Sunday 25 April 2010

What is "ping", and what does its output tell me?


Summary: One of the oldest diagnostic tools, ping simply validates connectivity from point A to point B and doing so provides additional useful information.

Sometimes when I search for solutions for my home networking problem, I frequently see some people suggesting that I ping my PC by IP and/or by computer name. What does PING command actually do? What's the point of using this command? How do we read and understand the results (sent, received, and lost) of the packets?
Ping is perhaps one of the oldest and most basic network diagnostic tools. In concept the tool is very, very simple: it sends out an "are you there?" kind of request, and expects to hear back a "yes, here I am!" kind of response.
Very basic, very simple, and yet very powerful as a first line of network diagnosis.

The ping command runs in a Windows Command Shell (or a Linux/Mac/BSD/Solaris/etc. terminal window - it's a very ubiquitous command), and has a very basic syntax at it's core:
ping domain_name
For example, if you open up a command window and type in "ping google.co.in", you'll see something like this:
[C:\]ping google.co.in

Pinging google.co.in [209.85.231.104] with 32 bytes of data:

Reply from 209.85.231.104: bytes=32 time=111ms TTL=50
Reply from 209.85.231.104: bytes=32 time=101ms TTL=50
Reply from 209.85.231.104: bytes=32 time=96ms TTL=50
Reply from 209.85.231.104: bytes=32 time=99ms TTL=50

Ping statistics for 209.85.231.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 96ms, Maximum = 111ms, Average = 101ms
"the tool is very, very simple: it sends out an 'are you there?' ... and expects to hear back a 'yes, here I am!'"
There's a lot of information here, and I'm not going to get into all the geeky details, but here are some of the basic, and important things that ping does:
  • "Pinging google.co.in [209.85.231.104]" - Ping only pings IP addresses so the first thing it did when I asked it to ping "google.co.in" is it looked up the corresponding IP address. This is perhaps one of the quickest ways I know of to determine the IP address associated with a domain. Also, if this look-up fails, you'll know that there's a typo in the domain name, or the domain name look-up (DNS) is failing for some reason.
  • "Reply from 209.85.231.104:" - this tells you that the remote server at that IP address replied, obviously. What that means, though, is that the entire route across the internet, from your machine through routers and switches and networking equipment and whatever else, worked. As did the return path carrying the server's reply. If this fails, ("timed out") then something along the connection between you and the server might be broken, the server might be off line, or the server might not even exist. It's also possible that the server is explicitly configured not to respond to ping requests.
  • "time=101ms" - this is the round trip time; the time between sending the "are you there?" and receiving the "yes I am!". In this case, 101 milliseconds. Since the ping is repeated several times you can see that this time is fairly consistent, which is good. The time will vary depending on many factors including how close you are to the remote server, how many routers and other networking equipment are in between you and that server, and more. In the example above, the ping was from me in the Seattle area to the google! server housed in India. A quick test of a ping to a server in Japan resulted in times twice as long.
  • "Sent = 4, Received = 4" - one of the things that TCP/IP is designed to deal with is packet loss. Ideally, every packet you send should get to where it's going, but for various reasons that doesn't always happen. As long as the packets can get there after a retry or two, in normal usage you'd never notice. Ping sends multiple packets and reports specifically on the success rate, so that you can see if a particular connection is prone to packet loss.
  • "Approximate round trip times" - while on average the same kind of packet sent to the same destination should take roughly the same amount of time, that's also not always the case. Sometimes for reasons as diverse as the equipment and paths that the packets take, some take longer than others. Ping reports these statistics so that you can see if a particular connection is prone to this type of problem.
Ping also includes several options (type "ping -?" for a list), but the simplest use as above is probably the most common.
There's one usage that is not intuitive, and yet something I use all the time. As you've seen above, ping can be used to quickly translate an domain name into its corresponding IP address (i.e. "google.co.in" into "72.3.133.152"), but it can also do the reverse:
[C:\]ping -a 72.3.133.152

Pinging pugetsoundsoftware.com [72.3.133.152] with 32 bytes of data:

Reply from 72.3.133.152: bytes=32 time=67ms TTL=47
...
Using the "-a" switch to ping, and giving it an IP address, ping does what's called a reverse lookup and displays a domain name that is assigned to that IP address. This is very handy at times since many IP addresses are also assigned fairly descriptive domain names.
Note: in the example above you'll see I used the IP address for "advcomp.co.cc", and yet ping reported that IP as being "google.com". This is simply because any single IP address can be assigned any number of domain names, so ping just reports the first one it finds. For a more complete list of domain names associated with an IP address you'll need to use a service like MyIPNeighbors, which given an IP address will list the domains that share that IP address, and likely all reside on the same server.
Aside from a quick tool for DNS and reverse-DNS look-ups, ping is most commonly used simply to verify basic connectivity between two machines. The ping service is typically one of the first, and simplest services to be loaded onto a server, and runs independently of any other. It's not uncommon at all for a server who's websites are inaccessible because of a software problem to still respond to a ping. That typically helps determine that there's not a connectivity problem, but rather a problem on the server itself.
It's also worth noting that some servers actively disable responding to ping requests for assorted security related reasons. For example, even though the server is most definitely up and running, you typically cannot ping "microsoft.com", but on the other hand you can ping "google.com". In fact, pinging a site like "google.com" or "yahoo.com" is often a quick way to ensure that your own internet connection is, in fact, working.
Posted by at No comments:
Labels: , ,

How can I tell if my computer's been accessed by someone else, and how do I prevent it?


Summary: Internet security is normally about keeping us safe from the internet - but what if the risks and threats are in our home and on our own local network?

