At 05:05 PM 11/8/2001 -0700, you wrote:
>http://www.ISAserver.org
>
>*** {01.45.017} Win - MS ISA server fragmented UDP DoS
>
>An advisory was released indicating that Microsoft ISA server is
>vulnerable to a denial of service attack whereby a remote attacker sends
>many fragmented UDP packets, which causes abnormally high CPU utilization.
>
>This vulnerability has not been confirmed.
>
>Source: VulnWatch
>http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0032.html

I have been playing with this since last week. It is just a UDP frag flood. I compiled the exploit code on my Linux box and ran it against the internal NIC of my ISA Server. Initially, I thought it did indeed nail the CPU at 100%, but like a moron, I did not realize that I had simply flooded my link... Doing logs of CPU utilization and hammering on it for sustained periods of time only slightly raised the CPU utilization on my box, both against the internal card and the external card. I tried in many different configurations, with and without IP fragments filters, and was never really able to do anything.

Here is MS's response (the original post can be found in the Bugtraq archives):

Hi all,

Wanted to take a moment and clarify this issue that's been posted. We investigated the issue when it was initially brought to us at secure@xxxxxxxxxxxxx, but this is strictly a flooding attack. The script simply sends a huge number of fragmented packets to the server, and recombining the packets takes the server some finite amount of work. Send enough of them, quickly enough, and you can monopolize the server. But of course this is true for any server, not just for ISA. The attack requires a very high bandwidth between the attack and the server, and normal processing resumes as soon as the flooding stops.

ISA can be configured to drop fragmented packets and, if this is done, it significantly helps protect the system against flooding attacks like this. However, even so, it's not a cure-all. Even inspecting and dropping packets takes some finite amount of work, and once again if the attacker has sufficient bandwidth, he may be able to flood the server. Again, though, there isn't a flaw in ISA server -- it's strictly a flooding attack.

Regards,
secure@xxxxxxxxxxxxx

-----Original Message-----
Subject: Microsoft ISA Server Fragmented Udp Flood Vulnerability

----[ Summary

A fragmented Udp attack through the microsoft isa server makes the system hampered by using the cpu at 100%. Meanwhile server uses processor power too much and therefore packet process ratio decreases.

hth
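An added example, not part of the original thread or of any vendor tooling: a small monitor-side check that parses raw IPv4 headers, identifies fragmented UDP packets (MF flag set or non-zero fragment offset), and reports sources that exceed a per-window fragment count. The window, the threshold, the helper names and the sample packets are all assumptions constructed for illustration.

```python
import struct
from collections import Counter

UDP = 17  # IPv4 protocol number for UDP

def parse_ipv4(header):
    """Return (src, proto, is_fragment) from a raw IPv4 header, or None if malformed."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return None
    flags_off = struct.unpack("!H", header[6:8])[0]
    more_fragments = bool(flags_off & 0x2000)   # MF bit
    offset = flags_off & 0x1FFF                 # fragment offset in 8-byte units
    src = ".".join(str(b) for b in header[12:16])
    return src, header[9], more_fragments or offset > 0

def fragment_flood_sources(packets, window=1.0, threshold=3):
    """packets: iterable of (timestamp, raw_header). Return the sources that sent
    more than `threshold` fragmented UDP packets inside one fixed time window."""
    counts = Counter()
    for ts, raw in packets:
        parsed = parse_ipv4(raw)
        if parsed is None:
            continue  # skip truncated or non-IPv4 input
        src, proto, frag = parsed
        if proto == UDP and frag:
            counts[(src, int(ts // window))] += 1
    return sorted({src for (src, _), n in counts.items() if n > threshold})

def make_header(src, proto, mf, offset):
    """Build a constructed 20-byte IPv4 header for the sample data (checksum left 0)."""
    flags_off = (0x2000 if mf else 0) | offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, flags_off, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes([10, 0, 0, 1]))

# Constructed sample traffic: one source sending many UDP fragments, one sending
# mostly whole UDP datagrams, one sending fragmented TCP (ignored by the check).
SAMPLE = (
    [(i * 0.1, make_header("192.0.2.10", 17, i % 2 == 0, 0 if i % 2 == 0 else 185))
     for i in range(5)]
    + [(0.2, make_header("192.0.2.20", 17, False, 0)),
       (0.3, make_header("192.0.2.20", 17, False, 0)),
       (0.5, make_header("192.0.2.20", 17, True, 0))]
    + [(i * 0.1, make_header("192.0.2.30", 6, True, 0)) for i in range(5)]
)

if __name__ == "__main__":
    print(fragment_flood_sources(SAMPLE))
```

A count like this only shows that fragments are arriving at a high rate; as the thread notes, it still has to be read alongside link utilization and CPU logs to tell a saturated link from a loaded server.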