
Holy Moley...there's bad guys out there!

Discussion in 'Security and Privacy' started by pippopottomus, 2003/05/06.

Thread Status:
Not open for further replies.
  1. 2003/05/06 pippopottomus, Inactive Thread Starter
    ((BTW: If this is all or part answered on other threads you're aware of that I missed in searching, please post the article links and I shall consider myself chastised about the head and shoulders.))

    I'm in a slight state of shock. I've been running home PCs for just over ten years and this is the first time I've ever created a real home network (using a LinkSys 4-port hardwire router with firewall and VPN end support and a dsl modem). In my ignorance I thought that the router's firewall would be sufficient protection from all the snoopies out there on the Net, but noooooo..... No sooner did I get this thing (finally!) configured and installed than the entire world came knocking at my door bearing gifts of all sorts of nasties.

    What am I, the poster child for stupid?

    I immediately disconnected the router and went back to one PC with the modem, downloaded and installed ZA free, AVG free, updated my Norton AV, configured all that then ran virus checks from Norton, AVG and Housecall, found a bunch of infected files/bad exe's, etc and got rid of them but this whole thing has taken several hours to do. Scans take twenty minutes to complete (I have a LOT of stuff on this box) and hence my questions:

    1: Do most of you update and scan (daily) (weekly) (some other time frame)?

    2: Using Zone Alarm in conjunction with the firewall on the router is a (good) (bad) (doesn't make a difference) thing?

    3. Using Norton AV (which has kept (or at least seemed to keep) most of the nasties off my old computer for years) in conjunction with Zone Alarm is (good) (dumber than dirt) (not really a problem) ?

    (aside) Steve Gibson. ****. This guy IS a certifiable genius, of that there is no doubt, but reading his "Shields Up" site and articles makes one feel like you're living at the foot of the Johnstown Dam in the rainy season. I've only once or twice seen writing of such energy and fervour... I get tired just reading the site's articles and start looking for my Valium!

    Just how much (in your educated opinions) of this is ego hype and how much of it should I actually worry about? I know he's produced some TRULY useful things (especially as concerns Iomega's Zip-100 drive and its foibles, which is where I first encountered him) but it seems that if I followed every suggestion he's come up with it would be a full time job for a month to install and configure everything and then at least an hour each day just to check/update/spackle and repaint as necessary!

    4. Previous to the router I had the DSL feeding BOX A and a crossover-cable "network" so that BOX B could share files with BOX A but not get online. Now The Wife wants to be able to surf the net from the livingroom and play games using the TV as the monitor (no sweat there) but she wants to be able to do it on the DSL line for speed and so as not to tie up the house phone while surfing.

    So I read in several articles (including Gibson's GRC site) where Microsoft's File Sharing (which allowed the two boxes to read and exchange files) is NOT the thing to use for a routered network.... and I'm confused, big time.

    How does one get around that? (little words, please!)

    I have about thirty more paragraphs of questions but for now I'll start with these and perhaps some of the sites/articles/wombat holes that you'll recommend will answer some of the others as well...

    As usual, thanks to all in advance for your continued help and support.

    Vince in Philly
     
    Last edited: 2003/05/06
  2. 2003/05/06 Daizy, Inactive
    Hi pippopottomus
    I'll give you my experience with 1-3.
    1. I use AVG, and yes, I update daily. It only takes a second, and has become a habit. (I'm on cable)
    2. I'm using a Linksys befsr41 router, with 4 computers hooked up to it. Each one also runs ZoneAlarm, to catch the one or two probes that slip by the router.
    3. I'm not a huge fan of using two AV's. In my humble opinion, it's asking for conflicts.

    Knock on wood...... I'm locked down tight....and have yet to be infected with a virus. (Though I easily fend off a half dozen a day.)

    Daizy
     


  4. 2003/05/06 pippopottomus, Inactive Thread Starter
    Thanks, Daizy!

    I did run across another forum where they definitely recommended AGAINST having in-line AV's and so I'm sticking with Norton (since I paid for that one) on both machines, with Zone Alarm on both as well.

    My router is a LinkSys BEFSX41 which needed a firmware change before it would work at all, but which now 'seems to be' operating just fine.

    Has anyone else experienced a M A J O R slowdown in internet access after installing Zone Alarm on a routered network?

    On ADSL and without the router I was d/l at about 732Kbs but with it (no ZoneAlarm) I was down to 663 Kbs... with ZA and the router in the picture, I'm now about 370Kbs or less (usually)! Loading this page took 18 seconds and accessing the board at all was nearly 40 seconds!

    I gotta tell ya, this ain't the computing experience I bargained on when I first thought about setting up this network. My throughput ain't very well!

    (just throwing out ideas...)
    could the firewall built into the router be interfering with ZA and thus slowing my access/throughputs?

    Any other thoughts out there?

    (Verizon ADSL via Westell dual connect modem
    LinkSys Router
    BoxA: P4 2.5 GHz WIN98SE 512 MB DDR RAM
    BoxB: PIII 600 MHz WIN98SE 512 MB PC100 RAM)



    Vince
     
  5. 2003/05/06 Rockster2U, Geek Member
    A little off subject here but noticed your download speed and figured you need some help. Go to DSLReports and seek out their tweaks page. There's a little executable there called DRTCP which should help you optimize your DSL. I threw it in a folder and run it out of program files. Settings as follows:
    TCP Receive Window 32767
    Max Duplicate ACKs 3
    TTL 128
    Max MTU 1492
    All others Default

    Make sure you set this for your NIC card and not your dialup adapter (radio bar drop down), close and reboot. You should pick up another 300-500 kbps if you're on a 1400-1600 kbps max rated ADSL line.

    ;)
     
  6. 2003/05/06 TonyT, SuperGeek Staff
    There seems to be an outpoint in your original post. You say that after hooking up the router, your network was wide open to all prying eyes? This means two things:

    1. You had the router misconfigured.
    2. You had the network misconfigured and insecure.

    Gibson is a bright fellow, but he is not God. (he seems to have a vested interest in Zone Alarm)

    I am running an 8 port Linksys router w/ 5 computers on the network w/ cable internet. The network is very secure and unseen by anyone who probes the IP provided by my isp. The router is also unseen and undetectable. I use only the router's NAT solution and no software firewall is necessary. I also use Netbeui for file & print sharing instead of TCP. (tcp is insecure as a LAN protocol if the systems also have www access) The TCP I do have is unbound to all adapters and services and is used for internet only.

    The only need of a software firewall when using a NAT router is to be able to check/block OUTGOING data from trojans or spyware. Otherwise, there is no need for it.

    Yes, there are hackers who have the ability to get past a NAT router and even software firewalls. (Zone Alarm is easier to get by than most believe) But the % of people w/ the skill to do that is very small. These guys are targeting corp web sites, e-commerce sites and govts., not harry-home-network.

    Read the router manual and secure your network, then hook up the router and set it up correctly.
     
  7. 2003/05/06 pippopottomus, Inactive Thread Starter
    In defense of the router and reply to Rockster

    I said that after I hooked up the router it 'seemed' that every baddie in the Universe came visiting, but I have no way to check and see if the router was actually wide open. Sure seemed like that to me as I picked up about 11 virii (all stopped by Norton) in a half-hour's time.

    Router folks and I spent a total of 8 calls and 11 hours over this model (which has had chip problems) and it finally took getting a senior tech on the phone (Thanks, Bryan) during his lunch hour to get it semi-correctly configured. (The ONLY reason I bought the LinkSys was because Verizon 'supports' its use on their DSL.... how do they support it? They transfer you to LinkSys. Grrrr.....)

    Just before I started this reply I rebooted EVERYTHING and now am getting something approaching the expected speeds... (547.9 Kbit down and 68.5 KByte up) with Zone Alarm installed.

    So far in a 7 day period I've spent a total of 83 hrs on-phone with one tech or another from Verizon, LinkSys, Zone Labs, a computer consultant I know and a few other places as well and 60 hours formatting, re-formatting, pulling and swapping, loading/un-loading and tweaking and sobbing.

    SUDDENLY it looks as though things are now working as they should, although THAT could change momentarily if the sun comes out.

    MTU's are now set per the "ping test plus 28" formula at 1490 and it seems good.

    SO: for the time being it looks as though we've got it somewhat licked into shape. I dunno just what the reboot did, perhaps it was shutting everything down and then restarting one component at a time... if that's what it takes in the future, I'LL LIVE WITH IT. I am so sick of talking to techs I may never make another phone call in my life. (but don't bet the ranch...)


    What the heck is a "VPN Tunnel" and why should I care? The router folks say it's a "feature", but so is my nose and no-one seems particularly interested in having that for themselves....

    Some things in your post I don't understand, Rockster.... perhaps you'd care to enlighten me and so anyone who reads the thread...

    "Max Duplicate ACKS" ??
    "TTL" ??

    As I said, I've set the MTU to the max ping reply + 28 and it seems to be working now.


    (one more speed test produces 644.1Kbs down by 80.5 KBs up)
     
  8. 2003/05/06 Newt, Inactive
    Since that router does stateful firewalling (inbound packets to an open port are examined by the firewall to see if they fit with the normal traffic for that port and if not, they are blocked even if the port is "open ") to add to the protection NAT already offers, I'd be really surprised if you got trash in thru the router unless you have a machine set up in the DMZ. If so, that one will be wide open as you will have bypassed any firewall protection from the router.

    And as noted above, you will get no additional protection from ZA for inbound stuff. You can certainly use it to watch outgoing stuff but it will add overhead and slow you down some. Shouldn't be a huge amount but certainly some.

    ACKs and TTL are sorta related in this case.

    TTL (time to live) - as used here is really a hop count. An internet packet can't be allowed to wander hopelessly lost forever if it can't find its intended destination. Too much sludge added to the internet for no good reason. So you set a TTL for packets which basically says how many routers the packet can pass thru before either reaching its intended destination or being killed. With TTL set at 128, the packet leaves your PC and out thru your router which resets the TTL to 127. Your ISP will have at least one router so the count is down to 126 or 125 when the packet leaves the ISP. When it reaches zero it dies but it should have found its intended destination sooner than that. Note that TTL can also indicate a specific time the packet will be allowed to exist but here it's a hop count.

    What DRTCP is calling MAX Duplicate ACKs set to 3 is also known as Triple duplicate ACKs (TDACKs).

    Packets (the basic unit of information transmission on the internet) may not be left intact after they leave your PC. Possibly too large for some equipment to handle or a couple obscure other causes. In this case the packet will be split into 2 or more smaller ones and sent along toward the destination. Each piece is marked with a sequence number related to where it was located in the original packet, the total number of pieces noted, and is re-assembled at the destination. But they don't always arrive in the sequence order so that piece #3 may get there before piece #1. Or #2 & #3 may make it but not #1 and in that case, the pieces are worthless and the entire packet needs to be retransmitted.

    The destination will send an ACK (acknowledgement) as it receives packet pieces.

    Waiting for the retransmission timer to expire causes a considerable delay. To speed up retransmission of lost packets when data is still exchanged between sender and receiver, a fast retransmit/fast recovery mechanism was added to TCP. Whenever a packet is received out of order, an ACK is sent with the sequence number that was actually expected (duplicate ACK) to inform the sender. The sender does not know if the duplicate ACK was caused by a lost packet or simple packet reordering. However, when three consecutive duplicate ACKs are received, the sender assumes that the corresponding packet was lost and retransmits it without waiting for the retransmission timer to expire.

    And even though it's been answered let me add that you absolutely DO need AV software in addition to the firewall since a firewall wouldn't know a virus from a watermelon. You have a port open for email and if an infected file is embedded or attached, the firewall won't notice.
     
    Newt,
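Newt's description of duplicate ACKs and fast retransmit, modelled as an added Python example (not code from the thread, from DRTCP or from any TCP stack): the receiver ACKs the next segment it expects, so out-of-order arrivals produce duplicate ACKs, and the sender retransmits once it has counted three of them. Segment numbers and the two arrival orders are constructed sample input, and sequence numbers count whole segments rather than bytes.

```python
"""Toy model of the fast retransmit mechanism described above: the
receiver always ACKs the next sequence number it expects, so every
out-of-order segment produces a duplicate ACK, and the sender retransmits
the missing segment as soon as it has counted three duplicate ACKs
(DRTCP's "Max Duplicate ACKs = 3") instead of waiting for the
retransmission timer. Sequence numbers count whole segments, not bytes."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DUP_ACK_THRESHOLD = 3  # the "Max Duplicate ACKs" setting from the thread


@dataclass
class Receiver:
    expected: int = 1                                  # next segment wanted
    buffered: Set[int] = field(default_factory=set)    # out-of-order segments held
    delivered: List[int] = field(default_factory=list)

    def receive(self, seq: int) -> int:
        """Accept segment `seq` and return the cumulative ACK (next expected seq)."""
        if seq == self.expected:
            self.delivered.append(seq)
            self.expected += 1
            # drain any buffered segments that are now in order
            while self.expected in self.buffered:
                self.buffered.remove(self.expected)
                self.delivered.append(self.expected)
                self.expected += 1
        elif seq > self.expected:
            self.buffered.add(seq)            # there is a hole before it: hold it
        # seq < expected is an old duplicate; the ACK does not move
        return self.expected


@dataclass
class Sender:
    last_ack: int = 1          # everything before segment 1 is already acked
    dup_count: int = 0
    retransmitted: List[int] = field(default_factory=list)

    def on_ack(self, ack: int) -> Optional[int]:
        """Process an ACK; return the segment number to retransmit, or None."""
        if ack > self.last_ack:               # new data acknowledged
            self.last_ack = ack
            self.dup_count = 0
            return None
        self.dup_count += 1                   # ack == last_ack: a duplicate ACK
        if self.dup_count == DUP_ACK_THRESHOLD:
            self.retransmitted.append(ack)    # fast retransmit of the hole
            return ack
        return None


def simulate(arrival_order: List[int]) -> Dict[str, list]:
    """Feed segments to the receiver in the given arrival order (a constructed
    sample of loss or reordering), pass each ACK back to the sender, and queue
    any fast retransmission so it arrives after the segments already in flight."""
    rx, tx = Receiver(), Sender()
    queue = list(arrival_order)
    acks: List[int] = []
    events: List[str] = []
    while queue:
        seq = queue.pop(0)
        ack = rx.receive(seq)
        acks.append(ack)
        resend = tx.on_ack(ack)
        if resend is not None:
            events.append(f"{DUP_ACK_THRESHOLD} duplicate ACKs for {ack}: "
                          f"fast retransmit of segment {resend}")
            queue.append(resend)
    return {"acks": acks, "delivered": rx.delivered,
            "retransmitted": tx.retransmitted, "events": events}


if __name__ == "__main__":
    # segment 1 lost: three duplicate ACKs trigger a retransmit without a timeout
    print(simulate([2, 3, 4, 5]))
    # mere reordering: a single duplicate ACK, no retransmit
    print(simulate([1, 3, 2, 4]))
```

The second run shows the point Newt makes about the sender not knowing loss from reordering: one duplicate ACK alone never triggers a retransmit.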
  9. 2003/05/06 pippopottomus, Inactive Thread Starter
    Well, thanks for the info!

    I finally spent twenty minutes reading up on GRC's "Shields Up" site (it STILL reads like Murray Leinster used to write) and then took the test and apparently everything is as it should be with nothing showing on the internet.

    One weird thing, every hour or so (I haven't really timed it yet) I suddenly slow down to almost nothing and it stays that way until I reboot the machine OR disconnect and reconnect to DSL via the desktop dialer. Nothing else slows on the machine and I can still see the other computer and transfer files to and from it on the network, but my download speed drops from the 60's to less than 3 kbs. Reboot or close and re-open and it's back to speed again.

    Confusing, but not deadly. I can deal with that if I have to.

    Vince
     
  10. 2003/05/07 Rockster2U, Geek Member
    Well, Newt sure explained that a heck of a lot better than anything I could have attempted.

    Back to your setup - you are currently running at about half of what is possible with a less than one minute fix. Sorry to disappoint you if you were looking for a few more hours of tech support phone conversation.

    I have a similar setup with an 8 port router, 2 printservers with 4 port switches and a wireless access point - all linksys. Speed down runs anywhere from 1214 -1248+ on most normal days (and nights) and speed up runs about 220. My service is 1500/256 and I'm about the best in my zipcode for my DSL provider.

    I would suggest you try exactly what I previously suggested and if you don't like it, don't use it. The program is DRTCP and it's available at DSL Reports as previously mentioned. It's a very small executable that will save you some manual registry editing time and can be reset back to your original defaults at any time. I think you will see a very noticeable improvement if you get and run this little application. You can stick with 1490 or try my 1492 recommendation but 1492 sure tests out better for me. As for the rest of my recommendations, you are certainly free to do whatever blows your skirt up.

    ;)
     
  11. 2003/05/07 pippopottomus, Inactive Thread Starter
    OY! DMZ!

    Vit dis I hed awreddy trubble in 1968!

    But Newt hit the hamontosh in the prune filling.... the initial plug in WAS to connection 4/DMZ (as per the instructions in the quick-start card from LinkSys!)

    Not having a single clue as to what I was supposedly doing, I followed the initial instructions from the manufacturer and had the computer plugged into a non-firewalled port! Sheesh. No WONDER I got so many visits from the nASTY cREW oUT tHERE.

    At some point in the setup nonsense some tech suggested I unplug everything and (casually) suggested using ports #2 & #3 as "they were easier to get to" on the back of the router. (Like John Glenn, I hate it when GC doesn't give the pilot all the information about the aircraft!)

    So all seems to be up and running anti-virus-wise. Zone Alarm IS slowing me up a bit but the protection is probably worth it and if it really bugs me I'll just opt for the next step up in Verizon's ADSL palette. It shows (ZA that is) having stopped over 500 attempts in about 30 hours and NAV is up to speed as well. It also passed with all marks on Gibson's "Shields Up" tests.

    Thanks to all (yet again) for your patience, good humour and great information/ideas. Who needs an MCSE course with you lot about?

    One funny aside. I was up at Microcenter this AM getting some more short cables to replace the 12' pair I have going from modem to router and router to NIC [just a little overkill, that] and just from reading this board and the posts on it was able to answer quite a few questions for a pretty lady while she was waiting for a nonexistent salesclerk to appear. The manager, unbeknownst to me, was one aisle over and caught me on the way out and offered me a job!

    This shows two things.... you never know when what you learn is going to come in handy and also that the folks at Microcenter are DESPERATE for anyone who can stand up and walk.

    Vince
     
    Last edited: 2003/05/07
  12. 2003/05/07 Newt, Inactive
    Vince - the term DMZ (for DeMilitarized Zone) should have told you something. Real meaning is a "no man's land" buffer zone between warring factions. Always a dangerous place to be. :D

    And if you haven't tried the app Rockster2U recommended, you really should. Good stuff.
     
  13. 2003/05/08 pippopottomus, Inactive Thread Starter
    Thanks for all the advice and .....

    But I spoke too soon on the router being set up and working.

    It died on me. Suddenly box A could see box B but not the reverse and then neither could access the DSL modem via the router.

    DSL without the router is super-duper on either machine so I have to conclude the router is a dead 'un or at least has major problems.

    Back to square 1 in that department.
     
  14. 2003/05/08 Rockster2U, Geek Member
    Reset that puppy. You'll soon find that a properly configured router can be a man's (sorry Daizy) best friend.

    ;)
     
  15. 2003/05/08 GaryMaton, Inactive
    Back to checking viruses... (in this order)....

    DAILY....
    1. I run McAfee,
    2. I then run HouseCall (www.trendmicro.com)
    3. I also run disc clean up

    EVERY FEW DAYS / WEEKLY...
    1. SwatIt (http://swatit.org/download.html),
    2. Registry First Aid.


    ** If I find a virus I will wipe it out then reboot and run the following in the following order:
    1. McAfee,
    2. HouseCall,
    3. SwatIt (http://swatit.org/download.html),
    4. Registry First Aid (saves errors on startup if a registry entry has been made to load a virus)
    5. Disc cleanup,
    6. Reboot,
    7. McAfee - if a virus is found now, back to step one and you'll need to ask for help here or search for the virus on www.trendmicro.com.

    IN TERMS OF FIREWALL...
    Zone Labs make the BEST firewalls in the world!
    I would never use Norton for any computer problems as I once quarantined files and cleaned them and NONE were put back right.

    Please tell me if this was any help,

    Thank you,

    Gary
     
  16. 2003/05/09 pippopottomus, Inactive Thread Starter
    Reset that puppy?

    Thanks Rockster, but I've given up on this particular puppy. I'll get a 2-wire and see how that works (it's also approved by my ISP [ooooh, an' doesn't THAT give ye a warm an' fuzzy feeling?]) in its stead. I should have done this as soon as the tech told me that (out of the box!) the LINKSYS unit required a firmware upgrade even to properly configure. BEFSX41.. anyone else out there with this model who's had problems?

    I agree... a router is a great addition to the arsenal and I dunno why I waited until now to take the plunge. Wife is on me daily for the hookup to the TV so she can surf from the livingroom.



    Gary:
    ANY information is valuable and helpful... Also, there'll be folks reading this until it's removed from the archive or goes so far down the list that it can be only found by a search, but it'll come in handy for years.

    As for me, I'd never heard of SwatIt previously and have d/l the eval for testing...sounds interesting.

    I've heard varying opinions of both McAfee and Norton (along with other 'wonderful virus tools' over the years) but have never had a problem with Norton until now. FIXIT did ***** up on me back about five years ago when I had a P-II machine but I put that episode down to my own inept use of the program. (I stay away from it, nonetheless.... once burnt...). If I keep getting glowing reports of the latest and greatest from McAfee, I think I'll invest time in an evaluation copy.

    A friend of mine who lurks here (you meet the darndest people on a Window...[sorry, Honda...]) has opined that after reading all the posts on the various forii, in his opinion (he's an IT professional) my users description should be downgraded from "luser" to 'hoser'. Ain't it nice when friends are supportive?

    Supportive is most definitely what you lot have been and I thank all for their inputs and suggestions.

    Along the lines of Gary's suggestions, I usually
    Reboot (to get a regscan copy) every week or whenever I add/remove a program ( which may or may not require a native reboot)
    Export the registry 1st thing every day
    Run Norton full scan ( then go and wash up for the day, make coffee and by the time I've actually finished all that the scan has completed) and deal with the results, also making sure that all virus defs are UTD
    Burn a backup of my "C" drive and registry export on a CDRW (with a 24x CDRW this takes only a few minutes)

    I've not used housecall but once in past and know next to nothing about PC-cillin but am open to more info. I do remember it from around '95 or so when it was <<reliable.

    Well, gotta go make brekky for the wife.

    Vince
     
    Last edited: 2003/05/09
  17. 2003/05/09 GaryMaton, Inactive
    HouseCall is very useful as it is VERY up-to-date.
    I wouldn't run it as my sole virus scan but it is a great program.

    SwatIt is good (but slow - about 45min for my PC)

    I still think the best firewalls are from ZoneLabs but they could have two functions to improve them:

    > "Pause" function (for when you need to disable the firewall for just a second or two for downloading an applet or similar) because as it is I have to shut it down and then reload it.
    > "Reset" to put the firewall back to as it was the day you got it (as sometime you'll allow a program then worry that you shouldn't and it would be nice to have a fresh start without reinstalling).

    Anyone know a firewall that meets the above?

    Gary
     
    Last edited: 2003/05/09
  18. 2003/05/09 GaryMaton, Inactive
    (By the way Vince... Do you often stand in bins? :D [Just looked at your site] )
     
  19. 2003/05/09 pippopottomus, Inactive Thread Starter
    Wall, y'know....

    Aye... the dustbin is me 2nd natural habitat... the first being the end of the bar closest to the Murphy's spout. (It's also the one that's usually closest to the stage so I have less stumbling distance when we're due on..)
     
  20. 2003/05/09 GaryMaton, Inactive
    God bless the pub!

    So how is the firewall problem coming?
     
  21. 2003/05/09 pippopottomus, Inactive Thread Starter
    Firewall's no the problem the more...

    It's the bloody router that I've given up on. Couldn't be happier with ZoneAlarms even though it does cost a bit of download time when connecting to something (very little). I pass Shields up with flying colours and as soon as I find a router that is acceptable to Verizon and which doesn't need firmware upgrades right out of the carton, I'm sure that that will get resolved as well.

    I now know how to calculate for MMTU and (approximately) how to set up a wired router. Wish I didn't live in a house with 12 inch stone walls which preclude use of a wireless router. Not even a wireless phone works in here. Off to the computer store to pick up a different type.
     