Re: problem out of no where, see my links to my logs...

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Aug 2002 08:08:32 -0700

Grab isainfo.vbs from http://jalojash.org/isatools, run it on your ISA and send 
the results back.

Your logs seem to indicate that someone is trying to attack your DNS server:
2002-08-01 21:09:22 206.141.195.13 192.168.1.2 Udp 53 1200 BLOCKED 192.168.1.2
2002-08-01 21:09:22 206.141.192.60 192.168.1.2 Udp 53 1400 BLOCKED 192.168.1.2
2002-08-01 21:09:26 206.141.195.13 192.168.1.2 Udp 53 1200 BLOCKED 192.168.1.2
2002-08-01 21:09:26 206.141.192.60 192.168.1.2 Udp 53 1400 BLOCKED 192.168.1.2
This is typical of DNS cache poisoning attacks. 

These entries seem to indicate that you're running DHCP on the ISA as well:
2002-08-01 21:09:29 192.168.1.2 255.255.255.255 Udp 68 67 BLOCKED 192.168.1.2
2002-08-01 21:09:29 192.168.1.2 255.255.255.255 Udp 68 67 BLOCKED 192.168.1.2
2002-08-01 21:09:29 172.16.7.1 255.255.255.255 Udp 67 68 BLOCKED 192.168.1.2
2002-08-01 21:09:29 172.16.7.1 255.255.255.255 Udp 67 68 BLOCKED 192.168.1.2
There's a registry fix to stop most of these requests, if you're interested.

These are your router trying to make DNS queries to the ISA; how is it 
configured?
2002-08-01 21:24:05 192.168.1.1 192.168.1.2 Udp 4918 53 BLOCKED 192.168.1.2
2002-08-01 21:24:06 192.168.1.1 192.168.1.2 Udp 4918 53 BLOCKED 192.168.1.2

These entries from the FW log seem to show successful DNS queries (hard to tell 
from logs, since UDP is connectionless):
172.16.7.2 - - N 2002-08-01 20:23:57 fwsrv CDISBS01 - - - - - - - 0 UDP Bind - 
- - 0 - internal network ip access - 2 30
172.16.7.2 - - N 2002-08-01 20:23:57 fwsrv CDISBS01 - - 65.24.0.164 53 - - - 53 
UDP UdpMap - - - 0 - internal network ip access - 2 30
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - - - - - - 0 UDP Bind - 
- - 0 - internal network ip access - 2 31
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - 65.24.0.164 53 - - - 53 
UDP UdpMap - - - 0 - internal network ip access - 2 31
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - - - - - - 0 UDP Bind - 
- - 0 - internal network ip access - 2 32
172.16.7.2 - - N 2002-08-01 20:23:58 fwsrv CDISBS01 - - 192.175.48.1 53 - - - 
53 UDP UdpMap - - - 0 - internal network ip access - 2 32

This is an entry in your FW log that bothers me; are you trying to publish SQL?
172.16.7.2 - - N 2002-08-01 19:09:58 fwsrv CDISBS01 - - - 1494 - - - 1494 TCP 
Bind - - - 0 - - - 2 1


Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

  ----- Original Message ----- 
  From: Smpclient@xxxxxxx 
  To: [ISAserver.org Discussion List] 
  Sent: Thursday, August 01, 2002 7:51 PM
  Subject: [isalist] Re: problem out of no where, see my links to my logs...


  http://www.ISAserver.org

  The network is a little weird, but it's been working... it's like this...

  Ameritech DSL Modem
               I
               I
  64.108.6.14 (static external IP address)
  Linksys DSL Router
  192.168.1.1 (internal router IP)
               I
               I
  192.168.1.1 (external ISA Server IP)
     ISA Server/Small Business Server
  172.16.7.1 (internal ISA Server IP)
               I
               I
  172.16.7.2 (internal client ip)

  Hope someone can help. I don't understand the logs. It looks almost like some 
are external requests.

  Andrew Myers
  VPN Incorporated
  (937) 704-0591 ext. 202
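Added example, not part of the thread and not ISA Server code: a small Python classifier that applies Jim's reading of the packet-filter log to the lines quoted above. It assumes the field order visible in those lines (date time src dst proto srcport dstport action interface) and adds two constructed lines with a hypothetical ALLOWED action to show how a DNS reply that matches a preceding outbound query is told apart from one that arrives unsolicited, which is the pattern Jim points to in the 206.141.x entries. Private-range membership stands in for "internal", since the thread only gives RFC 1918 addresses behind the ISA.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample modelled on the ISA packet-filter lines quoted in the thread.
# Field order (inferred from those lines): date time src dst proto sport dport
# action interface. The last two lines are hypothetical additions; "ALLOWED" is
# an assumed action value, not one taken from the page.
SAMPLE_LOG = """\
2002-08-01 21:09:22 206.141.195.13 192.168.1.2 Udp 53 1200 BLOCKED 192.168.1.2
2002-08-01 21:09:22 206.141.192.60 192.168.1.2 Udp 53 1400 BLOCKED 192.168.1.2
2002-08-01 21:09:26 206.141.195.13 192.168.1.2 Udp 53 1200 BLOCKED 192.168.1.2
2002-08-01 21:09:29 192.168.1.2 255.255.255.255 Udp 68 67 BLOCKED 192.168.1.2
2002-08-01 21:09:29 172.16.7.1 255.255.255.255 Udp 67 68 BLOCKED 192.168.1.2
2002-08-01 21:24:05 192.168.1.1 192.168.1.2 Udp 4918 53 BLOCKED 192.168.1.2
2002-08-01 21:30:00 192.168.1.2 65.24.0.164 Udp 1025 53 ALLOWED 192.168.1.2
2002-08-01 21:30:00 65.24.0.164 192.168.1.2 Udp 53 1025 ALLOWED 192.168.1.2
"""

# RFC 1918 space is treated as "internal" for this example.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST = ipaddress.ip_address("255.255.255.255")


class Packet(NamedTuple):
    time: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    action: str
    iface: ipaddress.IPv4Address


def parse_line(line: str) -> Optional[Packet]:
    """Parse one packet-filter line; return None for anything not in the 9-field shape."""
    f = line.split()
    if len(f) != 9:
        return None
    return Packet(datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
                  ipaddress.ip_address(f[2]), ipaddress.ip_address(f[3]),
                  f[4], int(f[5]), int(f[6]), f[7], ipaddress.ip_address(f[8]))


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in n for n in PRIVATE)


def classify(log_text: str, window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, Packet]]:
    """Label each UDP line the way the thread reads them.

    A packet from an external host's port 53 to a high port is a DNS reply; it is
    only "solicited" if an outbound query from that host/port pair to that resolver
    was logged within `window` before it. Everything else is bucketed by the
    DHCP broadcast and DNS query patterns discussed in the thread.
    """
    packets = [p for p in map(parse_line, log_text.splitlines()) if p]
    # Index outbound queries by (resolver, querier, querier port).
    queries = defaultdict(list)
    for p in packets:
        if p.proto == "Udp" and p.dport == 53 and not is_internal(p.dst):
            queries[(p.dst, p.src, p.sport)].append(p.time)

    findings = []
    for p in packets:
        if p.proto != "Udp":
            findings.append(("other", p))
        elif p.dst == BROADCAST and {p.sport, p.dport} == {67, 68}:
            findings.append(("dhcp-broadcast", p))
        elif p.sport == 53 and p.dport != 53 and not is_internal(p.src):
            solicited = any(timedelta(0) <= p.time - t <= window
                            for t in queries[(p.src, p.dst, p.dport)])
            findings.append(("dns-reply" if solicited else "unsolicited-dns-reply", p))
        elif p.dport == 53 and not is_internal(p.dst):
            findings.append(("outbound-dns-query", p))
        elif p.dport == 53 and is_internal(p.src):
            # e.g. the router at 192.168.1.1 querying the ISA's external interface
            findings.append(("internal-dns-query", p))
        else:
            findings.append(("other", p))
    return findings


def summarize(log_text: str) -> dict:
    """Count findings per category, which is the number a triager wants first."""
    return dict(Counter(label for label, _ in classify(log_text)))


if __name__ == "__main__":
    for label, p in classify(SAMPLE_LOG):
        print(f"{label:22} {p.time:%H:%M:%S} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.action}")
    print(summarize(SAMPLE_LOG))
```

The correlation window is deliberately short: a reply that lands seconds after its query is normal UDP behaviour, whereas replies with no logged query at all (the three 206.141.x lines) are the ones worth asking the upstream about.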
