Intrusion detection filters

Microsoft Internet Security and Acceleration (ISA) Server 2006 includes intrusion detection filters:

DNS filter

The DNS application filter, installed with ISA Server, intercepts and analyzes DNS traffic destined for the Internal network. The DNS filter is the backbone of the ISA Server intrusion detection mechanism. Intrusion detection identifies when an attack is attempted against your network and performs a set of configured actions, or alerts, in case of an attack. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Suspicious activities trigger alerts. Actions include connection termination, service termination, e-mail alerts, logging, and others.

For instructions, see Enable intrusion detection of common attacks and Enable intrusion detection of DNS attacks.

If intrusion detection is enabled, you can configure which of the following intrusions triggers alerts:

In addition, you can configure which of the following DNS attacks triggers alerts:

All ports scan attack

This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, indicating the number of ports that can be accessed.

Enumerated port scan attack

This alert notifies you that an attempt was made to count the services running on a computer by probing each port for a response.

If this alert occurs, you should identify the source of the port scan. Compare this with the services that are running on the target computer. Also, identify the source and intent of the scan. Check the access logs for indications of unauthorized access. If you do detect indications of unauthorized access, you should consider the system compromised and take appropriate action.

IP half scan attack

This alert notifies you that repeated attempts were made to send Transmission Control Protocol (TCP) packets with invalid flag combinations.

During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client initiating the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not log completed connections until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host, without causing a connection to be logged. This is known as a TCP half scan, or a stealth scan, because it does not generate a log entry on the scanned host.

If this alert occurs, log the address from which the scan occurs. If appropriate, configure the ISA Server rules to block traffic from the source of the scans.

Land attack

This alert notifies you that a TCP SYN packet was sent with a spoofed source IP address and port number that match those of the destination IP address and port. If the attack is successfully mounted, it can cause some TCP implementations to go into a loop that causes the computer to fail.

Ping of Death attack

This alert notifies you that an IP fragment was received with more data than the maximum IP packet size. If the attack is successfully mounted, a kernel buffer overflows, which causes the computer to fail.

UDP bomb attack

This alert notifies you that an attempt was made to send an illegal User Datagram Protocol (UDP) packet. A UDP packet constructed with illegal values in certain fields causes some older operating systems to fail when the packet is received. If the target machine does fail, it is often difficult to determine the cause.

Windows out-of-band attack

This alert notifies you that there was an out-of-band denial of service attack attempted against a computer protected by ISA Server. If mounted successfully, this attack causes the computer to fail or causes a loss of network connectivity on vulnerable computers.
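The checks behind three of these alerts, as an added example that is not ISA Server code: Python functions that flag a land attack, an IP fragment that would exceed the maximum packet size, and a TCP half scan in constructed packet summaries (the Packet fields, the port threshold and the sample values are assumptions).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet summaries (not captured traffic): one entry per IP packet
# seen by a filter, reduced to the fields the checks below need.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "icmp"
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A", "R"
    frag_offset: int = 0  # IP fragment offset, in 8-byte units
    length: int = 0       # bytes of IP payload carried in this fragment

MAX_IP_PACKET = 65535  # maximum total length of a reassembled IPv4 datagram

def is_land_attack(p: Packet) -> bool:
    """TCP SYN whose (spoofed) source address and port equal the destination's."""
    return p.proto == "tcp" and p.flags == "S" and p.src == p.dst and p.sport == p.dport

def is_oversized_fragment(p: Packet) -> bool:
    """Fragment whose data would extend past the maximum IP packet size."""
    return p.frag_offset * 8 + p.length > MAX_IP_PACKET

def half_scan_sources(packets, threshold: int = 10) -> dict:
    """Sources that sent a bare SYN to more than `threshold` distinct ports on one
    host and never sent the final ACK of the handshake for those ports."""
    syn_ports = defaultdict(set)  # (src, dst) -> ports probed with a bare SYN
    acked = defaultdict(set)      # (src, dst) -> ports where the client sent an ACK
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst)
        if p.flags == "S":
            syn_ports[key].add(p.dport)
        elif p.flags == "A":
            acked[key].add(p.dport)
    return {key: sorted(ports - acked[key])
            for key, ports in syn_ports.items()
            if len(ports - acked[key]) > threshold}

# Constructed sample: one land packet, one oversized fragment, one real
# connection to port 443, and a half scan of twelve ports from the same source.
SAMPLE = [Packet("10.0.0.5", 80, "10.0.0.5", 80, "tcp", "S"),
          Packet("198.51.100.9", 0, "10.0.0.5", 0, "icmp", frag_offset=8180, length=1480),
          Packet("192.0.2.7", 40000, "10.0.0.5", 443, "tcp", "S"),
          Packet("192.0.2.7", 40000, "10.0.0.5", 443, "tcp", "A")]
SAMPLE += [Packet("192.0.2.7", 40001 + i, "10.0.0.5", 1000 + i, "tcp", "S") for i in range(12)]

def scan_report(packets):
    return {"land": [p for p in packets if is_land_attack(p)],
            "ping_of_death": [p for p in packets if is_oversized_fragment(p)],
            "half_scan": half_scan_sources(packets)}
```

The half-scan check only keys on the absence of the client's final ACK; a production filter would also track SYN/ACK and RST replies from the target, as the paragraph on the normal handshake describes.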

POP filter

The Post Office Protocol (POP) filter intercepts and analyzes POP traffic destined for the Internal network. Specifically, the application filter checks for POP buffer overflow attacks.

A POP buffer overflow attack occurs when a remote attacker attempts to gain root access of a POP server by overflowing an internal buffer on the server.