How can I tell if my flatmates have accessed or are accessing my computer? We have a BT homehub and we share the connection wirelessly, but I have the Norton firewall on. I don't know if the firewall only protects my computer from the intruders outside our network. I've heard it's easy for other people sharing the same wireless network to sneak into each others' computers. How is it done and how can I prevent it?
Let's see, you're worried about outside intruders accessing your system, you're worried about your privacy, and you're worried about your wireless connection.
What you've just described is the internet itself but just on a smaller scale.
It should be no surprise then that many of the concepts that used to protect ourselves from the people we don't know out on the internet would be used to protect ourselves from the people we do know sharing our internet connection.
In most cases I don't recommend a software firewall in addition to a hardware firewall such as a router. Normally you can draw the line of trust at the shared connection to the internet that the router provides. Everything inside of that line can be trusted. Everything outside of that line? Not so much.
In this case, however, you don't trust the people that share your internet connection. That's a very valid assumption and often a good one to make.
In a case like this you pretty much have to treat your connection as if your machine were connected directly to and sitting naked on the internet.
In other words, turn on that firewall on your machine. It places the line of trust at your machine's network connection; everything outside of your machine is not trusted. That means it should protect you from everything that might come in from the internet, of course, but also anything attempted by any of the other machines on your local network.
With the firewall on, you're not done. You still need to take all the normal precautions for internet safety and keeping your machine safe.
"Remember: if your machine isn't physically secure then it's not secure."
But there's still more.
Remember: if your machine isn't physically secure then it's not secure. Can your roommates walk up to your machine and access it when you're not around? It's not secure. Can they insert a boot disk and reboot the machine? Then it's not secure. Can they unplug your keyboard and insert an inconspicuous device that might log your keystrokes? Then your machine is not secure.
In terms of security if any of those are true you're at risk. How much of a risk is a determination only you can make, but at least be aware of it.
And then there's the wireless connection. If the access point is "open", meaning that no WEP or WPA password is required to establish a wireless connection, then even with all the security we've talked about so far your wireless communications can be sniffed. That means everything you're doing on the internet could be monitored. With an open Wifi access point it's exactly like being in a coffee house open Wifi hotspot: anyone could be listening in.
And finally, if all that weren't enough, who controls the router? Whoever has access to the router could be using it to monitor your traffic as well. Or worse, depending on the capabilities of the router.
It's all pretty scary, isn't it?
I certainly don't want to make things seem worse than they are. Much of your real risk depends on your roommates technical expertise (or access to others with that expertise), as well as just how much you trust him or her.
And to finally answer your first question: sadly there really isn't a practical way to determine if your computer has been accessed. Prevention is the only pragmatic way to address the risk. Certainly if your computer is modified in some way by malware that can usually be detected by the appropriate scanners, but if someone simply copies or views a document there's no reliable way to tell.
So figure out how much you trust the other people on your network and/or living situation and take action accordingly.
But I'd certainly leave the firewall turned on.
Posted by at No comments:
Labels:

How do I make sure that Windows is up-to-date?


Summary: You can make sure that Windows is up-to-date by either enabling Automatic Updates or by visiting the Windows Update web site.

How do I make sure that Windows is up-to-date?
It seems like every week there's news about some newly discovered vulnerability or bug fix in Windows. And of course the stories tell us that we should all rush out and install the fixes immediately or the world will come to and end.
Or something like that.
In fact, Microsoft does announce updates weekly. With that rapid a rate, how should you stay on top of things and make sure that your system is up to date?
There are several options.
Microsoft provides a service that runs on your machine and - on terms you control - automatically checks for Windows updates. Once found, it can then download and install them for you.
The specific labels vary slight across Windows versions, but to configure automatic update click on Windows Update in the Windows Control Panel.
In Windows 7, this is the Windows Update options dialog:


You have four basic options controlling how Automatic Update works:
  • Never check for updates - as you might expect this basically turns the Automatic Update feature off.
  • Check for updates but let me choose whether to download and install them - with this setting, Windows Update will only check the Microsoft site for updates, and if there are any that apply to your machine, it will alert you, and nothing more. You can then choose to download and install, or not.
  • Download updates but let me choose whether to install them - with this approach, Windows Update will check the Microsoft site for updates and actually download any that apply. Once downloaded, you're notified that they're available and can initiate the install at your convenience.
  • Install updates automatically - finally, you can just have Windows Update do it all, on a schedule you can define. Check, download, and install as soon as updates are available. (Note that depending on the updates you receive, your machine may be rebooted as part of this process.)
In Windows 7 you can also control whether or not the process should include both important and recommended updates, or just important. (You can still receive important and other updates by visiting the Windows Update web site, which I'll discuss below.)
Windows 7 also allows you to specify that all users can install system updates via Windows Update, and wether or not Windows Update should also update other Microsoft software on your machine (aka "Microsoft Update" as opposed to just "Windows Update").
For what it's worth, I like to know what's happening to my machine(s) before it happens so I typically select the "Download, but let me choose" option.
Many people find the concept of Automatic Updates a little too spooky or intrusive. Others just want to have even more control over exactly what happens when. And of course there are folks who are using older versions of Windows.
For all these people there's the Windows Update web site.
The first time you visit Windows Update, it'll download a component onto your machine that handles the inspection of your current Windows versions. That list is then compared against the latest releases and you'll informed of the differences. You can then select which components to install.
Posted by at No comments:
Labels:

So do I need the Windows Firewall or not?


Summary: You do need a firewall and particularly if you aren't behind a router the Windows Firewall is one option.

I'm really confused. With the new Windows XP SP2 Security Alert System, do we still need a firewall to stop outbound traffic? If we get a router, (LINKSYS), does that take care of everything, which means we need to disable Windows Firewall to avoid false alarms?
There's a lot of misunderstanding about firewalls, routers, and other security software. When Windows XP service pack two was released it definitely put security and particularly the firewall, "in your face". Subsequent releases of Windows now also include the firewall and turn it on by default.
It's a great opportunity to find out what you need ... and what you don't need.
A firewall filters network traffic. A previous article "What's a firewall, and how do I set one up?" covers this in more detail, but the bottom line is that a firewall primarily protects you from certain classes of incoming network-based problems.
"If you're not behind a router or other firewall, you'll want to turn on the Windows firewall."
Every computer should be behind a firewall of some sort.
In general, hardware firewalls, typically provided by NAT routers, keep malicious network traffic from ever reaching your computer, whereas software firewalls, such as the Windows Firewall, discard malicious traffic after it has actually arrived at your computer.
But you don't need both.
If you have a router with network address translation, or NAT, enabled (most consumer grade routers do, by default) then there's no need to enable the Windows firewall. In fact, you can tell the new Windows Security Center that you'll manage your firewall yourself.
If you're not behind a router or other firewall, you'll at least want to turn on the Windows firewall. This is what I do when I take my laptop with me on the road - not being sure of exactly what I'm connecting to, the firewall protects me from network based threats.
Now, one word in the original question is worth a comment: "outbound".
Consumer grade routers will keep you safe from threats that are incoming from the network, but will not filter or warn you of any malware already on your machine attempting to connect out. The Windows firewall has a limited amount of outbound traffic alerts, and other software firewalls that you can install separately to use instead of the Windows Firewall can be configured with a wide array of outgoing protection.
There's a wide variety of opinion on this, but personally, I'm quite happy simply behind a router and with no outgoing threat monitoring.
But regardless, you do need a firewall; be it an external router, a software package that you install, or at a minimum simply enabling the Windows Firewall already present on your machine.
Posted by at No comments:
Labels:

What's a firewall, and how do I set one up?


Summary: A firewall is critical to keeping your internet connected computer safe. We'll review what a firewall is and the two different types of firewalls.

