Localhost:loopback attack

[gunnarj]

Hello, I have two questions concerning the new 2.5 Outpost I just installed:

1.) I receive a pop-up advising of an Attack:

Attack Type: My Address
IP Address: localhost:loopback

.......

Blocked Connections Logs:

5:35:14 PM SYSTEM IN REFUSED TCP localhost HTTP
Address 127.0.0.1 blocked because an attack was detected

5:34:58 PM iexplore.exe OUT REFUSED UDP localhost 1029
Address 127.0.0.1 blocked because an attack was detected

6:16:55 PM iexplore.exe OUT REFUSED UDP localhost 1128 Address 127.0.0.1 blocked because an attack was detected

6:16:22 PM SYSTEM IN REFUSED TCP localhost HTTP Address 127.0.0.1 blocked because an attack was detected

......

I am after this unable to access the internet except for very very slowly.

A question: If I put localhost in the attack detection plug-in under exclusions will this leave me vulnerable to an attack, while letting it through?

What causes this and what can I do about it?

2.) Every time I access the internet via Internet Explorer I get one of those "Hidden Process requests Network Access" pop-ups. It says that a "hidden process requests an outbound connection"... "The process run through OLE automation requires network access"
The process is Iexplore and is launched by either Exporer.exe or Msmin.exe, depending on which app I am accessing the internet from.

question: Can this be solved by unchecking the box under 'Open Process Control' in the Components section of Applications, where it says "Block network access if application memory was modified by another process"?

I have temporarily solved this by "Allowing access to Hidden Processes" in the Applications section, but this can't be a good way to do it.

....

Those are my two basic questions.
Can anybody shed any light on these and help out?

Thanks much,

gunnarj

[j8ee]

I had the same problem as in your question one, and fixed it by adding 127.0.0.1 to the "Exclusions" in the "Attack Detection" settings. You don't find those settings under the text menu "Options", but only under the graphic "Options" menu. (Very silly and confusing, a GUI bug?)

I came to the forum to ask if the above procedure is ok, and why the "Allow Loopback" rule in the Global section don't suffice? Surely, there got to be thousands of people besides me and gunnarj that will try Outpost and then have their network disabled because of this?

This is from my log:

[CODE]00:24:20 Rst attack 127.0.0.1 -> 127.0.0.1
00:14:59 My address 127.0.0.1
2004-10-15 23:53:34 Rst attack 127.0.0.1 -> 127.0.0.1
2004-10-15 23:45:19 My address 127.0.0.1
2004-10-15 23:34:12 My address 127.0.0.1
2004-10-15 23:22:46 My address 127.0.0.1
2004-10-15 23:08:33 My address 127.0.0.1[/CODE]

[j8ee]

I _still_ get localhost "Attacks", even after adding localhost (127.0.0.1) to the host exlusions in Attack Detections! This is very very strange...
Sometimes it seems like Outpost is stopping network activity too then, but not always, I'm not quite sure how often. Firefox _sometimes_ can't load pages after an "Attack" report, and if so I sometimes have to kill a stray firefox process after closing it down. After restarting, it works again.

[CODE]19:06:31 Rst attack 127.0.0.1 -> 127.0.0.1
19:00:20 My address 127.0.0.1
18:51:44 Rst attack 127.0.0.1 -> 127.0.0.1
18:49:14 My address 127.0.0.1
18:36:39 Rst attack 127.0.0.1 -> 127.0.0.1
18:30:40 My address 127.0.0.1
18:20:39 Rst attack 127.0.0.1 -> 127.0.0.1
18:19:33 My address 127.0.0.1
18:03:45 My address 127.0.0.1
17:47:00 My address 127.0.0.1 [/CODE]

[GoonMan]

Hello gunnarj and j8ee,

Do you have the Allow Loop Back rule Unticked under>Options>System>Global System>Rules>AllowLoop Back. If not please Untick the Rule anmd see if you still have the problem.

Please see Outpost 2.5 - what to expect.

Have you tried doing a search of the Forum on Local Host Attack.

[ekerazha]

Quote:

Originally Posted by j8ee

I _still_ get localhost "Attacks", even after adding localhost (127.0.0.1) to the host exlusions in Attack Detections! This is very very strange...
Sometimes it seems like Outpost is stopping network activity too then, but not always, I'm not quite sure how often. Firefox _sometimes_ can't load pages after an "Attack" report, and if so I sometimes have to kill a stray firefox process after closing it down. After restarting, it works again.

