What is an IPS attack?

When trying to browse ctvnews.ca I got this message

Other websites work fine; I was able to browse 3 stories, then got that message. I have Windows 8 with Windows Defender, and I'm using Firefox.

Most likely, they have a misconfigured intrusion prevention system that is detecting innocuous activity as an attack. Another possibility is that you’re on a shared connection and multiple people using that connection tried to access the same site in a short period of time, creating the appearance of a denial of service attack.

Alternately, you could be infected with malware that’s attacking the site, but I suspect one of the first two is more likely.

unknown…but found this

http://answers.microsoft.com/en-us/ie/forum/ie7_6-windows_xp/blocked-because-of-ips-attack/a0b735c4-95f4-44e9-8a1f-9c0608f3bdec

I am on my own connection, one computer directly to the modem. I called my ISP's tech support; they were unhelpful. She says I should consult a computer expert. I use DSL, so if it's IP-address based, a previous user before I signed in may have been the culprit, since the IP address is different each time I log on to the internet. However, the tech support lady had no interest in knowing about any bots or compromised users they may have :frowning:

Windows Defender updates a few times a day automatically; it updated less than an hour ago. I'm running a full scan now.

The message you got came from the actual site itself, right? It wouldn’t have anything to do with your system or your ISP, and there would be nothing they could do to help. A web site you visit could give you any message it wants to, and the message may only have meaning to that site itself. For example, I could go on my web site and put a popup telling every user they were infected with Ebola, but that wouldn’t make it true. Some unscrupulous web sites even do give you weird popups hoping to trick you into buying software you don’t need, or gaining your personal info.

What probably happened is either whatever intrusion detection system they have (probably recently installed) is mis-configured, or they are legitimately under attack and one or more of the attackers is in the same block of IP addresses as you are. Or you rebooted your modem one day and it picked up the IP address of someone who once attacked that site or did something very bad with it. Normally if you leave your cable modem powered down for anywhere from a few hours to a few days, it will pick up a new IP address when it powers up. Otherwise, your modem will jealously hold on to the same IP and your ISP will let it.

So it could be dozens of different scenarios, probably none of them having anything to do with you or anything that could be changed by your actions. I wouldn’t worry about it.
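The two non-malware explanations offered in this thread (many users sharing one public address tripping a request-rate threshold, or an attacker living in the same block of addresses as you) can be reproduced with a few lines of detection logic. The following is an added example, not code from any poster and not what ctvnews.ca's IPS actually runs: a sliding-window rate limiter keyed either per source IP or per /24, run over constructed Apache-style access log lines. The threshold, window, block duration and all addresses are assumptions chosen to illustrate the behaviour.

```python
"""Sliding-window request-rate blocker of the kind an IPS might apply.

Added illustration, run over constructed log lines; thresholds and
addresses are made up to show how innocent clients get caught.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client reads four stories in four seconds, a
# neighbour in the same /24 then reads one, and an unrelated client reads one.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2013:14:02:01 +0000] "GET /story1 HTTP/1.1" 200',
    '203.0.113.5 - - [10/Mar/2013:14:02:02 +0000] "GET /story2 HTTP/1.1" 200',
    '203.0.113.5 - - [10/Mar/2013:14:02:03 +0000] "GET /story3 HTTP/1.1" 200',
    '203.0.113.5 - - [10/Mar/2013:14:02:04 +0000] "GET /story4 HTTP/1.1" 200',
    '203.0.113.77 - - [10/Mar/2013:14:02:05 +0000] "GET /story1 HTTP/1.1" 200',
    '198.51.100.9 - - [10/Mar/2013:14:02:06 +0000] "GET /story1 HTTP/1.1" 200',
]


def parse_line(line):
    """Return (source_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def key_by_ip(ip):
    """Rate-limit each source address on its own."""
    return ip


def key_by_slash24(ip):
    """Rate-limit a whole /24, so a noisy neighbour gets you blocked too."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class RateBlocker:
    def __init__(self, max_requests, window_seconds, block_seconds, key_fn=key_by_ip):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block = block_seconds
        self.key_fn = key_fn
        self.history = defaultdict(deque)   # key -> timestamps inside the window
        self.blocked_until = {}             # key -> time the block expires

    def observe(self, ip, ts):
        """Record one request and return 'allow' or 'block'."""
        key = self.key_fn(ip)
        until = self.blocked_until.get(key)
        if until is not None and ts < until:
            return "block"
        hist = self.history[key]
        hist.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while hist and (ts - hist[0]).total_seconds() > self.window:
            hist.popleft()
        if len(hist) > self.max_requests:
            self.blocked_until[key] = ts + timedelta(seconds=self.block)
            hist.clear()
            return "block"
        return "allow"


def run(lines, blocker):
    """Feed parsed log lines through a blocker; returns [(ip, decision), ...]."""
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        decisions.append((ip, blocker.observe(ip, ts)))
    return decisions


if __name__ == "__main__":
    # Three pages allowed, the fourth blocked, exactly the pattern described above.
    for ip, decision in run(SAMPLE_LOG, RateBlocker(3, 10, 60)):
        print(f"per-IP    {ip:14} {decision}")
    # Keyed by /24, the neighbour at .77 is collateral damage.
    for ip, decision in run(SAMPLE_LOG, RateBlocker(3, 10, 60, key_fn=key_by_slash24)):
        print(f"per-/24   {ip:14} {decision}")
```

With the per-IP key the fourth request from 203.0.113.5 is blocked and everyone else is left alone; with the per-/24 key the innocent 203.0.113.77 is blocked as well, which is the "same block of IP addresses" scenario. A real IPS has more signals than a request count, but the false-positive mechanics are the same.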

I used a few different proxy servers and each one got the same message after I browsed 3 pages, so either it was my computer or their server.
The scan came back clean, and their site is working now, so it does appear it was their end; either that, or my computer was sending malicious data through each server as soon as I browsed to the website.

Your ISP would be able to tell if you were spamming the world with malicious packets from your network. So would your router—mine has traffic reports showing me what’s going on with the network. The ISP would also likely suspend your service and notify you if that was the case. And if that were the case, your computer wouldn’t be attacking sites that YOU visit, it would be under the influence of some bot army overlord, who would be using your computer to attack targets of HIS choice. It doesn’t sound to me like you are infected. On the contrary, it sounds more like the site you are having a problem with is infected. And if you are truly worried about this sort of thing, you should be surfing the Internet using virtual machines which can be rolled back to a backup at the first hint of trouble. And also flash the open source DD-WRT or Tomato firmware to your router so you can see what’s going on with your network instead of wildly speculating :wink:

That was the reason I called them, but they had no interest in checking; they considered it my problem, not theirs.

I have no router (actually I do, but I don't use it; it's still packed), but I wondered why only their site would give me problems. If I had not browsed to it from Google News I never would have gotten the error; it's not a news site I often visit.

I am interested in being more secure; I don't know much about virtual machines or the firmware you mention.

It’s not your or the ISP’s problem. It’s only your problem in the sense that you’re bothered by it, which is what the ISP is trying to tell you.

If you are using more than one device on your network (wi-fi?), then you have a router, even if it’s built into your modem or whatever box your ISP gave you. An ISP only assigns you a single “public” or “external” IP address and then everything on your network shares that public IP using a technology called NAT (network address translation) which has the secondary effect of making it difficult to attack a network from the outside.

Virtual machines are simply a machine running inside another machine. For example, Windows Vista, 7 and 8 give you a free copy of Windows XP that you can run inside the newer version for compatibility. I still have an old scanner that I love, but they don't have the drivers for newer versions of Windows, so I boot a Windows XP computer inside my Windows 8 computer. You can even run other operating systems, for example Windows 8 on a Mac or vice versa, or Ubuntu on Windows, or Windows on Ubuntu. The possibilities are endless and limited only by the power of your machine (I/O, CPU, RAM, etc.)

And one good side effect of VMs is that any malicious code is not attacking your physical machine, and most of the time it can’t break out of that environment, though I do allow my VMs on the network.

Most of what people call security is either “security through obscurity” or “security theater” so it definitely pays to do your own research.

Oh, and if your setup is truly a computer plugged straight to the modem, jeez man, buy a cheap router and let your guests have some wi-fi. You are actually more secure by not having wi-fi, but the risks can be mitigated, and I know my guests would personally give me a blank, uncomprehending stare if my house didn’t have wi-fi for all the gadgets people carry these days.

IPS is Intrusion Prevention System.
Could be a message from their IPS. Seems the traffic looks suspicious, possibly corrupt, or there is something in the data stream.
Run a kind of Loadpoint Analysis or HijackThis. Dunno if M$ has this kind of tool to check if suspected infected files need to be submitted to their servers.

It truly is that: no wifi and no additional devices. And I have a router; it was a gift from a friend who probably wanted a more stylish one, so he gave me his old one. It is a single-computer DSL modem that I bought last year (not rented or purchased from the ISP).

I have Windows 8 Home Premium; does it have the XP mode you mention?

One unrelated question I have: if I use a router, my account has one IP address, so how does the router send incoming data from the internet to the right computer?

Do you have any white vans with plumbing tubes on the top outside your home or near by where you are?? LOL They are watching you! :bigsmile:

I believe it does, but you’ll need to download it. Though for Windows 8 you’ll need to run VirtualBox which is free, because Microsoft Virtual PC no longer technically exists, and what it used to be is built into the Pro version of Windows 8, which you don’t have. There are lots of tutorials out there for doing this.

Start with this link for your copy of XP: http://windows.microsoft.com/en-us/windows7/products/features/windows-xp-mode

It does that with something called NAT which is used in conjunction with something called DHCP. Basically you have a single public IP address and all of your computers are assigned private IP addresses that only pertain to your network. I'm no NAT guru, but in a nutshell it keeps track of all the packets going in and out of your network and figures out which internal device they belong to, and most of the time everything goes smoothly. In fact, some time when you are at a public place with free wi-fi, sign into their wi-fi and you will see "obtaining IP address" or "obtaining network address" on your Android device, and you will see DHCP in action. DHCP is what actually assigns you the internal IP address, and it maintains a big list and even recycles IPs once their "lease" expires. In fact, your public IP comes from your ISP's DHCP server, so it's possible to get a new public IP by leaving your modem disconnected a long time, and then your ISP will eventually recycle that public IP. And so all routers have a built-in DHCP server, and DHCP works the same for assigning public and private IPs.

For example, let’s say some forum gives you a lifetime IP ban. You could unplug your modem a few days and get a different public IP, and the banned IP would probably stay in that forum’s database, and whoever got it next would be unable to use that forum, while the forum wouldn’t recognize your new public IP.

So you have to think in terms of public and private IP addresses. One way to see your private IP (which will usually start with 192. or 10.) is to open a command prompt in Windows and type ipconfig [enter] and it will show you information about the TCP/IP stack. You can also see this private IP on other devices such as Android, and you can always find out your public IP by typing “public ip” into google or a site like whatismyip.com
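To make the "one public IP, many private IPs" bookkeeping in the two posts above concrete, here is an added example of a port-translating NAT (NAPT) table, written for this page and not taken from any poster or router vendor. It is deliberately simplified (no timeouts, no TCP state tracking, a single public address, and a textbook endpoint-dependent mapping); the addresses are constructed, with 203.0.113.5 standing in for the public address the ISP handed out. The same block includes the private-address test that the "ipconfig shows 192. or 10." advice relies on, written against the RFC 1918 ranges explicitly.

```python
"""Simplified NAPT (port-translating NAT) table.

Added illustration only: shows how several private hosts share one public
address and why an unsolicited inbound packet has nowhere to go.
"""
import ipaddress
from dataclasses import dataclass

# The RFC 1918 private ranges: what ipconfig shows when you sit behind a home router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip is a private (RFC 1918) address, i.e. not routable on the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """One public address shared by a LAN; ports distinguish the internal hosts."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port  # next unused public source port (assumption: sequential)
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound_map = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound_map = {}

    def outbound(self, pkt):
        """Rewrite a LAN->internet packet so it carries the public address."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not a private address; nothing to translate")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Rewrite an internet->LAN packet back to the private host, or drop it."""
        entry = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no matching outbound flow: the router has no host to hand it to
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    # Two LAN hosts both talk to the same web server from the same local port.
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.7", 80))
    print("outbound:", a, b)
    # The server's reply to b's public port lands on 192.168.1.11, not .10.
    print("reply:", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", b.src_port)))
    # A probe from a stranger matches no flow and is dropped.
    print("probe:", nat.inbound(Packet("198.51.100.9", 443, "203.0.113.5", 40000)))
```

The last case is the "secondary effect" mentioned earlier: inbound traffic that no internal host asked for has no table entry and is discarded, which is why a NAT router gives some protection even without any firewall rules. It is not a firewall, though; anything that can get a mapping created (or that abuses the mapping logic itself) still gets through.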

ding ding ding

Even a simple stateful firewall (NAT translation) in a router will protect all the machines behind it on the LAN. Don't EVER plug a computer directly into an internet-routable address (aka directly into the modem) w/o some sort of firewall (router) between it and the nasties floating around out there; winderz has sooooo many holes it's not even funny.

Do an ipconfig; if you don't have a 192.168.*.* or similar (called a private-IP network) address, then you are directly connected to the internet…

If you think something on your computer is sending out the attacks the pages are identifying, update your antivirus (AVG Free, Avast Free, even M$ Essentials) and run Malwarebytes; CCleaner, to clean up the garbage on the computer, goes a long way too.

Bort, plug in that router. It inherently provides you some protection being between your pc and the internet.

Many routers let you turn off wifi if you don't use it. If you do use wifi, use WPA2 or WPA, turn off WPS, and do not use WEP (not even an option on newer routers). WPS can be broken on many routers, and WEP is completely broken, worthless. Oh, and pick a decent password. Use a bad one and you might as well just leave it open.

It’s not completely unreasonable to forgo a router as long as you are running a good firewall. Newer versions of Windows now come with a stateful, rule-based firewall like the Check Point firewalls we used to pay 20 grand for in the '90s. But unless you have a solid reason, like you can’t afford the extra electricity, or the $29 for a router, or something like that, then you should probably just plug one in. You get a decent security bump and a huge bump in convenience.

It’s also easy to find which routers are compatible with DD-WRT, and it’s worth the hour to sit down and meticulously follow the instructions for flashing the firmware. There’s a slight chance you can “brick” one even if you do it right (‘slight’ meaning it won’t happen), but the risk is small, and routers are cheap, and the reward is big. Now suddenly you have an enterprise class router for 50 bucks and an hour of not screwing it up.

And lest anyone think NAT makes them completely safe, there have been plenty of exploits over the years with malicious packets that go right through NAT’d routers and firewalls. Things like half-open connections and all manner of malformed/wacked packets. Just about anything leaks if you pound on it hard enough, and TCP/IP are ancient protocols. But you can sure take the low-hanging security fruit, and I would put NAT in that category.

Oh yeah…DD-WRT is nice
Some Buffalo routers even come with DD-WRT already installed.

NAT is better than nothing…but far from secure of course

I used to develop a Linux software firewall called SmoothWall, but had a falling out.

Pretty cool having an old busted 233 MHz Pentium computer and a couple of NIC cards w/ active threat protection in place using Snort.

Always better to have something between your LAN and the big bad interwebz even if it’s an old archaic firewall protocol, but yes…NAT is not the premier firewall, but it’s better than nothing.

But that was a LOOONG time ago in a galaxy far far away

WarHawk, you used to contribute to SmoothWall? :beer: Work on any other distro or OSS project?