This topic is designed to help you plan to protect your Forefront TMG network against common attacks and Domain Name System (DNS) attacks. It describes the detection of common attacks and the detection of DNS attacks.
Detection of common attacks
Common attacks include the following:
- Windows out-of-band (WinNuke) attack—An attacker launches an out-of-band denial-of-service (DoS) attack against a host protected by Forefront TMG. If the attack is successful, vulnerable computers fail or lose network connectivity.
- Land attack—An attacker sends a TCP SYN packet with a spoofed source IP address that matches the IP address of the targeted computer, and with a port number that is allowed by the Forefront TMG policy rules, so that the targeted computer tries to establish a TCP session with itself. If the attack is successful, some TCP implementations go into a loop, causing the computer to fail.
- Ping of death—An attacker attaches to an Internet Control Message Protocol (ICMP) echo (ping) request an amount of data that exceeds the maximum IP packet size. If the attack is successful, a kernel buffer overflows, causing the computer to fail.
- IP half scan—An attacker repeatedly attempts to connect to a targeted computer, but does not send ACK packets in response to SYN/ACK packets. During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client that initiated the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most systems do not log a connection as completed until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host without causing a connection to be logged.
- UDP bomb—An attacker sends a User Datagram Protocol (UDP) datagram with illegal values in certain fields, which can cause some older operating systems to fail when the datagram is received. By default, no alert is configured for this type of attack.
- Port scan—An attacker attempts to enumerate the services running on a computer by probing each port for a response. You can specify the number of ports that can be scanned before an event is generated.
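The following is an added illustration, not Forefront TMG code, of how three of the signatures listed above (Land attack, Ping of death and port scan) can be expressed as per-packet checks. The `Packet` record, the `Detector` class and the 65535-byte IPv4 limit are assumptions of this example; the sample traffic is constructed, not a real capture.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_IP_PAYLOAD = 65535 - 20   # largest reassembled payload an IPv4 datagram may carry

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""         # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    frag_offset: int = 0    # IP fragment offset in bytes (header field * 8)
    length: int = 0         # payload bytes carried by this fragment

class Detector:
    """Per-packet checks for three of the attacks listed above; state is kept only for port scans."""
    def __init__(self, port_scan_threshold=10):
        self.port_scan_threshold = port_scan_threshold
        self.ports_seen = defaultdict(set)   # source address -> distinct destination ports probed

    def inspect(self, p):
        """Return the name of the attack the packet matches, or None if it should pass."""
        # Land attack: a SYN whose spoofed source equals the destination it is sent to.
        if p.proto == "tcp" and p.flags == "S" and p.src == p.dst:
            return "Land attack"
        # Ping of death: an ICMP echo fragment whose reassembled size exceeds the IP maximum.
        if p.proto == "icmp" and p.frag_offset + p.length > MAX_IP_PAYLOAD:
            return "Ping of death"
        # Port scan: one source touching more distinct ports than the configured threshold.
        if p.proto in ("tcp", "udp") and p.dport:
            self.ports_seen[p.src].add(p.dport)
            if len(self.ports_seen[p.src]) > self.port_scan_threshold:
                return "Port scan"
        return None

def run_sample():
    """Feed constructed sample packets (not a real capture) through a detector; return the verdicts."""
    d = Detector(port_scan_threshold=5)
    sample = [
        Packet("10.0.0.5", "10.0.0.5", "tcp", dport=80, flags="S"),                    # Land
        Packet("198.51.100.7", "10.0.0.5", "icmp", frag_offset=65528, length=100),      # Ping of death
        Packet("198.51.100.7", "10.0.0.5", "icmp", length=56),                          # ordinary ping
    ] + [Packet("203.0.113.9", "10.0.0.5", "tcp", dport=port, flags="S") for port in range(20, 27)]
    return [d.inspect(p) for p in sample]

if __name__ == "__main__":
    print(run_sample())
```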
When Forefront TMG intrusion detection is enabled and offending packets are detected, they are dropped, and an event that triggers an Intrusion Detected alert is generated. By default, the Intrusion Detected alert is reset automatically after one minute, during which time Forefront TMG continues to block offending packets but without issuing an alert. You can configure this alert to send you an e-mail notification when it is triggered. You can also enable logging of the dropped packets.
The name of each type of detected attack corresponds to an additional condition in the definition of the Intrusion Detected event. For each additional condition (type of attack), you can define and enable an alert that specifies the actions to be taken in response to the event; the Microsoft Firewall service issues the alert when all the conditions specified in it are met. The actions that can be triggered by an alert include sending an e-mail message, invoking a command, writing to a log, and starting or stopping Forefront TMG services.
Detection of DNS attacks
The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network, and other protected networks. If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity:
- DNS host name overflow—When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.
- DNS length overflow—When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.
- DNS zone transfer—A client system uses a DNS client application to transfer zones from an internal DNS server.
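As an added example (not the Forefront TMG DNS filter itself), the checks above can be applied to a raw DNS message: the owner name of each answer record is measured against the 255-byte limit, an A record's RDLENGTH is checked against 4 bytes and against the bytes remaining in the message, and a question of type AXFR (252) is reported as a zone transfer request. The `build` helper and the messages it produces are constructed for this example; a message cut off inside a fixed field is reported as malformed rather than parsed further.

```python
import struct
AXFR, A, MAX_NAME = 252, 1, 255   # zone-transfer QTYPE, A-record TYPE, longest legal wire-format name

def read_name(msg, off, depth=0):   # -> (uncompressed wire length, offset after the name)
    length = 0
    while True:
        if off >= len(msg) or depth > 16:
            raise ValueError("truncated or looping name")
        n = msg[off]
        if n == 0:
            return length + 1, off + 1
        if n & 0xC0 == 0xC0:                      # compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return length + read_name(msg, ptr, depth + 1)[0], off + 2
        length, off = length + n + 1, off + n + 1

def inspect_dns(msg):
    """Return the findings for one DNS message; an empty list means nothing suspicious."""
    findings = []
    try:
        qd, an = struct.unpack("!HH", msg[4:8])
        off = 12
        for _ in range(qd):                       # question section: flag zone-transfer requests
            _, off = read_name(msg, off)
            if struct.unpack("!H", msg[off:off + 2])[0] == AXFR:
                findings.append("DNS zone transfer")
            off += 4
        for _ in range(an):                       # answer section: owner-name and RDLENGTH checks
            nlen, off = read_name(msg, off)
            if nlen > MAX_NAME:
                findings.append("DNS host name overflow")
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rdlen > len(msg) - off or (rtype == A and rdlen > 4):
                findings.append("DNS length overflow")
                break                             # later records cannot be trusted
            off += rdlen
    except (struct.error, ValueError):            # cut off inside a fixed field: drop it too
        findings.append("malformed DNS message")
    return findings

def build(labels, qtype, answers):   # constructed test messages: one question plus uncompressed RRs
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 if answers else 0x0100, 1, len(answers), 0, 0)
    msg += name + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        msg += name + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
SAMPLE_OK = build([b"www", b"example", b"com"], A, [(A, b"\xc0\x00\x02\x01")])   # constructed: 192.0.2.1
SAMPLE_FAT_A = build([b"www", b"example", b"com"], A, [(A, b"\x00" * 16)])       # constructed: 16-byte A RDATA
```

Running `inspect_dns(SAMPLE_OK)` yields an empty list, while `inspect_dns(SAMPLE_FAT_A)` reports the length overflow.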
When offending packets are detected, they are dropped, and an event that triggers a DNS Intrusion alert is generated. You can configure the alerts to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually.