Learn How Your ISA Server Helps Block CAN-2005-0688 (Land Attack Vulnerability) Traffic

This page was first published on Wednesday, June 15, 2005.

The first course of action taken against CAN-2005-0688 must be protecting and patching all affected computers.  Details of this issue can be found here.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 to help block malicious traffic as described in CAN-2005-0688 and to protect computers on internal networks. Servers running ISA Server 2000 in cache mode cannot restrict CAN-2005-0688 traffic. Additionally, ISA 2000 does not perform packet filtering on traffic received from LAT-based hosts.  ISA Server 2004 has no such limitations.

The first section of this article contains technical details about CAN-2005-0688:

  • Affected Traffic

This article also discusses how ISA Server can mitigate a CAN-2005-0688 attack:

  • Protecting internal networks from external attack with ISA Server
  • Helping to prevent outbound CAN-2005-0688 attacks through ISA Server
  • Protecting the ISA Server computer from CAN-2005-0688 attacks

This article also discusses:

  • How to Make Sure ISA Server 2000 Is Correctly Configured
  • How to Make Sure that ISA Server 2004 Is Correctly Configured


Affected Traffic

Protecting Internal Networks from External Attack with ISA Server

Helping to Prevent Outbound CAN-2005-0688 Attacks Through ISA Server

Protecting the ISA Server Computer from CAN-2005-0688 Attacks

How to Make Sure that ISA Server 2000 Is Correctly Configured

How to Make Sure that ISA Server 2004 Is Correctly Configured

For More Information

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user’s own risk.

Table 1 lists affected traffic known to be used by CAN-2005-0688. This data is current as of 10:40 AM Wednesday, March 30, 2005.

# Protocol Command Known to Be Used by CAN-2005-0688?


Any IP

Source-IP = Victim IP


ISA Server 2000 in firewall or integrated modes will block CAN-2005-0688 packets if all of the following is true:

  • Packet Filtering is enabled
  • The LAT is properly configured

ISA Server 2004 blocks all CAN-2005-0688 packets.

For the network protected by a server running ISA Server to be vulnerable from outside attack, specific rules would need to be written to allow traffic on these ports.

  • DO enable Internet protocol (IP) packet filtering for ISA 2000.
    Customers who have not enabled IP packet filtering should review that procedure on this page.

Because ISA 2000 performs source-NAT on all outbound traffic, it will not be able to translate this traffic and will drop it.  ISA 2004 will recognize this traffic as “spoofed” and drop it.

A Windows server that has ISA Server 2000 installed is only vulnerable to attack by CAN-2005-0688 if ISA Server is operating in:

  • Cache mode
  • Firewall or Integrated mode with a misconfigured LAT
  • Firewall or Integrated mode with Packet Filtering disabled

..or the traffic originates from the LAT.

A Windows server that has ISA Server 2004 installed is not vulnerable to CAN-2005-0688 traffic.

To enable IP packet filtering:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.
  2. Right-click IP Packet Filters, select Properties.
  3. Check the Enable Packet Filtering box.

ISA 2004 requires no additional configuration to block this traffic.