IP Filtering and Intrusion Detection/Intrusion Prevention - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources] (text version)


Thomas W. Shinder; Debra Littlejohn Shinder

IP Filtering and Intrusion Detection/Intrusion Prevention


The ISA firewall performs intrusion detection and intrusion prevention. In this section, we discuss the following intrusion detection and intrusion prevention features:

    Common Attacks Detection and Prevention
    DNS Attacks Detection and Prevention
    IP Options and IP Fragment Filtering

Common Attacks Detection and Prevention



You can access the Intrusion Detection dialog box by opening the Microsoft Internet Security and Acceleration Server 2004 management console, expanding the server name, and then expanding the Configuration node. Click the General node.


In the General node, click the Enable Intrusion Detection and DNS Attack Detection link. This brings up the Common Attacks tab.


On the Common Attacks tab, put a checkmark in the Enable intrusion detection checkbox. Put a checkmark to the left of each of the attacks you want to prevent. If you enable the Port scan attack, enter values for the Detect after attacks … well-known ports and Detect after attacks on … ports. (See Figure 10.41.)





Figure 10.41: The Common Attacks Tab


You can disable logging for packets dropped by the Intrusion Detection filter by removing the checkmark from the Log dropped packets checkbox.



Denial-of-Service Attacks



Denial-of-service (DoS) attacks are one of the most popular choices of Internet hackers who want to disrupt a network's operations. Although they do not destroy or steal data as some other types of attacks do, the objective of the DoS attacker is to bring down the network, denying service to its legitimate users. DoS attacks are easy to initiate; software is readily available from hacker Web sites and warez newsgroups that will allow anyone to launch a DoS attack with little or no technical expertise.







Note


Warez is a term used by hackers and crackers to describe bootlegged software that has been 'cracked' to remove copy protections and made available by software pirates on the Internet, or in its broader definition, to describe any illegally distributed software.




In February 2000, massive DoS attacks brought down several of the biggest Web sites, including Yahoo.com and Buy.com.


The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that will crash the servers, overwhelm the routers, or otherwise prevent the network's devices from functioning properly. Denial of service can be accomplished by tying up the server's resources; for example, by overwhelming the CPU and memory resources. In other cases, a particular user/machine can be the target of DoS attacks that hang up the client machine and require it to be rebooted.







Note


DoS attacks are sometimes referred to in the security community as 'nuke attacks.'





Distributed Denial-of-Service Attack


Distributed DoS attacks use intermediary computers, called agents, on which programs called zombies have previously been surreptitiously installed. The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which may be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack.


Examples of DDoS tools used by hackers are TFN (Tribe FloodNet), TFN2K, Trinoo, and Stacheldraht (German for 'barbed wire'). While early versions of DDoS tools targeted UNIX and Solaris systems, TFN2K can run on both UNIX and Windows systems.


Because DDoS attacks are so popular, many tools have been developed to help you detect, eliminate, and analyze DDoS software that may be installed on your network. The National Infrastructure Protection Center has recently announced one such tool to detect some types of DDoS programs on some systems. For more information, see www.fbi.gov/nipc/trinoo.







Note


An excellent article that provides details on how TFN, TFN2K, Trinoo, and Stacheldraht work is available on the NetworkMagazine.com Web site, titled Distributed Denial of Service Attacks, at www.networkmagazine.com/article/NMG20000512S0041.




It is important to note that DDoS attacks pose a two-layer threat. Your network could be the target of a DoS attack that crashes your servers and prevents incoming and outgoing traffic, and your computers could be used as the 'innocent middlemen' to launch a DoS attack against another network or site.



SYN Attack/LAND Attack


SYN attacks exploit the TCP 'three-way handshake,' the process by which a communications session is established between two computers. Because TCP (unlike UDP) is connection-oriented, a session, or direct one-to-one communication link, must be created prior to sending data. The client computer initiates the communication with the server (the computer whose resources it wants to access).


The 'handshake' includes the following steps:

    1. The client machine sends a SYN (synchronization request) segment.
    2. The server sends an ACK message and a SYN, which acknowledges the client machine's request that was sent in step 1, and sends the client a synchronization request of its own. The client and server machines must synchronize each other's sequence numbers.
    3. The client sends an ACK back to the server, acknowledging the server's request for synchronization. When both machines have acknowledged each other's requests, the handshake has been successfully completed and a connection is established between the two computers.





Figure 10.42 illustrates how the process works.





Figure 10.42: TCP Uses a 'Three-Way Handshake' to Establish a Connection between Client and Server


This is how the process normally works. A SYN attack uses this process to flood the system targeted as the victim of the attack with multiple SYN packets that have bad source IP addresses, which causes the system to respond with SYN/ACK messages. The problem comes in when the system, waiting for the ACK message from the client that normally comes in response to its SYN/ACK, puts the waiting SYN/ACK messages into a queue. This is a problem because the queue is limited in the number of messages it can handle. When it is full, all subsequent incoming SYN packets will be ignored. For a SYN/ACK to be removed from the queue, an ACK must be returned from the client, or the interval timer must run out and terminate the three-way handshake process.


Because the source IP addresses for the SYN packets sent by the attacker are no good, the ACKs that the server is waiting for never come. The queue stays full, and there is no room for valid SYN requests to be processed. Thus, service is denied to legitimate clients attempting to establish communications with the server.


The LAND attack is a variation on the SYN attack. In the LAND attack, instead of sending SYN packets with IP addresses that do not exist, the flood of SYN packets all have the same spoofed IP address, that of the targeted computer.


The LAND attack can be prevented by filtering out incoming packets whose source IP addresses appear to be from computers on the internal network. ISA Server has preset intrusion detection functionality that allows you to detect attempted LAND attacks, and you can configure Alerts to notify you when such an attack is detected.
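To make the queue mechanism concrete, here is an added illustration (not code from the book or from ISA Server) that models the listen queue as a dictionary of half-open entries with an expiry timer, and adds the two checks the text describes for the LAND variant: a SYN whose source is the target's own address, and a SYN arriving from outside that claims an internal source address. The queue size, the timeout and every address are constructed for the example.

```python
"""Toy model of a TCP listen queue under a SYN flood, with the LAND and
internal-source checks described above.

Added example, not code from the book or from ISA Server. The queue size,
the half-open timer and every address below are constructed for the example.
"""
from dataclasses import dataclass, field

BACKLOG_SIZE = 4          # constructed: a tiny queue so the flood is visible
HALF_OPEN_TIMEOUT = 30.0  # constructed: seconds a SYN/ACK waits for its ACK


@dataclass
class ListenQueue:
    own_ip: str               # the listening host's own address (LAND check)
    internal_prefix: str      # address prefix of the internal network (spoof check)
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry time
    accepted: list = field(default_factory=list)
    dropped: dict = field(default_factory=lambda: {"land": 0, "internal_spoof": 0, "queue_full": 0})

    def on_syn(self, src_ip: str, src_port: int, now: float) -> str:
        # LAND: a SYN whose source address is the target itself.
        if src_ip == self.own_ip:
            self.dropped["land"] += 1
            return "dropped:land"
        # A packet arriving from the Internet that claims an internal source.
        if src_ip.startswith(self.internal_prefix):
            self.dropped["internal_spoof"] += 1
            return "dropped:internal_spoof"
        self.expire(now)
        # The queue of SYN/ACKs awaiting their ACK is finite; when it is full,
        # further SYNs are ignored, which is the condition the flood creates.
        if len(self.pending) >= BACKLOG_SIZE:
            self.dropped["queue_full"] += 1
            return "dropped:queue_full"
        self.pending[(src_ip, src_port)] = now + HALF_OPEN_TIMEOUT
        return "syn_ack_sent"

    def on_ack(self, src_ip: str, src_port: int, now: float) -> str:
        key = (src_ip, src_port)
        if key not in self.pending:
            return "ignored"
        del self.pending[key]          # handshake completed, entry leaves the queue
        self.accepted.append(key)
        return "established"

    def expire(self, now: float) -> int:
        # Entries whose timer has run out leave the queue without an ACK.
        stale = [k for k, t in self.pending.items() if t <= now]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def half_open_count(self) -> int:
        return len(self.pending)


def simulate() -> dict:
    q = ListenQueue(own_ip="203.0.113.10", internal_prefix="10.")
    # Constructed flood: bogus sources that will never answer the SYN/ACK.
    for i in range(6):
        q.on_syn(f"198.51.100.{i}", 40000 + i, now=0.0)
    during = q.on_syn("192.0.2.7", 51000, now=1.0)        # legitimate client, queue full
    land = q.on_syn("203.0.113.10", 139, now=1.0)         # source == target
    spoof = q.on_syn("10.0.0.5", 139, now=1.0)            # claims an internal address
    after = q.on_syn("192.0.2.7", 51000, now=31.0)        # retry once the timers expire
    ack = q.on_ack("192.0.2.7", 51000, now=31.1)
    return {"during": during, "land": land, "spoof": spoof, "after": after,
            "ack": ack, "dropped": dict(q.dropped), "half_open": q.half_open_count()}


if __name__ == "__main__":
    print(simulate())
```

Running simulate() shows the legitimate client's SYN dropped with queue_full while the bogus entries hold the queue, and accepted once the 30-second timers have expired. The dropped counters and the half-open count are the figures a detector watches: a queue that stays full of entries that never complete is the signature of the flood.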



Ping of Death


Another type of DoS attack that ISA Server can be set to specifically detect is the so-called 'Ping of Death' (also known as the 'large packet ping'). The Ping of Death attack is launched by creating an IP packet larger than 65,536 bytes, which is the maximum allowed by the IP specification (this is sometimes referred to as a 'killer packet'). This can cause the target system to crash, hang, or reboot.


ISA allows you to specifically enable detection of Ping of Death attacks.



Teardrop


The Teardrop attack works a little differently from the Ping of Death, but with similar results. The Teardrop program creates IP fragments, which are pieces of an IP packet into which an original packet can be divided as it travels through the Internet. The problem is that the offset fields on these fragments, which are supposed to indicate the portion (in bytes) of the original packet that is contained in the fragment, overlap.


For example, normally two fragments' offset fields might appear as:


Fragment 1:  (offset) 100 - 300
Fragment 2: (offset) 301 - 600


This indicates that the first fragment contains bytes 100 through 300 of the original packet, and the second fragment contains bytes 301 through 600.


Overlapping offset fields would appear something like this:


Fragment 1: (offset) 100 - 300
Fragment 2: (offset) 200 - 400


When the destination computer tries to reassemble these packets, it is unable to do so and may crash, hang, or reboot.
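An added example, not from the book or from ISA Server, of the check a fragment filter makes: given the byte ranges each fragment claims to carry, it reports overlaps (the Teardrop condition), gaps, and whether the datagram is complete. The (first_byte, last_byte, more_fragments) form matches the ranges shown above; wire_to_bytes() converts the header's fragment offset field, which counts 8-byte units, into that form. All sample fragments are constructed.

```python
"""Detect the overlapping fragment offsets that Teardrop-style packets carry.

Added example, not from the book or from ISA Server. A fragment is given as
(first_byte, last_byte, more_fragments), the inclusive byte range the text
uses; wire_to_bytes() converts the header's fragment offset field (in 8-byte
units) and payload length into that form. All sample fragments are constructed.
"""


def wire_to_bytes(fragment_offset_field: int, payload_len: int, more_fragments: bool):
    # The IP header stores the fragment offset in units of 8 bytes.
    first = fragment_offset_field * 8
    return (first, first + payload_len - 1, more_fragments)


def check_fragments(fragments):
    """Return a dict with 'verdict' ('ok', 'overlap', 'gap' or 'empty'),
    the overlapping and missing ranges found, and whether the datagram is
    complete (starts at byte 0, contiguous, last fragment has MF clear)."""
    if not fragments:
        return {"verdict": "empty", "overlaps": [], "gaps": [], "complete": False}
    frags = sorted(fragments, key=lambda f: f[0])
    overlaps, gaps = [], []
    covered_to = frags[0][1]                   # highest byte seen so far
    for prev, cur in zip(frags, frags[1:]):
        first, last, _ = cur
        if first <= covered_to:                # starts inside data already received
            overlaps.append((prev[:2], (first, last)))
        elif first > covered_to + 1:           # bytes missing between fragments
            gaps.append((covered_to + 1, first - 1))
        covered_to = max(covered_to, last)
    complete = (not overlaps and not gaps
                and frags[0][0] == 0 and not frags[-1][2])
    verdict = "overlap" if overlaps else ("gap" if gaps else "ok")
    return {"verdict": verdict, "overlaps": overlaps, "gaps": gaps, "complete": complete}


def fragment_filter(fragments) -> str:
    """Filter decision: drop any datagram whose fragments overlap, the
    condition a Teardrop-type packet set produces; pass everything else."""
    return "drop" if check_fragments(fragments)["verdict"] == "overlap" else "pass"


# Constructed samples: the two cases from the text plus a complete datagram.
NORMAL = [(100, 300, True), (301, 600, False)]
TEARDROP = [(100, 300, True), (200, 400, False)]
COMPLETE = [wire_to_bytes(0, 1480, True), wire_to_bytes(185, 1480, True),
            wire_to_bytes(370, 1040, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("complete", COMPLETE)):
        print(name, fragment_filter(frags), check_fragments(frags))
```

A gap is not a filter decision on its own (the missing fragment may simply not have arrived yet), which is why only the overlap verdict maps to drop; a real reassembler would also bound how long it holds incomplete datagrams.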


Variations include:

    NewTear
    Teardrop2
    SynDrop
    Boink

All of these programs generate some sort of fragment overlap.



Ping Flood (ICMP Flood)


The ping flood or ICMP flood is a means of tying up a specific client machine. It is caused by an attacker sending a large number of ping packets (ICMP echo request packets) to the Winsock or dialer software. This prevents it from responding to server ping activity requests, which causes the server to eventually time out the connection. A symptom of a ping flood is a huge amount of modem activity, as indicated by the modem lights. This is also referred to as a ping storm.


The fraggle attack is related to the ping storm. Using a spoofed IP address (which is the address of the targeted victim), an attacker sends ping packets to a subnet, causing all computers on the subnet to respond to the spoofed address and flood it with echo reply messages.







Note


During the Kosovo crisis, the fraggle attack was frequently used by pro-Serbian hackers against U.S. and NATO sites to overload them and bring them down.




You can use programs such as NetXray or other IP tracing software to record and display a log of the flood packets. Firewalls can be configured to block ping packets, to prevent these attacks.



SMURF Attack


The Smurf attack is a form of 'brute force' attack that uses the same method as the ping flood, but directs the flood of ICMP echo request packets at the network's router. The destination address of the ping packets is the broadcast address of the network, which causes the router to broadcast the packet to every computer on the network or segment. This can result in a very large amount of network traffic if there are many host computers, which can create congestion that causes a denial of service to legitimate users.







Note


The broadcast address is normally represented by all 1s in the host ID. This means, for example, that on class C network 192.168.1.0, the broadcast address would be 192.168.1.255 (255 in decimal represents 11111111 in binary), and in a class C network, the last (fourth) octet represents the host ID. A message sent to the broadcast address is sent simultaneously to all hosts on the network.




In its most insidious form, the Smurf attacker spoofs the source IP address of ping packets. Then, both the network to which the packets are sent and the network of the spoofed source IP address will be overwhelmed with traffic. The network to which the spoofed source address belongs will be deluged with responses to the ping when all the hosts to which the ping was sent answer the echo request with an echo reply.


Smurf attacks can generally do more damage than some other forms of DoS, such as SYN floods. The SYN flood affects only the capability of other computers to establish a TCP connection to the flooded server, but a Smurf attack can bring an entire ISP down for minutes or hours. This is because a single attacker can easily send 40 to 50 ping packets per second, even using a slow modem connection. Because each is broadcast to every computer on the destination network, the number of responses per second is 40 to 50 times the number of computers on the network, which could be hundreds or thousands. This is enough data to congest even a T-1 link.


One way to prevent a Smurf attack from using your network as the broadcast target is to turn off the capability to transmit broadcast traffic on the router. Most routers allow you to do this. To prevent your network from being the victim of the spoofed IP address, you will need to configure your firewall to filter out incoming ping packets.



UDP Bomb or UDP Flood


An attacker can use the User Datagram Protocol (UDP) and one of several services that echo packets upon receipt to create service-denying network congestion by generating a flood of UDP packets between two target systems. For example, the UDP chargen service on the first computer, which is a testing tool that generates a series of characters for every packet that it receives, sends packets to another system's UDP echo service, which echoes every character it receives. By exploiting these testing tools, an endless flow of echoes goes back and forth between the two systems, congesting the network. This is sometimes called a UDP packet storm.


In addition to port 7, the echo port, an attacker can use port 17, the quote of the day service (qotd), or the daytime service on port 13. These services will also echo packets they receive. UDP chargen is on port 19.


Disabling unnecessary UDP services on each computer (especially those mentioned previously) or using a firewall to filter those ports/services will protect you from this type of attack.



UDP Snork Attack


The Snork attack is similar to the UDP bomb. It uses a UDP frame that has a source port of either 7 (echo) or 9 (chargen), with a destination port of 135 (Microsoft location service). The result is the same as the UDP bomb: a flood of unnecessary transmissions that can slow performance or crash the systems that are involved.
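As an added example (not code from the book or from ISA Server) of what a detector for the UDP bomb and Snork patterns can look for in a flow log, the following classifies constructed UDP flow records: a flow is only a loop when both ends are services that echo whatever they receive, and the Snork pattern is the source-port/destination-port pair the text gives. The log line format is an assumption made for the example.

```python
"""Flag UDP flows that match the UDP bomb and Snork patterns described above.

Added example, not from the book or from ISA Server. The log format and the
sample flow records are constructed; the port numbers are those the text lists.
"""
import re
from collections import Counter

# UDP services that answer every datagram they receive (text: ports 7, 13, 17, 19).
LOOPING_UDP_SERVICES = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}
SNORK_SOURCE_PORTS = {7, 9}      # source ports the text lists for the Snork attack
SNORK_TARGET_PORT = 135          # Microsoft location service

# Constructed log format: "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
FLOW_RE = re.compile(
    r"^(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_flow(line: str):
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def classify(flow) -> str:
    if flow is None:
        return "unparsed"
    if flow["proto"] != "UDP":
        return "ok"
    sport, dport = flow["sport"], flow["dport"]
    # Snork: echo-type source port aimed at the location service.
    if sport in SNORK_SOURCE_PORTS and dport == SNORK_TARGET_PORT:
        return "snork"
    # UDP bomb: both ends are services that echo whatever they receive, so a
    # single datagram bounces back and forth indefinitely.
    if sport in LOOPING_UDP_SERVICES and dport in LOOPING_UDP_SERVICES:
        return "udp_bomb"
    return "ok"


def scan_flows(lines):
    """Return (per-line verdicts, count of each verdict)."""
    verdicts = [(line, classify(parse_flow(line))) for line in lines]
    return verdicts, Counter(v for _, v in verdicts)


# Constructed sample records.
SAMPLE_FLOWS = [
    "UDP 10.0.0.5:19 -> 10.0.0.6:7",          # chargen output fed to echo
    "UDP 10.0.0.6:7 -> 10.0.0.5:19",          # ... and echoed straight back
    "UDP 198.51.100.9:7 -> 10.0.0.12:135",    # Snork pattern
    "UDP 10.0.0.20:53211 -> 10.0.0.1:53",     # ordinary DNS lookup
    "UDP 10.0.0.20:53212 -> 10.0.0.1:7",      # one echo request, no loop
    "TCP 10.0.0.20:51000 -> 10.0.0.1:80",     # ordinary HTTP
]

if __name__ == "__main__":
    for line, verdict in scan_flows(SAMPLE_FLOWS)[0]:
        print(f"{verdict:10} {line}")
```

The fifth sample is the useful negative case: an echo request from an ephemeral port is normal traffic, and flagging it would block the very diagnostics the text mentions. The filtering advice in the text (disable the services or block the ports at the firewall) removes the loop entirely, while this check is what you would run over logs to confirm nothing slipped through.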



WinNuke (Windows Out-of-Band Attack)


The out-of-band (OOB) attack, sometimes called the Windows OOB bug, exploits a vulnerability in Microsoft networks. The WinNuke program (and variations such as Sinnerz and Muerte) creates an out-of-band data transmission that crashes the machine to which it is sent. It works like this: A TCP/IP connection is established with the target IP address, using port 139 (the NetBIOS port). Then, the program sends data using a flag called MSG_OOB (or Urgent) in the packet header. This flag instructs the computer's Winsock to send data called out-of-band data. Upon receipt, the targeted Windows server expects a pointer to the position in the packet where the Urgent data ends, with normal data following. However, the OOB pointer in the packet created by WinNuke points to the end of the frame with no data following.


The Windows machine does not know how to handle this situation and will cease communicating on the network, and service will be denied to any users who subsequently attempt to communicate with it. A WinNuke attack usually requires a reboot of the affected system to reestablish network communications.


Windows 95 and NT 3.51 and 4.0 are vulnerable to the WinNuke exploit, unless the fixes provided by Microsoft have been installed. Windows 98/ME and Windows 2000/2003 are not vulnerable to WinNuke, but ISA Server allows you to enable detection of attempted OOB attacks.



Mail Bomb Attack


A mail bomb is a means of overwhelming a mail server, causing it to stop functioning and thus denying service to users. It is a relatively simple form of attack, accomplished by sending a massive quantity of e-mail to a specific user or system. There are programs available on hacking sites on the Internet that allow a user to easily launch a mail bomb attack, automatically sending floods of e-mail to a specified address while protecting the attacker's identity.


A variation on the mail bomb program automatically subscribes a targeted user to hundreds or thousands of high-volume Internet mailing lists, which will fill the user's mailbox and/or the mail server. Bombers call this list linking. Examples of these mail bomb programs include Unabomber, extreme Mail, Avalanche, and Kaboom.


The solution to repeated mail bomb attacks is to block traffic from the originating network using packet filters. Unfortunately, this does not work with list linking because the originator's address is obscured; the deluge of traffic comes from the mailing lists to which the victim has subscribed.



Scanning and Spoofing



The term scanner, in the context of network security, refers to a software program that is used by hackers to remotely determine what TCP/UDP ports are open on a given system, and thus vulnerable to attack. Scanners are also used by administrators to detect vulnerabilities in their own systems in order to correct them before an intruder finds them. Network diagnostic tools such as the famous Security Administrator's Tool for Analyzing Networks (SATAN), a UNIX utility, include sophisticated port scanning capabilities.


A good scanning program can locate a target computer on the Internet (one that is vulnerable to attack), determine what TCP/IP services are running on the machine, and probe those services for security weaknesses.







Note


A common saying among hackers is: 'A good port scanner is worth a thousand passwords.'




Many scanning programs are available as freeware on the Internet. An excellent resource for information about the history of scanning, how scanners work, and some popular scanning programs can be found at www.ladysharrow.ndirect.co.uk/Maximum%20Security/scanners.



Port Scan


Port scanning refers to a means of locating 'listening' TCP or UDP ports on a computer or router, and obtaining as much information as possible about the device from the listening ports. TCP and UDP services and applications use a number of well-known ports, which are widely published. The hacker uses his knowledge of these commonly used ports to extrapolate information.


For example, Telnet normally uses port 23. If the hacker finds that port open and listening, he knows that Telnet is probably enabled on the machine. He can then try to infiltrate the system; for example, by guessing the appropriate password in a brute-force attack.
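The following added example (not code from the book or from ISA Server) shows what port-scan detection looks like when applied to a connection log: it counts the distinct destination ports each source touches within a time window and raises an alert when either of two thresholds is crossed, one for well-known ports (below 1024) and one for ports of any number, which is the shape of the two 'Detect after attacks on ...' settings on the Common Attacks tab. Thresholds, window, log format and log lines are all constructed.

```python
"""Port-scan detection over connection-log lines, with separate thresholds for
well-known ports and for ports of any number.

Added example, not from the book or from ISA Server. The thresholds, the time
window, the log format and every log line are constructed; the two-threshold
shape mirrors the two fields on the Common Attacks tab described earlier.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WELL_KNOWN_THRESHOLD = 5          # distinct ports below 1024 from one source
ALL_PORTS_THRESHOLD = 10          # distinct ports of any number from one source
WINDOW = timedelta(seconds=60)    # only events this recent count

# Constructed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\w+)$")


class PortScanDetector:
    def __init__(self):
        self.events = defaultdict(deque)   # src_ip -> deque of (timestamp, port)
        self.alerted = set()               # sources already reported

    def feed(self, line: str):
        """Consume one log line; return an alert tuple or None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, src, port = datetime.fromisoformat(m["ts"]), m["src"], int(m["port"])
        window = self.events[src]
        window.append((ts, port))
        while window and ts - window[0][0] > WINDOW:   # forget old events
            window.popleft()
        if src in self.alerted:
            return None
        ports = {p for _, p in window}
        well_known = {p for p in ports if p < 1024}
        if len(well_known) >= WELL_KNOWN_THRESHOLD:
            self.alerted.add(src)
            return (src, "well_known_port_scan", len(well_known))
        if len(ports) >= ALL_PORTS_THRESHOLD:
            self.alerted.add(src)
            return (src, "port_scan", len(ports))
        return None


def scan_log(lines):
    detector = PortScanDetector()
    return [alert for alert in map(detector.feed, lines) if alert is not None]


def _line(second: int, src: str, port: int, minute: int = 0) -> str:
    return f"2004-06-01T10:{minute:02d}:{second:02d} {src} -> 10.0.0.1:{port} DROP"


# Constructed sample log, in time order.
SAMPLE_LOG = (
    [_line(i, "203.0.113.5", p) for i, p in enumerate([21, 22, 23, 25, 80], 1)]      # five well-known ports
    + [_line(6, "192.0.2.7", 80), _line(7, "192.0.2.7", 80)]                        # a normal client
    + [_line(10 + i, "198.51.100.7", 3000 + i) for i in range(10)]                   # ten high ports
    + [_line(30 + i, "198.51.100.50", p) for i, p in enumerate([21, 22, 23])]       # slow probe ...
    + [_line(i, "198.51.100.50", p, minute=5) for i, p in enumerate([25, 80, 110])]  # ... outside the window
)

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The last source in the sample never trips an alert: its six probes are split across two windows, so each window sees only three. That is the trade-off the window length sets, and it is why the thresholds on the Common Attacks tab are worth tuning against your own logs rather than left at whatever seems reasonable.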


DNS Attacks Detection and Prevention



The ISA firewall's DNS filter protects DNS servers published by the ISA firewall using Server Publishing Rules. You configure the DNS filter's attack prevention settings in the Intrusion Detection dialog box. Expand the server name and then expand the Configuration node. Click the General node.


In the Details Pane, click the Enable Intrusion Detection and DNS Attack Detection link. In the Intrusion Detection dialog box, click the DNS Attacks tab. On the DNS Attacks tab, put a checkmark in the Enable detection and filtering of DNS attacks checkbox. (See Figure 10.43.)





Figure 10.43: The DNS Attacks Tab


Once detection is enabled, you can enable prevention, and protect yourself from three attacks:

    DNS host name overflow
    DNS length overflow
    DNS zone transfer
The DNS host name overflow and DNS length overflow attacks are DNS DoS type attacks. The DNS DoS attack exploits the difference in size between a DNS query and a DNS response: the network's bandwidth is tied up by the responses to bogus DNS queries, with the attacker using the DNS servers as 'amplifiers' to multiply the DNS traffic.


The attacker begins by sending small DNS queries to each DNS server that contain the spoofed IP address (see IP Spoofing) of the intended victim. The responses returned to the small queries are much larger, so that if there are a large number of responses returned at the same time, the link will become congested and denial of service will take place.


One solution to this problem is for administrators to configure DNS servers to respond with a 'refused' response, which is much smaller than a name resolution response, when they receive DNS queries from suspicious or unexpected sources.


Detailed information for configuring DNS servers to prevent this problem is contained in the U.S. Department of Energy's Computer Incident Advisory Capability information bulletin J-063, available at http://www.ciac.org/ciac/bulletins/j-063.shtml.
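An added example (not code from the book or from ISA Server) of the two DNS checks named above and of the 'refused' mitigation: walk_qname() inspects a query's QNAME for a label longer than 63 bytes or a name longer than 255 bytes (host name overflow) and for length bytes that run past the end of the message (length overflow), and refused_response() builds the small REFUSED reply that can be compared against answer_response(), a constructed positive answer. Messages are built inline with struct; the names and addresses are constructed.

```python
"""Validate the QNAME of a DNS query for the host name and length overflows
the DNS filter checks, and compare a REFUSED reply with a full answer.

Added example, not from the book or from ISA Server; the messages are built
inline with struct rather than captured from a server, and the names and
addresses are constructed.
"""
import struct

MAX_LABEL = 63        # longest single label the DNS wire format allows
MAX_NAME = 255        # longest encoded name, including the terminating zero
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def walk_qname(msg: bytes):
    """Return (verdict, end_of_question_offset). verdict is 'ok' or names
    the overflow found: a label over 63 bytes, a name over 255 bytes, or a
    length byte that points past the end of the message."""
    if len(msg) < 12:
        return "length_overflow:truncated_header", None
    pos, name_len = 12, 0
    while True:
        if pos >= len(msg):
            return "length_overflow:name_runs_past_message", None
        label_len = msg[pos]
        if label_len == 0:                       # root label ends the name
            pos += 1
            name_len += 1
            break
        if label_len >= 0xC0:                    # compression pointer, not valid in a query name
            return "length_overflow:compression_pointer_in_question", None
        if label_len > MAX_LABEL:
            return "hostname_overflow:label_too_long", None
        if pos + 1 + label_len > len(msg):       # length byte claims more than is there
            return "length_overflow:label_runs_past_message", None
        pos += 1 + label_len
        name_len += 1 + label_len
    if name_len > MAX_NAME:
        return "hostname_overflow:name_too_long", None
    if pos + 4 > len(msg):                       # QTYPE and QCLASS must follow
        return "length_overflow:qtype_qclass_missing", None
    return "ok", pos + 4


def refused_response(query: bytes) -> bytes:
    """Header with QR set and RCODE=REFUSED, question copied, no answers."""
    verdict, qend = walk_qname(query)
    if verdict != "ok":
        raise ValueError(verdict)
    txid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100) | RCODE_REFUSED, 1, 0, 0, 0)
    return header + query[12:qend]


def answer_response(query: bytes, addresses) -> bytes:
    """Positive answer carrying one A record per address (constructed data)."""
    verdict, qend = walk_qname(query)
    if verdict != "ok":
        raise ValueError(verdict)
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        # name as a pointer to the question (0xC00C), type A, class IN, TTL, rdlength, rdata
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 3600, 4) + rdata
    return header + query[12:qend] + rrs


def amplification(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(walk_qname(q), len(q), len(refused_response(q)),
          len(answer_response(q, ["192.0.2.1"] * 10)))
```

For a 33-byte query the REFUSED reply is also 33 bytes, while a constructed answer with ten A records is 193 bytes, a factor of nearly six; that difference is the whole reason the text recommends answering unexpected sources with 'refused'.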


IP Options and IP Fragment Filtering



You can configure what IP Options are allowed through the ISA firewall and whether IP Fragments are allowed through. Figures 10.44 and 10.45 show the configuration interfaces for IP Options filtering and IP Fragment filtering. Figure 10.46 shows a dialog box warning that enabling Fragment filtering may interfere with L2TP/IPSec and streaming media services.





Figure 10.44: The IP Options Tab





Figure 10.45: The IP Fragments Tab





Figure 10.46: The IP Fragment Filter Warning Dialog Box


For more information on fragment filtering, see the discussion on common network layer attacks earlier in this chapter.



Source Routing Attack



TCP/IP supports source routing, which is a means to permit the sender of network data to route the packets through a specific point on the network. There are two types of source routing:

    Strict source routing: The sender of the data can specify the exact route (rarely used).
    Loose source record route (LSRR): The sender can specify certain routers (hops) through which the packet must pass.
The source route is an option in the IP header that allows the sender to override routing decisions that are normally made by the routers between the source and destination machines. Source routing is used by network administrators to map the network, or for troubleshooting routing and communications problems. It can also be used to force traffic through a route that will provide the best performance. Unfortunately, source routing can be exploited by hackers.


If the system allows source routing, an intruder can use it to reach private internal addresses on the LAN that normally would not be reachable from the Internet, by routing the traffic through another machine that is reachable from both the Internet and the internal machine.


Source routing can be disabled on most routers to prevent this type of attack. The ISA firewall also blocks source routing by default.
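As an added example (not code from the book or from ISA Server) of how a firewall recognises the option the text describes, the following parses the IPv4 options field and drops any packet carrying a loose (type 131) or strict (type 137) source route option, listing the hops it names. The packet builder, the addresses and the record-route sample are constructed; the header checksum is left at zero because the parser does not check it.

```python
"""Parse the IPv4 options field and drop packets carrying a source route.

Added example, not from the book or from ISA Server. Option type numbers are
the standard ones (7 record route, 131 loose source route, 137 strict source
route); the packet builder and all addresses are constructed, and the header
checksum is left at zero because it is not checked here.
"""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137
OPTION_NAMES = {IPOPT_RR: "record_route", IPOPT_LSRR: "loose_source_route",
                IPOPT_SSRR: "strict_source_route"}
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR, IPOPT_SSRR}


def inet(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def parse_ip_options(packet: bytes):
    """Return [(type, data)] for every multi-byte option in the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("header length field out of range")
    opts, pos, found = packet[20:ihl], 0, []
    while pos < len(opts):
        opt_type = opts[pos]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:        # single-byte padding option
            pos += 1
            continue
        if pos + 1 >= len(opts):
            raise ValueError("option without a length byte")
        opt_len = opts[pos + 1]
        if opt_len < 2 or pos + opt_len > len(opts):
            raise ValueError("option length runs past the header")
        found.append((opt_type, opts[pos + 2:pos + opt_len]))
        pos += opt_len
    return found


def source_route_hops(data: bytes):
    """Addresses listed in a source route option (data = pointer + addresses)."""
    addrs = data[1:]
    return [".".join(str(b) for b in addrs[i:i + 4])
            for i in range(0, len(addrs) - len(addrs) % 4, 4)]


def filter_verdict(packet: bytes):
    """('allow' | 'drop', option names seen, source-route hops if any)."""
    found = parse_ip_options(packet)
    names = [OPTION_NAMES.get(t, f"option_{t}") for t, _ in found]
    for opt_type, data in found:
        if opt_type in SOURCE_ROUTE_OPTIONS:
            return "drop", names, source_route_hops(data)
    return "allow", names, []


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, inet(src), inet(dst))   # checksum left 0
    return base + options


def lsrr_option(hops) -> bytes:
    addrs = b"".join(inet(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(addrs), 4]) + addrs   # type, length, pointer


# Constructed packets (documentation address ranges).
PLAIN = build_ipv4_header("198.51.100.7", "203.0.113.10")
SOURCE_ROUTED = build_ipv4_header("198.51.100.7", "203.0.113.10",
                                  lsrr_option(["203.0.113.10", "10.0.0.5"]))
RECORD_ROUTE = build_ipv4_header("198.51.100.7", "203.0.113.10",
                                 bytes([IPOPT_NOP, IPOPT_RR, 7, 4]) + b"\x00" * 4)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("source_routed", SOURCE_ROUTED), ("record_route", RECORD_ROUTE)):
        print(name, filter_verdict(pkt))
```

The parser raises on a malformed options field rather than skipping it, which is the safer default for a filter: a header whose option length runs past the IHL is itself something to drop and log. The record-route sample shows that the verdict keys on the option type, not on the mere presence of options.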

