RE: DNS qureries cause ISA alerts

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Tue, 7 Jan 2003 19:43:42 -0600

Hi Farshad,

The ISA Server maintains a state table for UDP communications. Since UDP
only provides source and destination IP and Port, it doesn't have lot of
information regarding the state of the communication. The ISA Server
therefore sets timeout values in its state table. If the responses come
back after the entry in the state table has expired, the ISA Server
thinks its an attack. A lot of people have the same issue, so unless
your evaluation of the packet filter log shows you have a real problem,
you can safely ignore the alert.

HTH,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Farshad Farooji [mailto:farshad@xxxxxxxxxxxxxx] 
Sent: Tuesday, January 07, 2003 10:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS qureries cause ISA alerts


http://www.ISAserver.org


Hi everyone;

I posted this message yesterday, unfortuantely got no answers. since it
is
getting to be a serious problem for me I am doing it again.
 
I have been receiving ISA alerts as all port scans and so on very
frequently and it is very anoying. now I have found out that these
alerts
are caused by DNS queries thru ISA. my clients are mainly webproxy and
securenat. is there anything wrong with my settings on the ISA?

thanks for the help,
Farshad

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

• » DNS qureries cause ISA alerts
• » Re: DNS qureries cause ISA alerts
• » RE: DNS qureries cause ISA alerts
• » RE: DNS qureries cause ISA alerts

1. Home
2. isalist
3. Archive
4. 01-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---