I think f0dder and I are in complete agreement, in that an ounce of prevention is worth a pound of cure. e.g. Once hostile code has gained a foothold on a machine the battle has already been lost.
There are 65,536 ports available in the TCP/IP stack and any of them can be leveraged for or against the machine using any number of services that are typically left running. i.e. NetSend Spam and the Messenger Service ... Anybody remember that annoying little game?
In a nutshell, there are really only two ways to hack a computer: Brute Forcing a session open, and Injecting code into an existing session to gain control of it. Anything else is either a variation on the first two, or an attempt at Social Engineering ... Which is (hacking the user) always the softest attack point in any security scheme. Why go through all the trouble of trying to defeat the locks and alarm systems if all you have to do is knock on the door, smile nice, say hello, and walk right in...!
Simple is best ... and success is results driven.
The latest batch of (direct machine attack based) fast and furious virus development is virtually non-existent. Everything coming at us these days is some variation on a soft target, user interactive, socially engineered knock at the proverbial door. Drive-by downloads (to be effective) require that one or more of the following are true:
You have been conned into visiting the site.
The site's server admin had their pants down and let the server get breached.
You were compelled to click on something, or you're behind on security updates.
You were running with administrative rights on the local machine, which is required by and for the exploit to gain and maintain control of the machine.
Note: I have to be somewhere so I've got to go now, I'll try to expand on this later ... I'm guessing it's fairly easy to guess where I'm headed with it.
So... Who is it we're trying to protect "Our Stuff" from? Hackers? The news media has managed to spin that term into a completely useless Pavlovian reflex that has people stampeding into hiding to surrender their wallets to whomever wishes to claim that they can protect them from "Evil" (Much like a talisman in the dark ages...). *Snicker*
In the current Internet environment most of the problem children are using Phishing scams. That cleanly puts marketing companies and identity thieves into the same boat, as they are both after the same thing and have the same amount of scruples (e.g. None). The best target is the softest one, and the softest one is the user. So unless there is a firewall that operates a third hand that pops out of the desk and slaps the user in the head when they click on things that they shouldn't ... Then firewalls are simply not effective in that regard.
Will a software firewall prevent your computer from being a willing zombie participant in a DoS/DDoS attack? Maybe. But mitigating the damage and preventing it are worlds apart. If a Trojan can be prevented from gaining control of your machine in the first place (Privilege Restriction...) there's no need to try and corral it. Most people have home networks these days. Software firewalls get configured to freely allow communication between machines on the local network. So even if the rest of the world is "Protected" from your carefully firewalled stupidity ... Your LAN is still ToasT. <-That is not a solution.
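The "LAN is still toast" point above is easy to see in a toy rule evaluator. The following is an added example, not code from the poster or from any firewall product: a minimal first-match, default-deny rule matcher is run once with the usual home-network setting (trust the whole local subnet) and once with rules that only allow the two services that are actually needed from the two hosts that need them. All addresses, ports, the rule format and the "infected laptop scanning the LAN" scenario are constructed for illustration.

```python
"""Toy host-firewall policy check: what a blanket "trust the LAN" rule lets through.

Added example for illustration only. The rule format, addresses and hosts are
constructed and do not correspond to any real firewall product's syntax.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR of source addresses the rule applies to
    ports: frozenset     # destination ports covered; empty set means any port


def matches(rule, src_ip, dst_port):
    """True when the connection attempt falls under this rule."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return not rule.ports or dst_port in rule.ports


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if matches(rule, src_ip, dst_port):
            return rule.action
    return "deny"


# Typical home setting: everything on the local subnet is trusted on every port.
PERMISSIVE_LAN = [
    Rule("allow", "192.168.1.0/24", frozenset()),
]

# Tightened: one peer may reach file sharing, one admin box may reach RDP,
# everything else from anywhere is denied explicitly.
RESTRICTED_LAN = [
    Rule("allow", "192.168.1.10/32", frozenset({445})),    # constructed: file-sharing peer
    Rule("allow", "192.168.1.20/32", frozenset({3389})),   # constructed: admin workstation
    Rule("deny", "0.0.0.0/0", frozenset()),
]

# Constructed scenario: a family laptop on the same LAN picked up a trojan from a
# drive-by download and is now probing its neighbours on common Windows ports.
INFECTED_PEER = "192.168.1.77"
PROBES = [445, 3389, 135, 139]   # SMB, RDP, RPC endpoint mapper, NetBIOS session


def exposure(rules, src_ip=INFECTED_PEER, ports=PROBES):
    """Return the sorted list of probed ports the policy lets the peer reach."""
    return sorted(p for p in ports if evaluate(rules, src_ip, p) == "allow")


if __name__ == "__main__":
    print("permissive LAN rule exposes:", exposure(PERMISSIVE_LAN))
    print("restricted LAN rules expose:", exposure(RESTRICTED_LAN))
```

With the permissive rule the infected peer reaches every probed service; with the restricted rules it reaches none, while the two legitimate peers still get exactly the one port each of them needs. The design choice worth noting is the explicit trailing deny rule: the evaluator already defaults to deny, but stating it in the policy makes the intent visible when someone later edits the list.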