I keep hearing the term "firewall" and how I need one when I connect my computer to the internet. What's a firewall, why do I need one and how do I set one up?
The bottom line is that a large class of viruses and other types of malware can be prevented simply by using a good firewall.
What's a firewall? Well, in your car it's the "wall" of metal behind the dashboard that sits between you and the engine. Its purpose is to prevent engine fires from roasting you and your passengers.
A firewall for your computer is much the same - its purpose is to keep you from getting burned.

A firewall is at its core very simple: it blocks or filters certain types of network traffic from reaching your computer.
"A firewall is at its core very simple: it blocks or filters certain types of network traffic ..."
What do I mean by "certain types"? There's network traffic you do want to reach your computer: like the pages of web sites you visit or the software you might download. And then there's other traffic you might not want like malicious people or computers trying to access your computer remotely or viruses and worms trying to infect your machine.
A firewall knows the difference. It lets the good stuff in and keeps the bad stuff out.
Firewalls can also usually be configured; they can allow you to say "this kind of connection from the outside is OK". A good example is remote desktop. A firewall may by default block any attempt to connect via remote desktop. But you can also configure the firewall to allow that type of connection to come through. Doing so you would be able to access your computer from another computer, be it across the room or across the internet. But even though you've allowed one type of traffic - remote desktop - other types of traffic like certain types of viruses are still blocked.
Some firewalls will also monitor outgoing traffic for suspicious behavior.
One characteristic of many viruses is that once you're infected they attempt to establish connections to other computers in order to spread. Many software firewalls will detect and either warn you or simply prevent those attempts.
And that leads to a very important distinction. There are two types of firewalls: hardware and software.

  • hardware firewall is just that - a separate box that sits between you and the internet that performs the filtering function. Traffic that is filtered out never even reaches your computer. Even the least expensive broadband router can perform the function of a firewall quite nicely. The downside for a hardware device is that most will not filter outgoing traffic.

  • software firewall is a program that runs on your computer. It operates at the very lowest level, as close to the network interface as possible, and monitors all your network traffic. While all network traffic still reaches your machine, the firewall prevents malicious traffic from getting past it and on to the operating system. The firewall prevents your system from actually noticing or doing anything with malicious traffic.
The good news is that all versions of Windows after XP have a software firewall built in, and all versions after Windows XP SP2 have it turned on by default. In fact, the security center will take steps - perhaps even annoying you in the process - to ensure that the firewall is either turned on or that you're aware of the risks in not having it turned on.
The bad news is that a firewall can't protect you from everything. A firewall is focused on protecting you from threats that arrive via malicious connection attempts over the internet. A firewall will not protect you from things you invite onto your machine yourself such as email, attachments, software downloads and removable hard drives.
But even so, protecting from those network threats is important.
In general, I recommend a hardware firewall such as a broadband router and leaving the Windows firewall turned off. However, regardless of your approach, be it a router, be it the Windows firewall, or be it some other software or hardware solution, some kind of firewall is always a necessary part of keeping your computer safe when connected to the internet.
Posted by at No comments:
Labels:

Does my router have a firewall or not?


Summary: Most routers both do, and do not, have a firewall. The good news is that the protection offered by a router's firewall is often exactly what you need.

I purchased and installed a broadband router. Specifically, a wireless Linksys WRT54G. I thought this provided a firewall and I had planned to uninstall Norton Systemworks which is giving me problems. However, the router does not appear to include a firewall. It does not need any sort of configuration like Norton, such as sites to let through or to block. I have looked all through the documentation and no mention of a firewall.
Did I buy a model without a firewall or was I mistaken about a router including a firewall?
Your router does, and does not have a firewall.
And I totally understand that this is confusing.
I'll try to clear it up...
One of the things that your router does is allow you to share your internet connection. By that I mean you can take a single internet connection that's designed to connect to only one computer, add a router, and then through the router connect several computers who can then use that single internet connection.
The way this happens is that your internet IP address, which is used to route data to you when you surf the internet, is assigned to the router instead of a computer. The router then assigns local IP addresses to each of the computers you have connected to it. The router then also takes care of making sure that the data sent to and from the internet is routed to and from the correct computer on the local network.
"... computers on the internet are completely blocked from connecting to computers behind a router."
One side effect of this approach, called Network Address Translation, or NAT for short, is simply this: no computer from outside your local network can initiate a connection to a computer on the inside of your local network.
Put another way: computers on the internet are completely blocked from connecting to computers behind a router. (You can create exceptions, of course, using something called "port forwarding" and/or "DMZ" settings in the router configuration.)
In this regard, the router is acting like an inbound firewall. In fact, it's acting so much like one that we simply refer to it as being a firewall.
Now, in the strictest sense, your router is not truly a firewall. Two key components are missing:
  • Your router does not attempt to block any outgoing connections or data. A true firewall will typically examine outbound connections as well as incoming. In fact, a great deal of the configuration you referred to in your question is typically defining to a firewall exactly who on your computer is allowed to make an outboundconnection.
  • Your router does not inspect the data that's routing, other than to make sure it's headed to the correct computer. Firewalls are often configurable to the extent that you can allow not just certain types of connections, but also allow, or block, certain types of data over those connections. In the extreme a firewall could actually incorporate anti-virus checking and block anything that was found to be carrying a virus.
So in that regard your router is not a true firewall.
So what do you need?
In my opinion: if you can trust all the computers on your local network, a NAT router provides 99.9999% of what you actually need in a firewall. Blocking external threats is by far the single most important role of a firewall these days; so much so that every one should have some kind of firewall, no matter what.
In my opinion a software firewall is simply not needed in this case. Blocking outgoing traffic sounds important, but in reality, if you have outgoing traffic that needs to be blocked, then either you need to change your system's configuration not to try to do whatever it's doing, or you are already infected with malware. In the later case, it's too late. The firewall did not prevent you from getting infected. At best it might have prevented you from infecting someone else, but even that is suspect.
Now, you'll notice I emphasized the phrase if you can trust all the computers on your local network. That's the one exception to the "software firewalls not needed" guideline. For example let's say you share your computer connection with your children who don't understand internet safety and are constantly getting their computer infected. In a case such as this, where you cannot trust some other machine that shares your local network with you, then you probably do need a firewall to protect you. And let's be clear; that firewall is not to protect you from the internet -- your router does that -- but from that other machine. And once again, what really matters here is blocking unwarranted incoming connections. As far as I'm concerned if the firewall lets you disable monitoring of outgoing connections, you can.
So if you're in that "safe" situation, then yes, in your shoes I would uninstall that software firewall and rely on the protection of my NAT router.
In fact, that's exactly what I do here at home.
Posted by at No comments:
Labels:

Do I need a firewall, and if so, what kind?


