Learn How Your ISA Server Helps Block CAN-2005-0048 Traffic

Note

This page was first published on Wednesday, June 15, 2005.

The first course of action taken against CAN-2005-0048 must be protecting and patching all affected computers. Details of this issue can be found here.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 to help block malicious traffic as described in CAN-2005-0048 and to protect computers on internal networks. Servers running ISA Server 2000 in cache mode cannot restrict CAN-2005-0048 traffic. Additionally, ISA 2000 does not perform packet filtering on traffic received from LAT-based hosts. ISA Server 2004 has no such limitations.

The first section of this article contains technical details about CAN-2005-0048:

  • Affected Traffic

This article also discusses how ISA Server can mitigate a CAN-2005-0048 attack:

  • Protecting internal networks from external attack with ISA Server
  • Helping to prevent outbound CAN-2005-0048 attacks through ISA Server
  • Protecting the ISA Server computer from CAN-2005-0048 attacks

This article also discusses:

  • How to Make Sure ISA Server 2000 Is Correctly Configured
  • How to Make Sure that ISA Server 2004 Is Correctly Configured

Disclaimer

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user’s own risk.

Affected Traffic

Table 1 lists affected traffic known to be used by CAN-2005-0048. This data is current as of 3:26 PM Monday, March 28, 2005.

Table 1. Affected traffic

  #   IP Protocol   Header       Known to Be Used by CAN-2005-0048?
  1   Any           IP Options   Yes

Note

Unless you know that your network is configured to use specific IP Options, you can safely enable this setting.

Protecting Internal Networks from External Attack with ISA Server

ISA Server 2000 in firewall or integrated modes will block CAN-2005-0048 packets if all of the following are true:

  • Packet Filtering is enabled
  • IP Options filtering is enabled

ISA Server 2004 blocks all CAN-2005-0048 packets if IP Option filtering is enabled, even if no IP Options are selected.

For the network protected by a server running ISA Server to be vulnerable from outside attack, specific rules would need to be written to allow traffic on these ports.

  • DO enable Internet protocol (IP) packet filtering for ISA 2000.

  • DO enable IP Options filtering for ISA 2000 and ISA 2004.

    Note

    Customers who have not enabled IP packet filtering should review that procedure on this page.

Helping to Prevent Outbound CAN-2005-0048 Attacks Through ISA Server

Because ISA Server 2000 does not apply packet filtering to traffic originating within the LAT, it is not able to prevent the spread of CAN-2005-0048 to external networks by default. ISA 2004 performs packet filtering on traffic from all networks and so prevents the spread of this traffic outside your network.

Protecting the ISA Server Computer from CAN-2005-0048 Attacks

A Windows 2000 server that has ISA Server 2000 installed is only vulnerable to attack by CAN-2005-0048 if ISA Server is operating in:

  1. Cache mode
  2. Firewall or Integrated mode with a misconfigured LAT
  3. Firewall or Integrated mode with Packet Filtering and IP Options filtering disabled

...or if the traffic originates from the LAT.

A Windows 2000 server that has ISA Server 2004 installed is only vulnerable to attack by CAN-2005-0048 if IP Options filtering has been disabled.

How to Make Sure that ISA Server 2000 Is Correctly Configured

To enable IP packet filtering:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.
  2. Right-click IP Packet Filters, select Properties.
  3. Check the Enable Packet Filtering box.

To enable IP Options filtering:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.

  2. Right-click IP Packet Filters, select Properties.

  3. Select the Packet Filters tab.

  4. Check the Enable filtering IP options box.

  5. Click Apply.

  6. Select Save the changes and restart the service(s).

  7. Click OK, then OK.

    Note

    It may take up to 2 minutes before the services restart, depending on current traffic load experienced by the ISA

How to Make Sure that ISA Server 2004 Is Correctly Configured

To enable IP Options filtering default settings:

  1. In ISA Management, expand <ISA Server name>, then Configuration.
  2. Select General.
  3. In the center pane, click Define IP Preferences.
  4. In the IP Preferences window, select Enable IP option filtering.
  5. In the IP options drop-down list, select Deny packets with the selected IP options.

Note

Steps 6 through 8 are not required to block CAN-2005-0048, but are included to provide the installation defaults.

  6. Uncheck Show undefined IP options.
  7. Uncheck Show only selected IP options.
  8. In the options list, select:
    • Record Route (7)
    • Time Stamp (68)
    • Loose Source Route (131)
    • Strict Source Route (137)
  9. Click Apply, then OK.
  10. When the Apply and Discard buttons appear in the center pane, click Apply.
  11. When the Apply New Configuration dialog states “Changes to the configuration were successfully applied”, click OK.
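The two filtering behaviours described in this article (ISA Server 2004 denying any packet carrying IP options once option filtering is enabled, and the installation default of denying only the four selected option types listed in step 8) can be modelled at the packet level. The following Python script is an added example written for this page; it is not ISA Server code and does not reproduce ISA's internal logic. It parses the IPv4 header option area per RFC 791, rejects an option whose length byte is out of range as malformed rather than trying to interpret it, and then applies either policy. The packets it inspects are constructed inline (checksum left at zero, addresses are sample values) and the option-type values 7, 68, 131 and 137 are those from the IP Preferences dialog above.

```python
import socket
import struct
from typing import List, Tuple

# Option-type byte values as listed in the ISA Server 2004 IP Preferences dialog.
DEFAULT_DENIED_OPTIONS = {7, 68, 131, 137}

# Single-byte options with no length field (RFC 791).
END_OF_OPTIONS = 0
NO_OPERATION = 1


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return [(option_type, option_data), ...] from an IPv4 header.

    Raises ValueError for a truncated header or a malformed option encoding,
    so the caller can treat "could not parse" as a deny, not an allow."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl_bytes = (version_ihl & 0x0F) * 4
    if ihl_bytes < 20 or ihl_bytes > len(packet):
        raise ValueError("IHL out of range")
    opts = packet[20:ihl_bytes]
    result = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == END_OF_OPTIONS:
            break
        if opt_type == NO_OPERATION:
            i += 1
            continue
        # Every other option carries a length byte covering type + length + data.
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        opt_len = opts[i + 1]
        if opt_len < 2 or i + opt_len > len(opts):
            raise ValueError("option length out of range")
        result.append((opt_type, bytes(opts[i + 2:i + opt_len])))
        i += opt_len
    return result


def filter_decision(packet: bytes, deny_all_options: bool = False,
                    denied_types=DEFAULT_DENIED_OPTIONS) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one packet under the chosen policy.

    deny_all_options=True models 'IP option filtering enabled, no types selected';
    deny_all_options=False models 'Deny packets with the selected IP options'."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError as exc:
        return ("deny", f"malformed header: {exc}")
    if not options:
        return ("allow", "no IP options present")
    if deny_all_options:
        return ("deny", "IP options present")
    hits = [t for t, _ in options if t in denied_types]
    if hits:
        return ("deny", f"denied option types {hits}")
    return ("allow", "only permitted option types present")


def build_ipv4_header(options: bytes, src: str = "10.0.0.1",
                      dst: str = "10.0.0.2", proto: int = 1) -> bytes:
    """Build a minimal IPv4 header with raw option bytes (constructed sample data).

    The header checksum is left at zero because only the option area is inspected."""
    padded = options + b"\x00" * ((-len(options)) % 4)   # pad with End of Options
    ihl = 5 + len(padded) // 4
    total_len = ihl * 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + padded


# Constructed sample packets: no options, Record Route (7), NOP + Router Alert (148),
# and a Record Route option whose length byte is zero (malformed).
SAMPLES = {
    "no options": build_ipv4_header(b""),
    "record route": build_ipv4_header(b"\x07\x0b\x04" + b"\x00" * 8),
    "router alert": build_ipv4_header(b"\x01\x94\x04\x00\x00"),
    "bad length": build_ipv4_header(b"\x07\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} selected-only: {filter_decision(pkt)}")
        print(f"{name:13} deny-all:      {filter_decision(pkt, deny_all_options=True)}")
```

The "router alert" sample is the interesting one: under the installation-default selection it is allowed, because option type 148 is not one of the four listed types, while with no types selected (the setting this article says still blocks CAN-2005-0048 on ISA Server 2004) every packet with any option is denied. A packet whose option area cannot be parsed is denied under both policies.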

For More Information