Intrusion detection

ISA Server features an intrusion detection mechanism, which identifies when an attack is attempted against your network and, when one is detected, performs the configured actions or raises alerts. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Suspicious activities trigger alerts. Actions include connection termination, service termination, e-mail alerts, logging, and others.

If intrusion detection is enabled, you can configure which of the following intrusions triggers alerts:

  • All ports scan attack
  • Enumerated port scan attack
  • IP half scan attack
  • Land attack
  • Ping of death attack
  • UDP bomb attack
  • Windows out-of-band attack

Intrusion detection functionality is based on technology from Internet Security Systems, Inc., Atlanta, GA, U.S., www.iss.net. Portions copyright ©2000 Internet Security Systems, Inc.

All ports scan attack

This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, indicating the number of ports that can be accessed.

Enumerated port scan attack

This alert notifies you that an attempt was made to count the services running on a computer by probing each port for a response.

If this alert occurs, identify the source and intent of the port scan, and compare the ports that were probed with the services that are running on the target computer. Check the access logs for indications of unauthorized access. If you do detect indications of unauthorized access, you should consider the system compromised and take appropriate action.

IP half scan attack

This alert notifies you that repeated connection attempts (SYN packets) were made to a destination computer, and no corresponding ACK packets followed to complete the connections.

A standard TCP connection is established by sending a SYN packet to the destination computer. If the destination is waiting for a connection on the specified port, it responds with a SYN/ACK packet. The initial sender replies with an ACK packet, and the connection is established. If the destination computer is not waiting for a connection on the specified port, it responds with an RST packet.

Most system logs do not log completed connections until the final ACK packet is received from the source. Sending an RST packet instead of the final ACK results in the connection never actually being established and, therefore, the connection is not logged. Because the source can identify whether the destination sent a SYN/ACK or RST packet, an attacker can determine exactly which ports are open for connections, without the destination being aware of the probing.

If this alert occurs, log the address from which the scan occurs. If appropriate, configure access policy rules to block traffic from the source of the scans.

Land attack

This alert notifies you that a TCP SYN packet was sent with a spoofed source IP address and port number that matches that of the destination IP address and port. If the attack is successfully mounted, it can cause some TCP implementations to go into a loop that causes the computer to fail.

If this alert occurs, configure the ISA Server policy rules or IP packet filters to block traffic from the source of the attack.
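To show how the signatures above translate into detection logic, here is an added example that is not part of the ISA Server product or its documentation: it replays a constructed list of packet summaries and flags the all ports scan threshold, the IP half scan (SYN, SYN/ACK, then RST instead of the final ACK) and the land attack (source address and port equal to the destination). The tuple layout, the sample addresses and the three helper functions are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed packet summaries for the demo (not ISA Server log format):
# (src_ip, src_port, dst_ip, dst_port, tcp_flags), flags as a string of S/A/R.
SAMPLE = [
    ("10.0.0.9", 40001, "192.0.2.10", 22, "S"),
    ("192.0.2.10", 22, "10.0.0.9", 40001, "SA"),
    ("10.0.0.9", 40001, "192.0.2.10", 22, "R"),      # RST instead of final ACK: half scan
    ("10.0.0.9", 40002, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.0.0.9", 40002, "SA"),
    ("10.0.0.9", 40002, "192.0.2.10", 80, "A"),      # ordinary completed handshake
    ("10.0.0.9", 40003, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "10.0.0.9", 40003, "R"),     # closed port: RST comes from the target
    ("198.51.100.7", 139, "198.51.100.7", 139, "S"), # src == dst address and port: land
]

def detect_land(packets):
    """Land attack: a SYN whose source IP:port equals its destination IP:port."""
    return [(s, sp) for s, sp, d, dp, f in packets
            if "S" in f and "A" not in f and (s, sp) == (d, dp)]

def detect_half_scans(packets):
    """IP half scan: target answered SYN with SYN/ACK, source sent RST, never ACK.
    Returns {source_ip: sorted list of open ports the source probed}."""
    state = {}                      # (src, sport, dst, dport) -> handshake stage
    hits = defaultdict(set)
    for s, sp, d, dp, f in packets:
        fwd, rev = (s, sp, d, dp), (d, dp, s, sp)
        if f == "S" and fwd not in state:
            state[fwd] = "syn"
        elif f == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"   # target is listening; waiting for the final ACK
        elif f == "A" and state.get(fwd) == "synack":
            state[fwd] = "established"
        elif f == "R" and state.get(fwd) == "synack":
            state[fwd] = "half_scan"  # RST in place of ACK: open port learned, nothing logged
            hits[s].add(dp)
    return {src: sorted(p) for src, p in hits.items()}

def detect_port_scans(packets, threshold):
    """All ports scan: a source probing more distinct destination ports than threshold."""
    ports = defaultdict(set)
    for s, _, d, dp, f in packets:
        if "S" in f and "A" not in f:
            ports[(s, d)].add(dp)
    return [(s, d, len(p)) for (s, d), p in ports.items() if len(p) > threshold]
```

A real sensor would also expire handshake state after a timeout, since a source that simply never answers the SYN/ACK leaves the same gap in the logs as one that sends RST.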

Ping of death attack

This alert notifies you that a large amount of information was appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet. If the attack is successfully mounted, a kernel buffer overflows when the computer attempts to respond, which causes the computer to fail.

If this alert occurs, create an access rule that specifically denies incoming ICMP echo request packets from the Internet.

UDP bomb attack

This alert notifies you that there is an attempt to send an illegal User Datagram Protocol (UDP) packet. A UDP packet that is constructed with illegal values in certain fields will cause some older operating systems to fail when the packet is received. If the target machine does fail, it is often difficult to determine the cause.

Windows out-of-band attack

This alert notifies you that there was an out-of-band denial-of-service attack attempted against a computer protected by ISA Server. If mounted successfully, this attack causes the computer to fail or causes a loss of network connectivity on vulnerable computers.