Summary: Firewalls are a critical component of keeping your machine safe on the internet. There are two basic types, but which is right for you?

I keep hearing about "firewalls" for my computer and that there are different types. Do I need one? If I do, what kind of firewall do I need?
The very short, very easy answer is: hell yes! Absolutely, positively you need a firewall.
With all that happens on the internet these days it's simply too risky to let your computer sit "naked" on the internet unless youreally know what you're doing.
The real question is then: what do you need?
Heck, it's even possible you already are behind a firewall and don't need anything more.
Realize that a firewall is about protecting you and your computer from them where "them" means "the malicious folk on the internet".
A correctly configured incoming firewall does not block your access out to the internet. You should be able to browse the web, for example, without interruption. The firewall prevents access from somewhere on the internet toyour computer. That's not to say people can't send you email; they can because you access your mail through the internet by going out to get it when you download it. It does mean that people can't copy files directly to your PCor cause programs to be run on your machine remotely.
"... it's simply too risky to let your computer sit 'naked' on the internet unless you really know what you're doing."
Step one is to check with your ISP. Some actually do provide a certain amount of firewalling. AOL, if I'm not mistaken, is a fairly good example: they've set up their own private network and internet access is tightly controlled. The good news is that you may be well-protected. The bad news is that you have no control over it.
Most ISPs, however, do not provide any kind of firewall. What you get from them is a direct connection to the internet. That gives you the most flexibility and control but it also places the burden of protection in your lap.
The next question is do you need a hardware firewall - an additional device you place between your computer and your internet connection - or a software-based firewall - a program that you install on your PC?
In my opinion, if you connect via broadband such as cable or DSL then there's no question at all: broadband routers are inexpensive and act as firewalls providing an exceptionally high level of protection quite literally right out of the box. They're typically easy to set up and also have the flexibility to be carefully configured for more advanced uses such as running a web server from behind your firewall. I like the hardware approach because the routers are devices dedicated to their task and do not interfere with - nor can they be compromised by - your computer. You can read more about routers and how I'd set up a home network. Remember, a router will work just fine even if you have only one computer.
If you are on dialup or have some other reason for not wanting to go the hardware route there are software firewalls as well. In fact, Windows XP, Vista and 7 all include one by default. Even if you do nothing else and you're not sure what you really want to do, you should simply make sure that the Windows Firewall is turned on. Check in the "Security Center" in Control Panel.
There are many other popular firewall packages, though I typically recommend against all-in-one "Internet Security Suites" as provided by many manufacturers. Instead, a dedicated firewall such as Comodo or others might be well worth investigating.
One of the biggest differences with software firewalls, particularly third party offerings is the ability to provideoutbound protection. As I said above, a firewall's primary job is to protect your computer from internet based threats. However, if you've been compromised an outbound firewall will often prevent the attack from spreading from your computer to others, and will alert you when something suspicious has happened. While I don't typically view an outbound firewall as absolutely necessary, it's another part of the puzzle that's at least worth considering.
Finally, when you believe you're protected or even if you know you're not visit Gibson Research and run "Shields Up", a vulnerability analysis. It will try to access and analyze your computer from the internet and will list for you exactly how you are vulnerable. It tends to be a tad alarmist in its wording, and getting a perfect score is almost impossible, but it's valuable information to help you decide if you need to take additional steps.
Posted by at No comments:
Labels: ,

Is an outbound firewall needed?


Summary: Many software firewalls will alert you on suspicious outbound connections. The biggest problem is that if correct, by then it's too late.

Isn't an outbound firewall really important in many situations? I deliberately installed a free version of a key logger on my system and ran thorough scans through my anti virus and anti spyware programs. But the running key logger wasn't detected even though the key logger icon was right there in the system tray.
You have said that when an outbound firewall stops something it is already too late. But don't you think outbound firewall might stop a key logger from at least sending logs to an email or remote computer? Or would it not?
A firewall with outbound detection can have a place, I suppose, but you've captured my thoughts already: if it finds something to detect, then it's too late.
Let's review what it means to be an outbound firewall, why I don't value them all that much, and perhaps why your key logger wasn't detected.
Firewalls protect you from the certain classes of bad things out on the internet.
Note that's "protect you from them". That implies that the primary function of a firewall is to prevent bad stuff "out there" from reaching or affecting your computer.
My preference is to use a hardware device such as a router with NAT (Network Address Translation) enabled. This does an incredibly effective job of hiding your computer from outside access. You can connect out, but outside computers cannot initiate a connection without your having explicitly configured your router to allow it.
Using a router also takes the burden of that work off of your computer. In fact, a single router can act as a single effective inbound firewall for all the computers that are connected behind it.
An "outbound" firewall looks for threats originating on your computer attempting to connect out to the internet. In a sense, it's "protecting them from you". While that may be very generous of you to protect everyone else from your computer, the real difference is that it will presumably block and more importantly tell you when something suspicious is happening so that you can take corrective action.
"My preference is to use a hardware device such as a router with NAT ..."
Outbound firewalls have several shortcomings, both technical and conceptual:
  • It's too late. As you pointed out, if an outbound firewall detects something that is, in fact, malicious in nature it's because your machine is already infected. Something in your inbound defense failed and your machine has acquired some form of malware. Yes, I suppose it'd be nice to know, but in fact those very inbound defenses - firewall and anti-malware scanners - should have already either prevented or detected the problem. With adequate inbound protection, an outbound firewall is redundant.
  • It's intrusive. Outbound firewalls are only practically available as components of software firewalls that you install on your machine. As such, these firewalls take up additional resources to do their job. Rather than do that, a router will give you the inbound protection you need without taking up additional resources on your machine.
  • It's frequently wrong. One of the very common complaints about outbound firewalls are warning messages that are either incomprehensible, overly frequent, or don't give the average user enough information to make an informed decision. Frequently, they'll simply report a connection attempt to or from an IP address with little or no additional information. I also commonly see people asking about warnings that arise from totally legitimate processes on their machine accessing the internet for things like software updates or the current time and date. With too many errors, indecipherable messages or false positives, people tend to ignore the warnings after a while, rendering the outbound firewall ineffective.
Now, don't get me wrong: software firewalls do have their place. In particular, when traveling and using open WiFi hotspots I'll absolutely turn on the built-in Windows firewall. Software firewalls are also a good choice if you have no router, or if you cannot trust the other computers that share your router. But in either case that's for the firewall's incoming protection against external threats, not the outgoing.
Is there a case for an outgoing firewall at all? Many experts will disagree with me and say absolutely, that they add a lot of value and that the issues I've raised are simply off target or over-stated. But I remain of the opinion that if an outgoing firewall is, in fact, adding value it's because your incoming protection is inadequate. If you're going to focus additional energy and resources at becoming more secure, I'd much rather have you focus on preventative solutions rather than solutions which will only kick in after it's too late.
Now, about your key logger.
My first reaction is that if it's showing up in the system tray I'm not sure I'd classify it as malware. It's open about what it's doing, and easily visible. A key logger isn't in and of itself necessarily malware - there are many legitimate uses for the technology. So part of my reaction is that I'm not really surprised that it wasn't detected as malware, because it's not behaving like malware.
But lets assume that you did get infected by a truly malicious key logger - one that was attempting to hide, and send all your keystrokes to some overseas hacker. Well, at the risk of repeating myself too many times: it's too late. Your machine has been compromised, and you can no longer trust it; and that includes trusting your firewall. Yes, your outbound firewall might block the transmission - or it might not. The malware could, in fact, include additional code to actually reconfigure your firewall to let the malware's communication through. It's been done.
This is almost worse than having no outbound protection at all. With the outbound firewall you might think you're protected, but in fact you're not. Without an outbound firewall, you know, and you know to focus your efforts on inbound protection to avoid the problem in the first place.
Like I said, I know that others will disagree with me, and I'm sure there'll be some compelling cases made in the comments.
But I'm not convinced, and outbound firewalls are not something I use or advise.
Posted by at No comments:
Labels:

