the mapping.

Recently, a spec called Universal Plug and Play (UPnP) was invented to allow LAN-side servers to use dynamic addresses. With this spec, the computer's operating system can direct the router to create port mappings when server software starts listening for connections. IMO, UPnP is a big security hole. I make a point of disabling it on my routers.

FWIW, here's my home LAN configuration. I have one (and only one) port mapping on my firewall. I map WAN-port 22 (SSH login) to my Mac's port 22 so I can do a remote-login from work. On the computers themselves (there are six nodes on my LAN), I don't run any firewall software. This way, the computers can freely access each other, but none can be accessed from the internet.

As long as I keep my SSH server up to date with the latest security patches (which Apple is pretty good about updating), the result is a LAN secure from external break-in. (Of course, a firewall does nothing about viruses/worms received in e-mail. But a firewall is only supposed to be one piece of a security solution, not all of it.)
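As an added example (not part of shamino's post, and not any router vendor's code), here is a small Python model of the NAT mapping table he describes: a LAN-initiated connection creates a table entry, a reply that matches the entry is rewritten and delivered to the right LAN host, an unsolicited packet with no entry is discarded, and a single static port mapping (WAN port 22 to one LAN host's port 22, as in his setup) is the one way an inbound connection gets through. Every address and port below is a constructed sample value from the documentation ranges.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal TCP-style packet: just the addresses and ports NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy NAT gateway: one public (WAN) address shared by a private LAN."""

    def __init__(self, wan_ip: str, port_forwards: Optional[dict] = None):
        self.wan_ip = wan_ip
        # Static mappings configured by the owner: wan_port -> (lan_ip, lan_port).
        self.port_forwards = dict(port_forwards or {})
        # Dynamic table, populated only by connections that start on the LAN.
        self.out_map = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.in_map = {}   # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._next_port = itertools.count(40000)  # constructed WAN port pool
        self.dropped = []  # unsolicited packets the router had to discard

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet so it appears to come from the WAN address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.out_map.get(key)
        if wan_port is None:
            wan_port = next(self._next_port)
            self.out_map[key] = wan_port
            self.in_map[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an incoming packet, or drop it when no table entry exists."""
        entry = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            entry = self.port_forwards.get(pkt.dst_port)
        if entry is None:
            self.dropped.append(pkt)  # nowhere to send it: discard
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

    def close(self, pkt: Packet) -> None:
        """Remove the mapping when a LAN-initiated connection is torn down."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.out_map.pop(key, None)
        if wan_port is not None:
            self.in_map.pop((wan_port, pkt.dst_ip, pkt.dst_port), None)


def demo():
    """Walk through the four cases the post describes and return the outcomes."""
    router = NatRouter("203.0.113.10", port_forwards={22: ("192.168.1.10", 22)})
    # 1. A LAN host opens a web connection; the reply matches the table entry.
    out = router.lan_to_wan(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    reply = router.wan_to_lan(Packet("198.51.100.5", 80, router.wan_ip, out.src_port))
    # 2. An unsolicited probe from the internet to a port with no mapping: dropped.
    probe = router.wan_to_lan(Packet("198.51.100.99", 4444, router.wan_ip, 445))
    # 3. Inbound SSH hits the explicit port forward and reaches the Mac.
    ssh = router.wan_to_lan(Packet("198.51.100.7", 50123, router.wan_ip, 22))
    # 4. After the connection closes, a late packet for the old mapping is dropped.
    router.close(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    late = router.wan_to_lan(Packet("198.51.100.5", 80, router.wan_ip, out.src_port))
    return out, reply, probe, ssh, late, len(router.dropped)


if __name__ == "__main__":
    for label, result in zip(("out", "reply", "probe", "ssh", "late", "dropped"), demo()):
        print(label, result)
```

The model deliberately keys the dynamic table on the remote address and port as well as the translated WAN port, so a reply is only delivered from the peer the LAN host actually talked to; the static entry in `port_forwards` is the one deliberate hole, which is why the post stresses keeping the service behind it patched.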
 

mkrishnan

Moderator emeritus
Jan 9, 2004
29,641
12
Grand Rapids, MI, USA
Shamino, thank you so much! I knew some, but not all of what you wrote, and you did a really nice job of making it understandable. :)

So if I can mooch a few more questions :p, I still don't quite understand a couple of things. Right now I have my AEBS in DHCP+NAT mode, and I have not input *any* port mappings on the server myself. Am I correct that all of these port mappings refer to LAN-incident transmissions, that is, ones that come from the WAN into the LAN? Is the AEBS set up so that if I do not manually create these port mappings, no activity can be initiated from outside the LAN? So does this mean it's basically in a fairly high security mode from the start?

Regarding ports that let LAN-incident transmissions through, such as an FTP or telnet initiated from the WAN, it seems like I want to have this kind of protection in the hardware firewall, since there are other devices on the network, like my ReplayTV, which do not have software firewalls, and I do not have any kind of service where I need to initiate from the WAN (well, at some point I'm curious to see if I can gateway into the LAN and access the ReplayTV from out of home using DVArchive, but.... :D ). So for traditional home stuff that's all initiated in the LAN and not the WAN, do I basically not need any ports open at all?

And is it correct to think of the hardware firewall security overriding the software, in the sense that even if a port is setup to accept an incoming transmission on the software firewall, if the hardware firewall blocks it, it will never get to the computer? (Unless of course it starts in the LAN)

One last question. On my PC, I used ZoneAlarm, and one nice feature it had was to notify me whenever a previously unauthorized program tried to send an internet transmission. Mostly this caught spyware. Well, that PC is clean now, and uses Firefox :) so that issue is mostly gone. But is this kind of thing very necessary on Mac OS X? I guess there isn't that much spyware out there....