-----BEGIN PGP SIGNED MESSAGE----- Hi all, Wanted to take a moment and clarify this issue that's been posted. We investigated the issue when it was initially brought to us at secureat_private, but this is strictly a flooding attack. The script simply sends a huge number of fragmented packets to the server, and recombining the packets takes the server some finite amount of work. Send enough of them,quickly enough, and you can monopolize the server. But of course this is true for any server, not just for ISA. The attack requires a very high bandwidth between the attack and the server, and normal processing resumes as soon as the flooding stops. ISA can be configured to drop fragmented packets and, if this is done, it significantly helps protect the system against flooding attacks like this. However, even so, it's not a cure-all. Even inspecting and dropping packets takes some finite amount of work, and once again if the attacker has sufficient bandwidth, he may be able to flood the server. Again, though, there isn't a flaw in ISA server - - - -- it's strictly a flooding attack. Regards, secureat_private - - - -----Original Message----- Subject: Microsoft ISA Server Fragmented Udp Flood Vulnerability - - - - ----[ Summary A fragmented Udp attack through the microsoft isa server makes the system hampered by using the cpu at 100%. Meanwhile server uses processor power too much and therefore packet process ratio decreases. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBO+be5Y0ZSRQxA/UrAQE0BQf+Ki4QngkkC2KLTys1zsgFp9mPtAx4a85F bfHvf6r5NLYNpyYu7eMVjINF+WD7AnMiR4lH1SxRTAdldLFQQZCrAmIFegCIBgC9 q3Unkics2g3Xvm9ZwnjhDunvjBQzHBBEKuV+24FaJ6Xq+ku6NqI0jOU6O0rHUV8Q 4kXwAVX3efxnkcF+8UMnzYLxMSe39rjfoF0orowiaDtIvQVTvG7MUP+5cO0rTzAE iYiZZgM0atsZG02SK1wtq+PRXz7mMV955bXh3x+av2TCROXua67y9jT7ono7B14H 5I/PEXyGCNkG2PfAPhLwJCbUJpW8sAu6YVQFwkpG9J0pwNMzSpAtlQ== =Lax7 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 15:30:16 PST