How should I set up my home network?


Summary: Once you add a second computer, you're faced with setting up a network, at least to share the internet connection. Here are some general guidelines.

How should I set up my home network?
You just bought your second computer. Perhaps you purchased a new laptop, a new machine for your spouse, or maybe just another machine for yourself. Now you'd like to be able to connect them all to the internet and it'd be nice to be able to share things like printers or extra disk space among your machines.
You need a LAN, or Local Area Network. There are lots of ways to do it but thankfully there are many straightforward solutions.
The basis of your LAN will be ethernet. The word has a very specific technical meaning but in common use it's simply the technology behind 99% of PC networks. Most computers now come already equipped with an ethernet adapter - it's the squarish hole that accepts what looks like an oversized North American modular phone jack.
Your broadband connection being cable, DSL or something else, will first go through some kind of device typically called a modem (again, somewhat technically inaccurate but it's the common term). The modem's job is to convert the broadband signal to ethernet.
"There are lots of ways to do it but thankfully there are many straightforward solutions."
You'll connect that ethernet from your broadband modem to a broadband router. I've talked about them in a previous article What's the difference between a Hub, a Switch and a Router? Routers control two important things - as the name implies they "route" information between computers on your LAN, and between those computers and the broadband connection to the internet. The other important function if you get what's called a NAT router is that they provide a very efficient firewall - protecting the computers on your LAN from many of the dangers of the internet. As a side effect, a NAT router allows you to place several computers on a broadband connection that's really only designed for one.
As I said earlier, each of your computers will need an ethernet adapter and most will already have them. A cable will run from each computer to the router and from the router to the modem. Each computer will also need to support the TCP/IP communications protocol. TCP/IP is the fundamental "language" of communication on the internet - in fact the IP stands for "Internet Protocol". Windows includes TCP/IP support by default.
Unfortunately, configuration specifics are unique to both your ISP or broadband provider and the specific model of router that you are using, so I can't cover that in detail here. However much like ethernet and TCP/IP being common standards, the configuration I'm outlining here is also very common. Your ISP should be able to provide the information you need and the router will in all likelihood include the documentation needed for this common scenario as well.
I can hear some of you asking about "wireless". If you're starting a home network from scratch, I really recommend getting an integrated wireless base station and router to begin with even if you don't yet have wireless on any computers. The incremental cost is not that much, and wireless is so convenient that it's really likely that you, or perhaps a guest, will someday be looking to connect wirelessly to your LAN. The great news is if you select an integrated router then nothing I've described above changes except that there won't be a cable running to your laptop.
Just like "ethernet" is the standard for wired networking, "802.11b" is the standard for wireless (or WiFi) networking. A new faster standard, "802.11g" is now becoming popular and since it can co-exist with 802.11b many manufacturers are providing equipment which supports both. I recommend springing for the dual-mode integrated wireless router if you can. You'll thank me, if not now, then in a few years.
That's it! Here's a simple diagram of the LAN we've just created:
network diagram
The other question that I can hear you asking is "but what brand of router should I get?". I run LinkSys equipment and have been very happy. In fact you'll find links there to the specific router models I happen to run. While mine are not dual mode (801.11b and g), LinkSys does make them. I've also heard good things about Netgear, 3Com, and US Robotics. My biggest advice is to stick to nationally well known brands.
For more information including tutorials, equipment reviews, and more, visit Practically Networked. It's a great place for your next networking steps.
Posted by at No comments:
Labels:

Why didn't my gigabit network card result in better performance?


Summary: Gigabit network cards hold the promise of faster connections and operations. The key is knowing where your other bottlenecks might be.

I recently installed a Gigabit PCI card on my Dell Windows XP SP2 system. I'm running on a Cable LAN system and was hoping to see at least a small improvement on the 100mbps of the old card. I'm not complaining because everything is as was before the install,just wondering if there is a little tweak I should have carried out to help it along?
It depends on what it was you were expecting to change.
I ran into a very similar situation when I upgraded one of my switches to gigabit and saw only a marginal performance impact. So I started looking into why.
First, let's make sure you've actually covered all the bases.
In order for a gigabit (or 1,000 megabit) connection to happen, the equipment at both ends of the wire need to be gigabit-capable. You indicated that you purchased a gigabit ethernet card, but what's it plugged into? If it's a router or other device that's only capable of 100 megabits, then the connection will happen at the slower speed. You can't force a gigabit into a 100 megabit connection.
Similarly, if you're copying files between two machines, then both machines must have gigabit-capable network connections for you to be able to take advantage of the higher speed.
And if you're expecting your gigabit network card to somehow improve your internet speed, then you're going to be very disappointed. Your internet connection already has a maximum speed - a cable connection might occasionally go as fast as 10, or even 50 megabits, but that's slower than the card you already had! Putting in a faster network card will not speed up the internet connection provided by your ISP.
"Putting in a faster network card will not speed up the internet connection provided by your ISP."
So far I hope all that makes sense.
Now, let me tell you about a scenario that isn't nearly as clear, and had me puzzling over it myself for a while.
My desktop machine came with a gigabit ethernet adapter. I decided to speed up the connection between this machine and a backup machine by installing a gigabit ethernet card in that machine and connecting the two through a gigabit switch.
Now, even though a gigabit per second is 10 times faster than 100 megabits per second, I didn't really expect a 10x increase in speed, there are too many other factors at play. What I didn't expect was that the increase would be more like 2x. My ten-times-faster gigabit connection was copying files machine-to-machine only twice as fast as my 100 megabit connection had.
Clearly the gigabit connection had some effect, since there was a speed up, but it wasn't what I was expecting.
My assumption was that there was another choke point in the system. Just like the gigabit connection to your ISPs internet connection will never be any faster than whatever the ISP gives you, there must be something else in my system that was slower than my newly speed gigabit connection.
And indeed there was. I did some tests and discovered that the gigabit connection was faster than the transfer rate of my hard drives. The hard drives had become the slowest component in that machine-to-machine transfer. While the network was capable of faster speeds it was being held back by the work required to actually get the data on and off my hard drives.
Does this mean that the gigabit network is pointless? Hardly.
While in the past that machine-to-machine copy might have actually saturated my network, since the 100 megabit network was at that point slower than the hard drives and hence the limiting factor for the copy, now the copy could proceed at the hard drive's full speed, and still leave lots of network bandwidth for other traffic. Other machines and other network activities could continue without being nearly as impacted by something that would previously have used up all available bandwidth.
In practice, do you care? Probably not. At least not yet. As always, speeds and needs will increase so that eventually that 100megabit network will seem slower than molasses compared to future technologies.
But for now, for most home and even small business needs, a 100 megabit per second network is plenty.
And upgrading may not even get you the increase you were expecting.
Posted by at No comments:
Labels:

