This topic is designed to help you plan to protect your Forefront TMG network against common attacks and Domain Name System (DNS) attacks. It describes:

Detection of common attacks

Common attacks include the following:

  • Windows out-of-band (WinNuke) attack—An attacker launches an out-of-band denial-of-service (DoS) attack against a host protected by Forefront TMG. If the attack is successful, it causes the computer to fail or a loss of network connectivity on vulnerable computers.

  • Land attack—An attacker sends a TCP SYN packet with a spoofed source IP address that matches the IP address of the targeted computer, and with a port number that is allowed by the Forefront TMG policy rules, so that the targeted computer tries to establish a TCP session with itself. If the attack is successful, some TCP implementations could go into a loop causing the computer to fail.

  • Ping of death—An attacker attaches a large amount of information, that exceeds the maximum IP packet size, to an Internet Control Message Protocol (ICMP) echo (ping) request. If the attack is successful, a kernel buffer overflows, causing the computer to fail.

  • IP half scan—An attacker repeatedly attempts to connect to a targeted computer, but does not send ACK packets in response to SYN/ACK packets. During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client that initiates the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not log completed connections until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host, without causing a connection to be logged.

  • UDP bomb—An attacker attempts to send a User Datagram Protocol (UDP) datagram, with illegal values in certain fields, which could cause some older operating systems to fail when the datagram is received. By default, no alert is configured for this type of attack.

  • Port scan—An attacker attempts to count the services that are running on a computer by probing each port for a response. You can specify the number of ports that can be scanned before an event is generated.

When Forefront TMG intrusion detection is enabled and offending packets are detected, they are dropped, and an event that triggers an Intrusion Detected alert is generated. By default, the Intrusion Detected alert is reset automatically after one minute, during which time Forefront TMG continues to block offending packets but without issuing an alert. You can configure this alert to send you an e-mail notification when it is triggered. You can also enable logging of the dropped packets.

The name of each type of detected attack corresponds to an additional condition in the definition of the Intrusion Detected event. For each additional condition (type of attack), you can define and enable an alert which specifies the actions to be taken in response to the event, and is issued by the Microsoft Firewall service, when all the conditions specified in the alert are met. The actions that can be triggered by an alert include: sending an e-mail message, invoking a command, writing to a log, and starting or stopping Forefront TMG services.

Detection of DNS attacks

The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network, and other protected networks. If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity:

  • DNS host name overflow—When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.

  • DNS length overflow—When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.

  • DNS zone transfer—A client system uses a DNS client application to transfer zones from an internal DNS server.

When offending packets are detected, they are dropped, and an event that triggers a DNS Intrusion alert is generated. You can configure the alerts to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually.

Related Topics