[CODE]19:06:31 Rst attack 127.0.0.1 -> 127.0.0.1
19:00:20 My address 127.0.0.1
18:51:44 Rst attack 127.0.0.1 -> 127.0.0.1
18:49:14 My address 127.0.0.1
18:36:39 Rst attack 127.0.0.1 -> 127.0.0.1
18:30:40 My address 127.0.0.1
18:20:39 Rst attack 127.0.0.1 -> 127.0.0.1
18:19:33 My address 127.0.0.1
18:03:45 My address 127.0.0.1
17:47:00 My address 127.0.0.1 [/CODE]

Exactly the same problem!

[ekerazha]

Quote:

Originally Posted by GoonMan

Do you have the Allow Loop Back rule Unticked under>Options>System>Global System>Rules>AllowLoop Back. If not please Untick the Rule anmd see if you still have the problem.

Same problem... and i *need* loopback capabilities...

[gunnarj]

Quote:

Originally Posted by GoonMan

Quote:

Do you have the Allow Loop Back rule Unticked under>Options>System>Global System>Rules>AllowLoop Back. If not please Untick the Rule and see if you still have the problem.

I have tried it checked and unchecked and I still get the 'attack' popup, and the connection slows to a crawl. I have also tried putting localhost under exclusions in the attack detection plugin - does not solve this either.

Anybody else have a solution to this problem, plus the other I mentioned in the original post?

Thanks,

gunnarj

[GoonMan]

First try this Uncheck the Block the Intruder IP and the Block subnet mask. Also if you disable the Attack Detection Plug-in does it make any Difference.


Next try stopping the DNS Cache Plug-in. I have it it stopped now because it was slowing down my connection.

[j8ee]

Thanks, I will try disabling both the attack detection plug-in and the dns cache. The attack plugin has been triggered for a good reason a some times the last days though. I have been using the Windows firewall for a few hours now, and haven't had any connection problems or slowdowns yet. Azureus as an example is working much better without Outpost. I guess it could be because of these things:

[CODE]16:36:45 javaw.exe IN REFUSED TCP localhost 1068 Address 127.0.0.1 blocked because an attack was detected
16:36:44 javaw.exe IN REFUSED TCP localhost 1062 Address 127.0.0.1 blocked because an attack was detected
16:36:45 javaw.exe IN REFUSED TCP localhost 1066 Address 127.0.0.1 blocked because an attack was detected[/CODE]

Why is it blocked even though I have localhost in the Host exceptions?

I guess the Attack Detection plugin/Host Exception rule works in some way, because before I added localhost to the host exeptions Firefox and some other things were blocked instantly from network access. But afterwards, the internet connection is working really bad, and I still get localhost attack detections in the logs, and apparently even a few localhost blocks.


How about the Global System rules and "allow loopback", shouldn't the Global rules have higher priority than the Attack Detection plugin?

[j8ee]

Ok, good - all attack warnings are gone since I disabled the Attack Detection plugin! ... :P I think everything is working as expected now actually, with both suggested plugins removed. I guess this is something worth writing to Agnitum about? But I don't know which plugin (or both) that's causing trouble - to know that I would have to disable them one at a time. And I don't feel like doing it now when things are working. But that localhost "attacks" gets reported even when localhost is in the excluded hosts list is actually a bug, I guess?

Thanks GoonMan!

[DIFference]

Hi,

Is it really that good to disable the Attack Detection Plugin?

I have kind of the same problem, and one in this forum told me to richgt click on Attack Detection -> Properties -> Advanced -> Attack List, Edit List -> Uncheck "My Address attack"

This seem to work, BUT, does it make my computer less secure? If, it still must be more secure than disable the whloe Attack Detectiopn Plugin i think.

/DIFference

[gunnarj]

Quote:

If you want to get rid of the loopback attack detections, open the Attack Detection Properties, Advanced page. Under Attacks List, click on Edit list..., and uncheck My Address attack.

This advice from 'chrisretusn' does work, and it is far preferable than disabling the entire attack detection plug-in.

Hopefully, there will be an update where this flaw is fixed.

gunnarj

[j8ee]

Is there a way to change the rst attack detection settings, so it's not quite as easily triggered? Maybe change the number of rst packets in the advanced settings of the plugin? I guess the number of packets should be raised a bit? (Feels like I have a 50% chance of changing it in the right direction... ) Or adjusting some of the time settings?

[ekerazha]

Quote:

Originally Posted by GoonMan

Also if you disable the Attack Detection Plug-in does it make any Difference.

Are you sure about this?

[ekerazha]

The problem is... why attack detection plug-in blocks hosts which are in the exclusion list? This is a big-bug