How is my IP address assigned?


Summary: Every device on an TCP/IP network must have a unique IP address. IP addresses are assigned, either automatically by DHCP, or by manual configuration.

Given that IP address must be unique for every computer attached to the internet,how is it possible that we do not plug in IP addresses for the computer we want to connect?
Well, every device connected to the internet must have a unique IP, it's true. And they're assigned one of two ways: static or dynamic. But there's also a useful trick that lets multiple computers share a single IP address ... and that trick is called a router.
Static IP addresses are exactly that: static or unchanging. They are assigned by your network administrator or ISP, and yes, you do have to configure the computer or other internet device manually to respond to that specific address.
But, as you point out, most folks don't need to do that. So how do they get their IP addresses?
Enter the dynamic IP address and "DHCP" or Dynamic Host Configuration Protocol.
Using DHCP (which is the default for Windows TCP/IP connections) the computer broadcasts a special request for an IP address to the network. An upstream device, commonly belonging to your ISP, responds with an IP address that the computer then configures itself to use. Especially when many computers aren't connected continuously, this allows the ISP to reuse the IP addresses of computers that have disconnected from the internet.
If you need your computer to be identifiable on the internet ... for example if you're running a web server or want people to be able to connect to your machine, you'll probably need or use a static IP address. On the other hand, if all you do is connect out to surf or read email, as most users do, then a dynamic IP address is the easiest to configure.
Routers are devices that allow multiple computers to "share" a single IP address. The device that's connected to the internet is the router, and it has a unique IP address. The router can then act as the DHCP server to the local network handing out local IP addresses to the computers connected to it. As traffic flows across the router, it does the job of translating the IP addresses from the local addresses it has assigned, to the external IP address it was assigned, and routing the right bits of data to the right computer ... hence the name.
One of the many side effects of using a router is that it can be assigned a static address on the internet, and hand out dynamic IP addresses locally, vice versa, or any combination.
Posted by at No comments:
Labels:

What is "Limited Connectivity" and how do I fix it?


Summary: "Limited Connectivity" displays when your computer is having problems completing its network configuration. It might as well mean "no connectivity".

I have recently started receiving "limited connectivity" messages at our vacation condo. Looking on the web I've found a jillion ways to fix this problem and can't believe all the advertising. I've found that cycling the repeater that is in our condo will usually clear this problem. What causes it and what do I do when cycling the repeater doesn't work?
"Limited connectivity" happens when your computer can connect to the network ... but it can't.
I know, that wasn't very helpful. But it's actually accurate. Your computer was able to connect the network in one way, but was unable to complete the next step.
"Limited connectivity" happens when:
  • Your computer detects that a network is present and operating. That means that it detects that the network cable is plugged in, or that it was able to connect to a wireless access point.
  • Your computer's request for an IP address went unanswered.
It's that last one that needs a little explanation.
An IP address is how your computer is located on its network. The vast majority of machines are configured to connect to the network using DHCP to get what's called a "dynamic" IP address. That means that rather than permanently assigning a specific IP to that machine, the machine "asks" for an IP address when it connects to the network.
Dynamic IP addresses are simpler to configure, and allow for IP addresses to be re-used when the machines that they were temporarily assigned to are taken offline.
"If you check your IP on your machine and it starts with '169.' that's a made-up IP address."
A DHCP request for a dynamic IP address is very simple: your computer broadcasts to all the devices listening on its network "Would the DHCP server listening please assign me an IP address!". On each such network there should be one device that hears that request and responds with something like "Here ya go: you will be 192.168.1.4 - and by the way, when you want to talk to others on your network, here's some more information, and when you want to send something to the internet, send it here."
In other words your computer gets both its IP address as well as instructions on how to talk to the rest of the world.
At that point your computer is ready to communicate with the world.
So, what happens if no one responds?
Your computer will repeat that request ("Would the DHCP server listening please assign me an IP address!") a few times, and then it'll give up.
And declare that you have limited connectivity.
Connectivity is "limited" because your computer will likely make up an IP address. If you check your IP on your machine and it starts with "169." that's a made-up IP address. Only your computer knows about it, which means that no other computer knows how to contact yours. In addition, your computer doesn't know how to find or send packets to anyone else.
Limited connectivity is extremely limited. In practice, it means no connectivity.
There are scenarios where, if you know what you're doing and you're willing to jump through some hoops, you can actually force communication while you're in this state by doing things like manually configuring TCP/IP settings on your network card. But it's not meant to be a long term solution at all.
So, what do you do?
DHCP is typically handled by your router, or in some cases your broadband modem. If you have a single PCconnected to the internet, it may also be handled by your ISP.
Believe it or not, 90% of the time what you did is exactly right: reboot your router. Sometimes routers just "get into a state" and need to be rebooted. It's silly, and in an ideal world shouldn't be needed, but it is what it is. I probably reboot my router once a month, on average.
Wireless access points, those which are not routers but simply provide the wireless connectivity to a wired network, can sometimes also hiccup and fail in such a way as to cause this problem. I believe it happens when the wireless side of the device keeps working while the wired connection is, for some reason, inoperative. Again, a reboot of the device typically clears this up.
In either case, it's easiest to then reboot your computer(s) to force them to request new IP address assignments from the now functioning router.
If the reboot resolves the problem, but then it reoccurs quickly, I would check with the manufacturer of that device to see if there is new firmware available for it. Even though we think of routers and access points as hardware, they are in fact small computers running programs, and the programs sometimes have bugs. Sometimes those bugs don't manifest until something outside of the device changes. (I've heard anecdotal evidence that the new TCP/IP code in Windows Vista has exposed issues with some routers, for example.)
If your firmware is up to date, and the problem repeats frequently, I would investigate trying a new router or access point to see if that clears things up.
Posted by at No comments:
Labels:

How can I tell what internet activity is happening on my machine?


