[RESOLVED] ZoneAlarm, Noscript, and blocking dangerous sites

Ask for help about NoScript, no registration needed to post
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by dhouwn »

Oops, I meant the "Windows Command Processor" cmd.exe. ;-)
"route print" without the quotes.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by Tom T. »

dhouwn wrote:Oops, I meant the "Windows Command Processor" cmd.exe. ;-)
That's what I tried.
Tom T. wrote:Command line does not recognize that command
This machine has been heavily trimmed of stuff I don't need, don't want, or even may be dangerous. That's why the %windir% is only 178 MB, and the entire HD usage is about 900 MB. Reduces attack surface by 90+%, and makes an older, low-end laptop quite fast. I'll have to try it when I pull out the untrimmed backup machine for the next MS Patch Tuesday.

But this source cites something like what you said:

Code:

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      127.16.8.14  127.16.8.14       1
So yes, it looks like there is a network address of 0000, but its destination is also 0000. Still looks like a good black hole for Hosts redirection of unwanted sites.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by GµårÐïåñ »

I have said about all I am going to say about the networking portion of the discussion, but just one last thing about 0.0.0.0: it is known loosely by many as the "escape" route, and it's often used by routers that have no route for an address to just send it outside of their own network and on to the next hop (be it a gateway or whatever) to see if THEY have a route; if so, then they will handle it, otherwise it just dies. Hence why it's called the ultimate route, as it is an absolute wildcard. Now Tom, you may not see it in the general router interfaces; you need to look in the part of your router where they keep "static" routes or "system" routes to see it, as it is generally done by default and not left up to the user's volition to change. In higher networking, like Cisco/Juniper industrial configurations, you as the router admin actually have absolute control over it and in fact MUST find the most appropriate way to handle it, to ensure that dynamic protocols like EIGRP, IGRP, RIP, RIPv2, OSPF, etc., don't change it; by manually and statically setting certain routes, you protect against route poisoning, and it is often even considered a 'security' measure of sorts. Anyway, I won't comment any more, and to each their own as to what they understand and want to accept or not, but I wanted to make that one last clarification. All take it for what it's worth.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by Tom T. »

GµårÐïåñ wrote: Now Tom, you may not see it in the general router interfaces, you need to look in the part of your routers where they keep "static" routes or "system" routes to see it,
How would I do that?

And what destination address would you suggest for the Hosts file "black hole", so that requests to unwanted sites never leave the machine itself?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by GµårÐïåñ »

Tom T. wrote:How would I do that?
To be honest, since the days of my last Linksys WRT54GX version 2 (SRX) router, I have not looked at an admin panel for a consumer model Linksys, which is now owned by Cisco. However, if you have not changed the default "router address", then typing 192.168.1.1 should take you to the admin page. The default password used to be admin (no username) unless they changed that; some older ones were admin/admin or admin/letmein, but anyway, I digress. Whatever your router IP is, and if you are not sure, look in the properties of your NIC/wireless card and you will see it listed under the "gateway" address; it will be somewhere in the standard 192.168.1.1 or 192.168.0.1 or somewhere within the 255.255.255.0 subnet mask range, where a /24 simply gives you .2-.253 as valid addresses. The .0 is the network or adapter's own address; the first available IP, usually .1, is assigned to the router interface, and then from there .2 through .253 are available, since .254, the last valid IP, is always the broadcast address. The 0 and 254 are always unusable by conventional means. Once you are in there, there should be a tab for NAT, IIRC, and under there you should see your routes, and if not, then under the advanced panel within that section. I can pull out my old one and boot it up and see the path if you like, but you should be able to find it.
Tom T. wrote:And what destination address would you suggest for the Hosts file "black hole", so that requests to unwanted sites never leave the machine itself?
That is a tricky question and, as I tried to allude to earlier, depends on the way you have your topology configured. Say you have your router sitting at 192.168.1.1, you have no fixed IPs, and have enabled DHCP for the range .10 - .50; then effectively any address that appears after .51, not including the broadcast, which is .254, would presumably never be used, therefore any of those would serve as a good black hole. To give homage to the devil, use .66 :) or to give homage to the sixties, go with .69 :P, but anything from .51 to .253 would work as a good dead IP.

Jokes aside though, it comes down to: which IP will NEVER have anything there to respond? So you send something there, nothing acknowledges, accepts or replies, it will just DIE, and it won't require your router to "validate" the communication, because it will never get a reply.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by Tom T. »

Yes, of course I know how to get to my router's admin page, and have user-set many things. But as posted somewhat above, nowhere did I find the address 0.0.0.0. So if there is some secret hiding place for it, yes, you would have to pull it out of storage and find it. But please don't feel obligated.

Wouldn't sending things to an out-of-range, but still LAN-routable, address, still send packets to the router? The idea is that packets never leave the machine for the blacklisted sites. See the following:

Code:

C:\WINDOWS\system32>ping 192.168.1.190

Pinging 192.168.1.190 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.190:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\WINDOWS\system32>ping 0.0.0.0

Pinging 0.0.0.0 with 32 bytes of data:

Destination specified is invalid.
Destination specified is invalid.
Destination specified is invalid.
Destination specified is invalid.

Ping statistics for 0.0.0.0:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 
Note that with 192.x+, it still tried to send the packets, and the requests timed out. Which involves a delay of some number of seconds, since, as you know, a failed request is retried. Whereas with 0000, it responded *immediately*: "Hey, Stupid, there's no such place."

The former took about 20 seconds, while the latter took less than four seconds. (Try it yourself, on a non-web-server?) I think I'll stick with 0.0.0.0, thanks. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
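As an added example that is not part of the thread, here is a small Python audit of a hosts file that sorts each sink address into the buckets the posts above argue over: 0.0.0.0 (the unspecified address, which the stack rejects without sending anything, as Tom's ping shows), 127.0.0.0/8 loopback (never leaves the machine, but a web server listening locally could still answer), an RFC 1918 or link-local address (goes out the NIC to the LAN or router and waits for ARP and timeouts), or anything else (follows the default route off the LAN). The sample hosts content is constructed for the example, and the four-way classification is the example's own, not anything from the forum or from NoScript.

```python
import ipaddress

# Constructed sample hosts file for this example (not the thread's file).
SAMPLE_HOSTS = """\
# Standard loopback entry; not a sink.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid        # unspecified address
127.0.0.1       tracker.example.invalid    # loopback sink
192.168.1.190   malware.example.invalid    # LAN address used as a sink
203.0.113.9     bad.example.invalid        # address outside the LAN
0.0.0.0         a.example.invalid b.example.invalid
this is not a hosts line
"""

# RFC 1918 ranges plus link-local: addresses that live on the local LAN.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def classify_sink(addr: str) -> str:
    """Classify a hosts-file target by where traffic to it would end up."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0: not a valid destination, dropped in the stack
        return "unspecified"
    if ip.is_loopback:             # 127.0.0.0/8: stays on the machine, but a local
        return "loopback"          # listener on that port could still answer
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"               # goes out the NIC to the LAN / router
    return "routed"                # follows the default route beyond the LAN


def parse_hosts(text: str):
    """Return (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a hosts mapping; skip it
        for name in fields[1:]:                # one address may map several names
            entries.append((lineno, fields[0], name))
    return entries


def sinks_that_leave_the_host(text: str):
    """Return mappings whose target would put packets on the wire."""
    return [
        (lineno, addr, name)
        for lineno, addr, name in parse_hosts(text)
        if classify_sink(addr) in ("lan", "routed")
    ]


if __name__ == "__main__":
    for lineno, addr, name in parse_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name:28} -> {addr:15} [{classify_sink(addr)}]")
    for lineno, addr, name in sinks_that_leave_the_host(SAMPLE_HOSTS):
        print(f"WARNING line {lineno}: {name} sinks to {addr}; traffic leaves the host")
```

Running it against a real hosts file (read the text from `%SystemRoot%\System32\drivers\etc\hosts` on Windows or `/etc/hosts` elsewhere) flags exactly the entries GµårÐïåñ's "dead LAN IP" approach would create: they block the site, but every request still goes out the NIC and waits for a reply that never comes, which is the delay Tom measured with ping.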
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by dhouwn »

GµårÐïåñ wrote:therefore any of those would serve as a good blackhole
Again, why not simply use an invalid endpoint address like 0.0.0.0 or something.0? This way nothing might even be sent out in the first place.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by Tom T. »

dhouwn wrote:
GµårÐïåñ wrote:therefore any of those would serve as a good blackhole
Again, why not simply use an invalid endpoint address like 0.0.0.0 or something.0? This way nothing might even be sent out in the first place.
My point exactly, and the difference in times required to run the above ping tests tends to support that a LAN address will in fact be sent to the router, whereas 0000 disappears five times as quickly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by GµårÐïåñ »

@Tom, keep in mind that when you are PINGING something, you are ACTIVELY requesting a reply, which means it HAS to wait for a reply, but if you simply forwarded a packet to it, it would die, as it is not actively requesting a FRAME. But as to why the 0.0.0.0 died immediately: most consumer model routers simply hide that in the routing table as a static failsafe to the ISP and won't allow the private range IPs, aka 192., 172., 10. addresses, to have direct access to it, BECAUSE it will ALWAYS have a way out and defeat the purpose of looping a bad domain to the ultimate route out to the web, doesn't it? So by default on consumer models that is blocked by the router firewall. If you were using an industrial router, you would have a MUCH different response. To be safe against any chance that the firewall might be off or the router might have a bad OS that doesn't account for this, I recommend against using 0.0.0.0, but since @dhouwn seems to be absolutely rabid for it, knock yourself out, up to you.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by dhouwn »

But it doesn't even reach the router. To cite Giorgio:
http://hackademix.net/2009/07/01/abe-warnings-everywhere-omg/#comment-13807 wrote:I can swear about Firefox internals: invalid addresses like 0.0.0.0 or 255.255.255.0 don't generate any network traffic, and their rejection is immediate: therefore they're a far better candidate for adblocking.
It's never a valid endpoint address; it gets rejected immediately.
Last edited by dhouwn on Sat Mar 03, 2012 10:22 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by GµårÐïåñ »

Yes, if the conditions _I_ cited are in effect, mainly a consumer grade router with that address blocked by the internal firewall. I am not going to keep debating this; if you want me to say you are right, fine, you are right. Happy? No skin off my ass.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Comodo_Dragon/17.4.1.0 Chrome/17.0.963.56 Safari/535.11
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by Tom T. »

GµårÐïåñ wrote:Yes if the conditions _I_ cited is in effect, mainly consumer grade router
Settle down, guys. ;)

As I said to GµårÐïåñ here,
Tom T. wrote:I believe that your information is based on the fact that you run a web server from your home or office or whatever ... I am a basic home user, addressing similar home users who might have a LAN, but no publicly-available web server (disregarding online gaming, IM, and some other apps that sometimes make the machine behave like a server in some regards).
Most of this forum is for home users. Enterprises and servers will naturally have different needs.

So: Giorgio, dhouwn, and I agree that 0000 is fine, and GµårÐïåñ agrees that it's fine for home users.

GµårÐïåñ warns enterprises and/or web servers to investigate their own internal network structure before messing with Hosts.

Agreed?

May we close out this discussion now?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ZoneAlarm / Noscript issue -- Blocking dangerous sites

Post by GµårÐïåñ »

Yessum 8-)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Comodo_Dragon/17.4.1.0 Chrome/17.0.963.56 Safari/535.11