Re: Info from SANS about potential ISA issue

  • From: Thor@xxxxxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 08 Nov 2001 17:05:32 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 05:05 PM 11/8/2001 -0700, you wrote:
>http://www.ISAserver.org
>
>*** {01.45.017} Win - MS ISA server fragmented UDP DoS
>
>An advisory was released indicating that Microsoft ISA server is 
>vulnerable to a denial of service attack whereby a remote attacker sends 
>many fragmented UDP packets, which causes abnormally high CPU utilization.
>
>This vulnerability has not been confirmed.
>
>Source: VulnWatch 
>http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0032.html


I have been playing with this since last week.  It is just a UDP frag 
flood.  I compiled the exploit code on my Linux box and ran it against the 
internal NIC of my ISA Server.  Initially, I thought it did indeed nail the 
CPU at 100%, but like a moron, I did not realize that I had simply flooded 
my link... Doing logs of CPU utilization and hammering on it for sustained 
periods of time only slightly raised the CPU utilization on my box, both 
against the internal card and the external card.   I tried in many 
different configurations, with and without IP fragments filters, and was 
never really able to do anything.

Here is MS's response (the original post can be found in the Bugtraq archives):

-----BEGIN PGP SIGNED MESSAGE-----
Hi all,
Wanted to take a moment and clarify this issue that's been posted.
We investigated the issue when it was initially brought to us at
secure@xxxxxxxxxxxxx, but this is strictly a flooding attack. The
script simply sends a huge number of fragmented packets to the
server, and recombining the packets takes the server some finite
amount of work. Send enough of them, quickly enough, and you can
monopolize the server. But of course this is true for any server,
not just for ISA. The attack requires a very high bandwidth between
the attacker and the server, and normal processing resumes as soon as
the flooding stops.
ISA can be configured to drop fragmented packets and, if this is
done, it significantly helps protect the system against flooding
attacks like this. However, even so, it's not a cure-all. Even
inspecting and dropping packets takes some finite amount of work, and
once again if the attacker has sufficient bandwidth, he may be able
to flood the server. Again, though, there isn't a flaw in ISA server
-- it's strictly a flooding attack.
Regards,
secure@xxxxxxxxxxxxx
-----Original Message-----
Subject: Microsoft ISA Server Fragmented Udp Flood Vulnerability
----[ Summary
A fragmented UDP attack through the Microsoft ISA Server hampers the
system by using the CPU at 100%. Meanwhile the server uses too much
processor power and therefore the packet processing rate
decreases.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBO+be5Y0ZSRQxA/UrAQE0BQf+Ki4QngkkC2KLTys1zsgFp9mPtAx4a85F
bfHvf6r5NLYNpyYu7eMVjINF+WD7AnMiR4lH1SxRTAdldLFQQZCrAmIFegCIBgC9
q3Unkics2g3Xvm9ZwnjhDunvjBQzHBBEKuV+24FaJ6Xq+ku6NqI0jOU6O0rHUV8Q
4kXwAVX3efxnkcF+8UMnzYLxMSe39rjfoF0orowiaDtIvQVTvG7MUP+5cO0rTzAE
iYiZZgM0atsZG02SK1wtq+PRXz7mMV955bXh3x+av2TCROXua67y9jT7ono7B14H
5I/PEXyGCNkG2PfAPhLwJCbUJpW8sAu6YVQFwkpG9J0pwNMzSpAtlQ==
=Lax7
-----END PGP SIGNATURE-----


hth


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA9AwUBO+sr3IhsmyD15h5gEQKW/gCghXhyJLHqhxK8HwQ1XicPPK9xfL0AjRnN
uH3GB8Ew4Xbkj2/g/jyyHQ==
=MbZe
-----END PGP SIGNATURE-----
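A detection-side counterpart to the flood discussed in this thread, added here as an example; it is not code from the thread, from Microsoft or from the VulnWatch advisory. It parses IPv4 headers from raw packets, treats a packet as a fragment when the MF flag is set or the fragment offset is non-zero, and flags any source that sends more than a threshold of fragments inside a sliding time window, which is the kind of per-source count you would want next to the CPU utilization log when repeating a test like the one above. The sample capture (addresses, packet counts, timestamps), the threshold and all helper names are constructed for this example; the fragments in the sample never carry a final (MF-clear) fragment, so the receiver can never complete reassembly, which is what makes such a flood expensive.

```python
import struct
import socket
from collections import defaultdict, deque

IP_MF = 0x2000        # "More Fragments" bit in the flags/offset field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units


def _checksum(data):
    """Standard ones'-complement Internet checksum over `data`."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, ident, mf, offset, payload, proto=17):
    """Construct a minimal IPv4 packet (20-byte header, no options).
    Only used to fabricate sample traffic for this example; the header
    checksum is filled in so the packets are well-formed."""
    flags_off = (IP_MF if mf else 0) | (offset & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields needed for fragment accounting, or None when the
    bytes do not start with a sane IPv4 header (bad version, short header,
    length inconsistent with the data, or checksum mismatch)."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < ihl:
        return None
    if _checksum(pkt[:ihl]) != 0:   # valid header sums to zero
        return None
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "id": ident,
        "mf": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFMASK) * 8,   # bytes
    }


def is_fragment(hdr):
    """A packet is a fragment if MF is set or it is not the first piece."""
    return hdr["mf"] or hdr["offset"] != 0


def detect_fragment_flood(packets, threshold, window=1.0):
    """`packets` is an iterable of (timestamp_seconds, raw_bytes).
    Keeps a per-source sliding window of fragment timestamps and returns
    {src: peak_fragments_in_window} for every source that exceeded
    `threshold` fragments within `window` seconds."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, raw in packets:
        hdr = parse_ipv4(raw)
        if hdr is None or not is_fragment(hdr):
            continue
        q = recent[hdr["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            offenders[hdr["src"]] = max(offenders.get(hdr["src"], 0), len(q))
    return offenders


def sample_capture():
    """Constructed sample capture: five ordinary unfragmented UDP datagrams
    from 10.0.0.5, then 300 fragments from 10.0.0.99 in 0.3 s that all
    claim to belong to the same datagram (same ID) and all have MF set."""
    pkts = []
    for i in range(5):
        pkts.append((0.1 * i, build_ipv4("10.0.0.5", "10.0.0.1",
                                         1000 + i, False, 0, b"x" * 64)))
    for i in range(300):
        pkts.append((0.5 + i * 0.001, build_ipv4("10.0.0.99", "10.0.0.1",
                                                 0xBEEF, True, i, b"y" * 8)))
    return pkts


if __name__ == "__main__":
    # Threshold of 100 fragments per second is arbitrary for the example.
    for src, peak in detect_fragment_flood(sample_capture(), 100).items():
        print("fragment flood from %s: peak %d fragments in window" % (src, peak))
```

On a real link you would feed `detect_fragment_flood` the (timestamp, bytes) pairs from a pcap reader stripped of the link-layer header; the threshold has to be tuned against the normal fragment rate of the segment, since legitimate large UDP datagrams (NFS, DNS over UDP with large answers) fragment too.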