Summary: Network activity can happen for many reasons from expected to benign to malicious. There are free tools that allow you to easily see what's happening.

How can I tell what internet activity is happening on my machine?
With machines being more or less continuously connected to the internet these days it's easy to find that there are things going across your wire that perhaps you didn't realize or think about. Add malicious and semi-malicious code into the mix such as viruses and spyware, and understanding what's going on becomes even more important.

The good news is that there are tools, both included with Windows, and available for free on-line, that make monitoring your network fairly easy.
Most tools that come with Windows are command-line tools so you'll need to open up a Command prompt. We'll start first by determining the IP address of the machine you're currently on - that information will help you identify your own machine in some of the other tools later on. Type "ipconfig" and you should get output similar to this:
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
The IP address here is 192.168.1.107. Note: because I use a NAT router as my firewall that 192. address is not an actual address on the internet. That's part of the security a NET router provides - using NAT your IP address is specific to your local network - only the router actually sees your "real" internet address.
Netstat is a simple tool that will show you the currently open TCP/IP (internet protocol) connections. Type "netstat" and you should get output something like this:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    LEO:1051               205.188.10.56:5190     ESTABLISHED
  TCP    LEO:1059               hal-m021c.blue.aol.com:5190  ESTABLISHED
  TCP    LEO:2387               baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357               192.168.1.2:3389       ESTABLISHED
"LIFE" is the name of my machine which as we saw above has the IP address 192.168.1.107 on my local network. The two lower entries here show connections to aol.com (I'm running AIM, AOL's Instant Messenger) and to msgr.hotmail.com (I'm also running MSN Messenger). The other two connections identified by only an IP address remain a mystery for the moment.
Now we'll move on to a freeware tool called TcpView from the folks as SysInternals. Download and run it and you'll get a window that shows you information very similar to netstat except with much more information that's continually updated.
TcpView Screen Shot
Here you can see that the connections are listed along side the running program that initiated the connection. TcpView also does a better job of name resolution and we can see that our connection to AIM actually is using two TCP/IP connections including one of the mystery connections from above. "msnmsgr.exe" is MSN's instant messenger as we saw above. And we now also see that the remaining connection is generated by an application called MSTSC.EXE which is the Microsoft Terminal Services Client - also known as the Remote Desktop Client. I have a remote desktop connection to my laptop in another room and that's what this connection is all about.
So far we've only seen connections and not traffic. That's often enough to expose an application or spyware that's communicating over the net when you don't expect it.
This next tool will tell more about the conversations happening across those connections though it'll easily overwhelm you with data. TDIMon will show you every request being made across the network. It won't show you the data with each request but it will show you the application making it and a few other characteristics of the request.
When you run TDIMon you'll find that there's a lot of network activity even when you're doing nothing and even if you're not connected to the internet. "explorer.exe" will show up often, for example. This is because Windows will use the network to communicate not only across the internet but also with other machines on your local network and in some cases even with itself.
The best way to use TDIMon is to have it log it's output to a text file, an option that's found on TDIMon's File menu. Run it for a little while collecting data and then stop it and examine the log file with a text viewing utility such as notepad. You can probably ignore all the extra network protocol specific information unless that's something that interests you. Just by looking applications that are making requests and how many requests are being made can help identify where your network traffic is coming from and perhaps some specific applications to investigate further.
Posted by at No comments:
Labels:

Why can't I connect with a 169.254.x.x IP address?


Summary: 169.254.x.x IP addresses are self-assigned when your computer can't get an address any other way. It's an almost sure sign of a problem.

My IP address was 192.168.x.xx, and somehow it was changed to 169.254.xx.xx. Because of this I can't access the internet. Any ideas?
Your IP address wasn't "changed" so much as it was broken.
If you end up with an IP in the 169.254.x.x address range, then something is definitely wrong.
For most folks, the IP address of your computer is assigned when you boot your machine. Using DHCP, your computer asks for an IP address, and a DHCP server responds by assigning one:
Simple DHCP assignment
If you're behind a NAT router it'll be the one handing out IP addresses and you'll most commonly get an address in the 192.168.x.x range. If you're directly connected to the internet your IP address could be almost anything. Exactly what range it'll be in is defined by which IP address ranges have been assigned to your ISP.
169.254.x.x, however, is special.
Consider: what happens when your computer asks for an IP address and no one responds? Due to a network problem, or maybe not being on a network at all, perhaps there's no DHCP server to hand out IP addresses.
What happens is this: your machine waits for a while and then gives up. But when it gives up it invokes Automatic Private IP Addressing, or APIPA, and makes up its own IP address. And those "made up" IP addresses are in the 169.254.x.x range.
"It's like having an unlisted phone number that's so unlisted that even the phone company doesn't know it."
Now, a 169.254.x.x IP address is pretty close to useless. The reason that IP addresses are assigned is so that the upstream networking equipment knows where to send or how to route packets that are destined to reach a machine at a particular address. In other words, when things work that equipment knows that your machine has this address. If your machine makes up its own address, no one else knows. As a result, there's no way to know how to get to your machine.
It's like having an unlisted phone number that's so unlisted that even the phone company doesn't know it. No one can call you.
Even connecting "out" to visit, say, a web site or other server doesn't work because there's no way to know where to send the response.
In fact, the only utility I've ever found with a 169.254.x.x address is if machines are connected directly to each other, then some protocols can be made to work machine-to-machine using the IP addresses. Most, however, do not.
It's frustrating enough that I consider a 169.254.x.x the same as "it's broken" and move on to resolving the underlying cause.
About all you can really say from getting one of those addresses is simply that the machine cannot reach the DHCP server over the network.
  • If you're connected via a NAT router, then either your computer is not actually connected on the network to that router, or the router itself isn't responding to the DHCP request. I typically triple-check my cabling, and perhaps reboot the router.
  • If you're connected to the internet directly then there's something about that that isn't working. Check the cabling to your broadband modem, and check the cabling from your broadband modem to your telephone or cable line. And, if all else fails, call your ISP - it may be their DHCP server or some other item they control that's at fault.
Bottom line: if you're getting a 169.254.x.x IP address then something about your network setup isn't working, and you probably want to investigate what and why.
Posted by at No comments:
Labels:

What happens if two computers have the same IP address?


