Intrusion detection

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Internet Security and Acceleration (ISA) Server features intrusion detection, which identifies when an attack is attempted against your network and performs a set of configured actions, or alerts, in case of an attack. The following ISA Server events are considered intrusions:

  • All ports scan attack

  • IP half scan attack

  • Land attack

  • Ping of death attack

  • UDP bomb attack

  • Windows out-of-band attack

Intrusion detection functionality is based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net. Portions Copyright 2000 Internet Security Systems, Inc.

For more information, see Configuring intrusion detection.

All ports scan attack

This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, indicating the number of ports that can be accessed.

Enumerated port scan attack

This alert notifies you that an attempt was made to count the services running on a computer by probing each port for a response.

If this alert occurs, identify the source of the port scan and compare the ports probed with the services that are running on the target computer. Also try to determine the intent of the scan. Check the access logs for indications of unauthorized access. If you do detect indications of unauthorized access, you should consider the system compromised and take appropriate action.

IP half scan attack

This alert notifies you that repeated connection attempts were made to a destination computer, and no corresponding ACK packets were ever sent to complete them.

A standard transmission control protocol (TCP) connection is established by sending a SYN packet to the destination computer. If the destination is waiting for a connection on the specified port, it responds with a SYN/ACK packet. The initial sender replies with an ACK packet, and the connection is established. If the destination computer is not waiting for a connection on the specified port, it responds with an RST packet.

Most system logs do not log completed connections until the final ACK packet is received from the source. Sending an RST packet instead of the final ACK results in the connection never actually being established and, therefore, the connection is not logged. Because the source can identify whether the destination sent a SYN/ACK or RST packet, an attacker can determine exactly which ports are open for connections, without the destination being aware of the probing.

If this alert occurs, log the address from which the scan occurs. If appropriate, configure the ISA Server policy rules or Internet Protocol (IP) packet filters to block traffic from the source of the scans.

Land attack

This alert notifies you that a TCP SYN packet was sent with a spoofed source IP address and port number that match the destination IP address and port. If the attack is successfully mounted, it can cause some TCP implementations to go into a loop that crashes the computer.

If this alert occurs, configure the ISA Server policy rules or IP packet filters to inhibit traffic from the source of the attack packets.
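The two detection conditions described above, the half-open handshake with no final ACK and the land packet whose source equals its destination, as an added example written for this page (not ISA Server's own detection code). It runs over a constructed list of packet summaries; the addresses, ports and the threshold of three ports are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not real captures). Each tuple is
# (src_ip, src_port, dst_ip, dst_port, flags); flags is "SYN", "SYN/ACK", "ACK" or "RST".
SAMPLE_PACKETS = [
    # Half-open scan of 192.0.2.10 from 203.0.113.5: SYN to four ports. Two are open
    # (SYN/ACK, torn down by RST from the prober), two are closed (RST from target).
    # The prober never sends the final ACK, so nothing is logged as a connection.
    ("203.0.113.5", 40001, "192.0.2.10", 21, "SYN"),
    ("192.0.2.10", 21, "203.0.113.5", 40001, "RST"),
    ("203.0.113.5", 40002, "192.0.2.10", 22, "SYN"),
    ("192.0.2.10", 22, "203.0.113.5", 40002, "SYN/ACK"),
    ("203.0.113.5", 40002, "192.0.2.10", 22, "RST"),
    ("203.0.113.5", 40003, "192.0.2.10", 25, "SYN"),
    ("192.0.2.10", 25, "203.0.113.5", 40003, "RST"),
    ("203.0.113.5", 40004, "192.0.2.10", 80, "SYN"),
    ("192.0.2.10", 80, "203.0.113.5", 40004, "SYN/ACK"),
    ("203.0.113.5", 40004, "192.0.2.10", 80, "RST"),
    # Ordinary client completing the full three-way handshake to port 443.
    ("198.51.100.7", 51000, "192.0.2.10", 443, "SYN"),
    ("192.0.2.10", 443, "198.51.100.7", 51000, "SYN/ACK"),
    ("198.51.100.7", 51000, "192.0.2.10", 443, "ACK"),
    # Land packet: spoofed source address and port equal the destination's.
    ("192.0.2.10", 139, "192.0.2.10", 139, "SYN"),
]


def is_land_packet(pkt):
    """True for a SYN whose source IP and port equal its destination IP and port."""
    src_ip, src_port, dst_ip, dst_port, flags = pkt
    return flags == "SYN" and src_ip == dst_ip and src_port == dst_port


def find_half_open_scanners(packets, threshold=3):
    """Return {src_ip: [(dst_ip, dst_port), ...]} for sources that opened at least
    `threshold` distinct handshakes and never sent the final ACK for them.
    A SYN opens a pending entry keyed by the 4-tuple; only a bare ACK from the same
    4-tuple closes it (a SYN/ACK from the target does not). Entries still pending at
    the end, whether torn down by RST from either side or simply abandoned, are
    half-open probes. A live detector would expire entries on a timer instead."""
    pending = {}
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        key = (src_ip, src_port, dst_ip, dst_port)
        if flags == "SYN":
            pending[key] = True
        elif flags == "ACK":
            pending.pop(key, None)  # handshake completed: a normal connection
    probed = defaultdict(set)
    for src_ip, _src_port, dst_ip, dst_port in pending:
        probed[src_ip].add((dst_ip, dst_port))
    return {src: sorted(t) for src, t in probed.items() if len(t) >= threshold}
```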

Ping of death attack

This alert notifies you that a large amount of information was appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet. If the attack is successfully mounted, a kernel buffer overflows when the computer attempts to respond, which crashes the computer.

If this alert occurs, create a protocol rule that specifically denies incoming ICMP echo request packets from the Internet.

UDP bomb attack

This alert notifies you that there is an attempt to send an illegal User Datagram Protocol (UDP) packet. A UDP packet that is constructed with illegal values in certain fields will cause some older operating systems to crash when the packet is received. If the target machine does crash, it is often difficult to determine the cause.

Windows out-of-band attack

This alert notifies you that there was an out-of-band denial-of-service attack attempted against a computer protected by ISA Server. If mounted successfully, this attack causes the computer to crash or causes a loss of network connectivity on vulnerable computers.

Intrusion detection functionality is based on technology from Internet Security Systems, Inc., Atlanta, Georgia, United States of America.