Learn How Your ISA Server Helps Block CAN-2005-0688 (Land Attack Vulnerability) Traffic
Note
This page was first published on Wednesday, June 15, 2005.
The first course of action taken against CAN-2005-0688 must be protecting and patching all affected computers. Details of this issue can be found here.
The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 to help block malicious traffic as described in CAN-2005-0688 and to protect computers on internal networks. Servers running ISA Server 2000 in cache mode cannot restrict CAN-2005-0688 traffic. Additionally, ISA 2000 does not perform packet filtering on traffic received from LAT-based hosts. ISA Server 2004 has no such limitations.
The first section of this article contains technical details about CAN-2005-0688:
- Affected Traffic
This article also discusses how ISA Server can mitigate a CAN-2005-0688 attack:
- Protecting internal networks from external attack with ISA Server
- Helping to prevent outbound CAN-2005-0688 attacks through ISA Server
- Protecting the ISA Server computer from CAN-2005-0688 attacks
This article also discusses:
- How to Make Sure ISA Server 2000 Is Correctly Configured
- How to Make Sure that ISA Server 2004 Is Correctly Configured
Disclaimer
Affected Traffic
Protecting Internal Networks from External Attack with ISA Server
Helping to Prevent Outbound CAN-2005-0688 Attacks Through ISA Server
Protecting the ISA Server Computer from CAN-2005-0688 Attacks
How to Make Sure that ISA Server 2000 Is Correctly Configured
How to Make Sure that ISA Server 2004 Is Correctly Configured
For More Information
Disclaimer
Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user’s own risk.
Affected Traffic
Table 1 lists affected traffic known to be used by CAN-2005-0688. This data is current as of 10:40 AM Wednesday, March 30, 2005.
| # | Protocol | Command | Known to Be Used by CAN-2005-0688? |
|---|---|---|---|
1 |
Any IP |
Source-IP = Victim IP |
Yes |
Protecting Internal Networks from External Attack with ISA Server
ISA Server 2000 in firewall or integrated modes will block CAN-2005-0688 packets if all of the following is true:
- Packet Filtering is enabled
- The LAT is properly configured
ISA Server 2004 blocks all CAN-2005-0688 packets.
For the network protected by a server running ISA Server to be vulnerable from outside attack, specific rules would need to be written to allow traffic on these ports.
DO enable Internet protocol (IP) packet filtering for ISA 2000.
Note
Customers who have not enabled IP packet filtering should review that procedure on this page.
Helping to Prevent Outbound CAN-2005-0688 Attacks Through ISA Server
Because ISA 2000 performs source-NAT on all outbound traffic, it will not be able to translate this traffic and will drop it. ISA 2004 will recognize this traffic as “spoofed” and drop it.
Protecting the ISA Server Computer from CAN-2005-0688 Attacks
A Windows server that has ISA Server 2000 installed is only vulnerable to attack by CAN-2005-0688 if ISA Server is operating in:
- Cache mode
- Firewall or Integrated mode with a misconfigured LAT
- Firewall or Integrated mode with Packet Filtering disabled
..or the traffic originates from the LAT.
A Windows server that has ISA Server 2004 installed is not vulnerable to CAN-2005-0688 traffic.
How to Make Sure that ISA Server 2000 Is Correctly Configured
To enable IP packet filtering:
- In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.
- Right-click IP Packet Filters, select Properties.
- Check the Enable Packet Filtering box.
How to Make Sure that ISA Server 2004 Is Correctly Configured
ISA 2004 requires no additional configuration to block this traffic.