Summary: Two computers should never have the same IP address if they're on the same network. If they do, results are unpredictable.

What happens if two computers have the same IP address?
An IP address uniquely identifies every computer on the internet.
The key word there is unique.
If two computers on the same network have the same IP address ... well, the results are unpredictable. It depends on how all the other equipment on the network handles the problem. In general it could be as bad as both machines not being able to communicate at all. More likely only one will not be able to, or perhaps there will simply be intermittent problems on both.
In short: don't do it.
Posted by at No comments:
Labels:

What is DHCP?


Summary: DHCP is the protocol computers use to request and receive a "dynamic" IP address.


What is DHCP?
DHCP stands for "Dynamic Host Configuration Protocol".
So I can hear you thinking, "great ... what's that?"
In a nutshell, it's the request your computer makes and the response it receives that assigns it a "dynamic" IP address.
Let's look at that a little more closely.

First, a refresher. Every computer on the internet has an "address". That address is just a number, but it uniquely identifies that computer; no other computer on the internet can have the same address.
There are two types of IP addresses: static and dynamic. Static IP addresses are just that - unchanging. They refer to a particular computer, whether that computer is turned on or not, connected or not. Most typically domain names like "advcomp.co.cc" map to a single static IP address.
Dynamic IP addresses are assigned to a computer on-the-fly. The most common scenario is dial-up. When you dial-up to your ISP, part of the connection sequence is your computer asking for an IP address, and your ISP assigning it one of the addresses it has available. When you disconnect, that IP address is returned to the list of available addresses and may be reused by another computer when it dials in.
Because most home users tend to turn their computers off, even broadband connections such as DSL and Cable continue to use dynamic addresses. If your computer is off, you don't need an address so someone else might get to use it.
Dynamic addresses are also used by NAT routers. Not necessarily on their internet connection, though it can, but rather on the local area network side. Each computer that you connect to your router will ask for an IP address, and that router will respond with an IP address that's available within your LAN.
The actual DHCP protocol is fairly simple. The computer in need of an IP address broadcasts a request, meaning it sends out a request to anyone who'll listen. That, in essence, says "Hey, anyone? I need an IP address!" By definition on any network (or more correctly, sub-network), there should at most one device who's job it is to answer back "Sure, here ya go, have this one." That's a DHCP server. Along with that answer is additional information as well, such as what machines to ask for domain name (DNS) look-ups and what address to forward all outgoing network traffic, too (the gateway).
In Windows, if your computer doesn't get a response from a DHCP server within a certain amount of time, it will give up or it may fall back to only asking every few minutes. It may "make up" an answer as well. In fact if your IP address begins with "169.", that's probably exactly what's happened; no IP address was assigned, and Windows made one up. And I'll bet your networking and internet don't work.


The DHCP FAQ with much more technical detail.
Posted by at No comments:
Labels:

Is DHCP safe?


Summary: DHCP is a fundamental technology to assign IP addresses to computers connected to a network. There are scenarios where DHCP might be spoofed.

In a recent article you said that using DHCP, IP addresses are assigned by broadcasting a request to the network and having the DHCP server responsible respond.
Apparently, my computer occasionally receives a wrong IP address because another device on my network is the first one to provide a response to a DHCP request. Instead of the 10.x.x.x address I normally get from my ISP, I get a 192.168.x.x address. That means that there's probably a misconfigured device somewhere on the network. Is there any way to protect me from those unauthorized attempts?
Is there a danger involved in auto assigning an IP address via DHCP? How do I know the issuing device is trustworthy at all, if ANY device on the network can actually do this?
And how come DHCP negotiations are so easy?
The last question is perhaps the easiest to answer: because TCP/IP wasn't really designed to do and be everything we currently rely on it to do. In particular, it wasn't really designed to protect us from malicious folk.
But it is what it is, and what it is is the backbone of our internet infrastructure.
Let's review the situation and see what, if anything, you can do to protect yourself.
To review: when your computer connects to the internet it needs to have an IP address assigned to it, so that it can be located on the network.
IP addresses can be assigned manually, typically by your ISP, and then configured manually, typically by you or your network administrator. These are called "static" IP addresses because they don't change.
The more common approach among ISPs and consumer internet connections is to use what's called "Dynamic" IP address assignment. If your machine is configured to use dynamic IPs when it connects to the internet, it sends out a request to the local network, a broadcast to anyone who'll listen, asking for an IP address to be assigned to it. Somewhere on that local network should be a DHCP server, who's job it is to respond and tell your machine "this is your IP address". In home networks your router is most often your DHCP server.
"There should be only one DHCP server responding."
The question boils down to this: what if there are two or more DHCP servers on a network, and they all try to respond to your machine's request for an IP?
To be clear, it shouldn't happen. There should be only one DHCP server responding. If there are more then, to quote many computer manuals: "results are unpredictable".
But at least one thing is relatively clear: the first DHCP server to respond is the one that your computer will assume is the authoritative one.
The real concern is if someone did this intentionally, in order to capture and sniff your internet traffic. In order to do so, they would actually have to provide internet access, or you'd notice right away that nothing was working. Also, even if they did provide internet access, any attempts to communicate to other machines on the same network would likely also fail, assuming that they got their IP address from the "correct" DCHP server.
To be honest, this is a difficult situation to detect and proactively protect against. We have to place a certain amount of trust in the ISP that they will detect and remove any rogue DHCP servers on their network, since more often than not, they actually cause noticeable disruptive problems. Similarly, when connecting to another network, we have to kind of assume that the network administrators are also doing the right things.
The good news is that this is a relatively difficult spoof to pull off without being noticed somehow.
In your case it may not be malicious at all. It could simply be some other customer connecting their router incorrectly - connecting the WAN/internet cable to a LAN/local network port. But I'd expect that to result in theirnetwork not functioning properly, and thus I'd expect them to fix it relatively quickly.
Since you did notice, and can identify exactly what IP address you're being assigned, and likely by whom (the "gateway" address also assigned), you have a little more to work with. In your shoes, I'd be looking at installing a firewall - hardware or software - and explicitly blocking the 192.168.x.x range at the interface. Presumably, this will cause your machine to ignore responses from the rogue DHCP server.
And, of course, you could arrange with your ISP to get a static IP address, thereby bypassing the entire DHCP assignment process.
I'd be interested to know if readers have better approaches to this issue.
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)