
uTorrent Causing IP Spoofing Alarms on Outpost Firewall.


Dantro


OS: Windows XP SP2 5.1 build 2600

Firewall: Agnitum Outpost Pro 3.0.543.5722 (431)

AV: Kaspersky Personal Pro

Dial-Up Hardware: Thomson SpeedTouch 330 USB

I've been using Outpost firewall for about 2 years now and have NEVER had a problem with my internet connection. I installed uTorrent about 3 weeks ago after switching from Azureus and I am now experiencing a lot of frustration and problems. uTorrent is somehow causing the Outpost firewall to report malicious IP Spoofing on continuously changing MAC addresses (I run my own business and have 2 x Mac G5's and 2 x high-end PC's networked together). Outpost then does what it's coded to do in the event of IP Spoofing..... disconnect the dial-up from the Internet. I contacted Agnitum's Tech Support and in accordance with their advice, I've tried changing a few of the settings but nothing has cured the problem. At that point they gave up and told me to contact you guys. Has anybody else using Outpost experienced the same problems and is there a work-around or cure for this problem?


Further information to my original posting about uTorrent causing IP Spoofing alarms on Agnitum Outpost Pro

Last night I tried all of the following Torrent clients in tandem with Agnitum Outpost Pro and achieved the following results:-

BitTorrent - works 100% OK

BitComet - works 100% OK

Azureus - works 100% OK

ABC Torrent - works 100% OK

BitLord - works 100% OK

uTorrent - continuously causes IP Spoofing alarms and disconnection from the Internet...... Houston.... We have a problem!!!


Every couple of weeks I have that same problem with WinXP's (SP2) firewall (not sure if the problem is that I have wifi for my internet access, and ethernet to a direct NAS box - maybe if I made the firewall to only wifi interface?). Luckily I can just turn the firewall off then on and it fixes it. Rather irritating that my torrents are disconnected until it gets fixed.


Switeck: Yes I'm on a dial-up but it's an 8Mb/s connection. I did all of the recommended speed tests and set up µTorrent exactly as per the instructions and the info in the FAQ. I am able to "Force D/L" 10-14 torrents simultaneously with Azureus and that never throws up or causes any alarms on the Outpost firewall. Overloading the dial-up is not causing the problem. It has to be something else. I can get µTorrent working fine but only if I kill or override the "Ethernet Attack Detection" that's built into Outpost Pro. I'm not happy about doing that because it was put there for a reason :-)

Miffo: Your comments about Outpost Pro are a bit surprising. It's a superb and very easy-to-configure firewall. Outpost Pro and ZoneAlarm were the only 2 firewalls to successfully catch and report 14 of the best leak detection tests. Don't just worry about keeping inbound traffic out.... think also about the outbound traffic that might be leaking out straight through your firewall without you even knowing about it :-(

I have tested them all.... BitDefender, Norton, Sygate, Panda etc etc. Believe me.... Outpost Pro is the dog's bollocks :-)


I had the same issue, here's what I did: plug-ins, attack detection, right click for properties, on the ethernet tab uncheck "block intruder's IP when he spoofs his IP address"!

No problems since. I was a Tiny Firewall user for a long time, then it was Kerio, now Outpost. I found that most had a little bit of a learning curve, but a little reading and it comes to you!

hope this helps

]v[ax


maxwedge: That's precisely what I was talking about in my last posting. I can get µTorrent working fine but only if I override the "Ethernet Attack Detection" but as I said, we shouldn't have to do that. It was put there for a reason, namely to read and check for malformed packet headers and IP Spoofing on both inbound and outbound ethernet traffic (something that a lot of hardware routers can't do). Disabling it just because of µTorrent isn't the solution. Other BitTorrent clients work fine with Outpost so what is causing µTorrent to behave differently? I guess the solution for me is to just carry on with Azureus. I'll try µTorrent again at a later date when it's fully sorted.


Miffo: What problems did you have with Outpost Pro when you tested it? I do appreciate that ZoneAlarm Pro has a very steep learning curve but for those who are prepared to invest the RTFM time, it's still one of the better software firewalls currently available. Without mentioning the word "Router", would you care to enlighten us all and tell us what (in your opinion) is the best software firewall currently available?

