Learn How Your ISA Server Helps Block CAN-2005-0688 (Land Attack Vulnerability) Traffic
This page was first published on Wednesday, June 15, 2005.
The first course of action taken against CAN-2005-0688 must be protecting and patching all affected computers. Details of this issue can be found here.
The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 to help block malicious traffic as described in CAN-2005-0688 and to protect computers on internal networks. Servers running ISA Server 2000 in cache mode cannot restrict CAN-2005-0688 traffic. Additionally, ISA 2000 does not perform packet filtering on traffic received from LAT-based hosts. ISA Server 2004 has no such limitations.
The first section of this article contains technical details about CAN-2005-0688:
This article also discusses how ISA Server can mitigate a CAN-2005-0688 attack:
Protecting internal networks from external attack with ISA Server
Helping to prevent outbound CAN-2005-0688 attacks through ISA Server
Protecting the ISA Server computer from CAN-2005-0688 attacks
This article also discusses:
How to Make Sure ISA Server 2000 Is Correctly Configured
How to Make Sure that ISA Server 2004 Is Correctly Configured
ISA Server 2000 in firewall or integrated mode will block CAN-2005-0688 packets if all of the following are true:
Packet Filtering is enabled
The LAT is properly configured
ISA Server 2004 blocks all CAN-2005-0688 packets.
For the network protected by a server running ISA Server to be vulnerable to outside attack, specific rules would need to be written to allow traffic on these ports.
DO enable Internet Protocol (IP) packet filtering for ISA 2000.
Note: Customers who have not enabled IP packet filtering should review that procedure on this page.
A Windows server that has ISA Server 2000 installed is only vulnerable to attack by CAN-2005-0688 if ISA Server is operating in:
Firewall or Integrated mode with a misconfigured LAT
Firewall or Integrated mode with Packet Filtering disabled
...or the traffic originates from the LAT.
A Windows server that has ISA Server 2004 installed is not vulnerable to CAN-2005-0688 traffic.
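The check a packet filter applies to Land traffic, as an added example that is not code from this page or from ISA Server: a Land packet is a TCP SYN whose source address and port equal its destination address and port. The function and sample names are hypothetical, and the packets are constructed in memory from documentation address ranges.

```python
import socket
import struct

TCP, SYN = 6, 0x02

def is_land_packet(packet: bytes) -> bool:
    """True for an IPv4 TCP SYN whose source address and port equal
    its destination address and port (the Land pattern)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                         # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IP header length; options vary it
    if ihl < 20 or packet[9] != TCP:
        return False
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                         # later fragment: no TCP header here
    if len(packet) < ihl + 14:
        return False                         # TCP header cut short
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    return (bool(flags & SYN) and packet[12:16] == packet[16:20]
            and src_port == dst_port)

def build_sample(src, sport, dst, dport, flags, ip_options=b""):
    """Constructed test input: bare IPv4 + TCP headers, checksums left zero."""
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 20, 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + ip_options + tcp

# Constructed samples (documentation address ranges), never sent anywhere.
SAMPLES = {
    "land": build_sample("192.0.2.10", 139, "192.0.2.10", 139, SYN),
    "land_with_ip_options": build_sample("192.0.2.10", 139, "192.0.2.10", 139,
                                         SYN, b"\x01" * 4),
    "normal_syn": build_sample("198.51.100.7", 49152, "192.0.2.10", 139, SYN),
    "same_host_other_port": build_sample("192.0.2.10", 1025, "192.0.2.10", 139, SYN),
    "same_endpoints_ack_only": build_sample("192.0.2.10", 139, "192.0.2.10", 139, 0x10),
}

def classify(samples):
    """Map each sample name to True (Land pattern, drop) or False (pass)."""
    return {name: is_land_packet(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:26} {'DROP' if verdict else 'pass'}")
```

The IP-options sample shows why the TCP header offset must be read from the IHL field rather than assumed to be 20 bytes.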