Maxwedge: I think I have found something which contributes partly towards resolving the problem. Open up "Attack Detection" then click on the "Advanced" tab. At the bottom of the pop-up menu click on "Exclusions - Ports". Set this to TRUST both TCP and UDP connections on the ports which µTorrent is binding to (in my case Port 32459) and suddenly the whole picture changes. Instead of reporting IP Spoofing attacks and disconnecting every 10-20mins, alarms don't appear as frequently. I managed to stay online and downloading with µTorrent for about 5-6hrs between the IP Spoofing alarms. It would appear that UDP binding of the port has something to do with it. I'm pretty tenacious and haven't given up yet :-)


I'm not overriding the whole ethernet detection plug-in, just the spoofed IP part of it.

Everything else is as it was. I'm not overly worried about someone changing the MAC address on their NIC!

I still get warnings regarding other attacks, difference being I don't lose my connection to the net because of Outpost blocking all traffic!


SWITECK: I don't think it's because of overloaded upload connections and I definitely don't have a hostile ISP. I know they ping all connections at regular intervals to drop the "idlers" and keep the ratios up but that (according to my Outpost logs) appears to be taking place on the DCOM (135) and HTTP (80).

Anyway, it now looks like we have (between us all) resolved the conflict problem of Outpost and µTorrent :-)

My "Ethernet Attack Detection" properties are currently set to NOT "Block an intruder when he spoofs his IP address" and I have allowed all UDP traffic on port 32459. My 8Mb/s dial-up is enabling me to simultaneously D/L as many as 16 torrents with the U/L speed set at 120Kb/s.

The best thing is....... not one single alarm being reported by Outpost during the past 48hrs :-)


CHAOSBLADE: If I were you I would get rid of "Look 'n' Stop" immediately. It performs very well on the leak tests but it is completely useless as an anti-hacking deterrent. When I tested it (straight out of the box) I went to all of the better online firewall testing sites (Shields Up - Sygate etc). All of them reported 11 very significant ports as "Closed". That is not the idea of sitting behind a firewall. You should be totally "Stealthed" and invisible to the outside world. Any hacker scanning my PCs and network will not get a response and as far as he is concerned, no PCs exist at my IP address. In your case (with Look 'n' Stop) he will get a response that certain ports are "Closed" and he will know straight away that a PC exists at the address he is scanning. NOT GOOD :-(

Get rid of Look 'n' Stop and install either Outpost Pro or ZoneAlarm Pro. Total stealth - nothing getting in - nothing leaking out :-)


That's actually not true, it would be very obvious to any "hacker" that your PC exists, because if you didn't exist, I do believe there would be a "No route to host" error. :) Obviously, that doesn't happen when you're stealthed, so again, it's quite obvious you exist. Sorry to burst your bubble.


Firon: That's a good point and you're absolutely correct but without going into the realms of nMap and other tools I think we can all agree that as a defence against Joe Bloggs and "kiddie script" port scanners, "Stealth" is definitely more preferable to "Closed".


Any firewall which cannot withstand the kind of traffic µTorrent can generate doesn't even merit being considered a good firewall. A real threat might treat such a firewall as the toy it is.

UDP packets, from my view, seem a likely candidate for the "IP spoofing" Outpost Firewall claims to see.

Possibly not even malformed ones.

Even NAT traversal is a mild form of IP spoofing. While it's true µTorrent doesn't support that, the sending clients may not recognize that.


Switeck: Agreed on that point. As soon as I permitted UDP traffic on port 32459 and "excluded" it from the Attack Detection filtering, the alarms were far less frequent. Maybe Agnitum should consider adding a MAC Address tab to the Attack Detection system :-)


Actually, with the default set of enhanced rules in LNS, I passed the ShieldsUP! test completely. That, and the fact it's safe against 99% of the leaktests. To add on that, I completely blocked "port unreachable" and "host unreachable" ICMP messages being sent from my comp. So the only port that MIGHT be visible here instead of stealthed is 113, IRC IDENT.


chaosblade: Wow!!! I didn't realise an enhanced ruleset was available for LnS but I have to admit.... I am impressed now. As I said in my posting.... I tested it "straight out of the box" so I have gone back to it for a second look.

It was a bugger to set up on 4 networked machines plus a laptop because I had to install it on each one and then individually configure the MAC address access for all of them before they could communicate with each other. I got there in the end though.

LnS is one VERY impressive firewall. Thanks for the tip :-)


Archived

This topic is now archived and is closed to further replies.
