Re: Firewall-1 and ISA D.o.S.

From: overclocking_a_la_abuela@hotmail.com
Date: 02/18/02


Date: 18 Feb 2002 12:43:28 -0000
From: <overclocking_a_la_abuela@hotmail.com>
To: vuln-dev@securityfocus.com



In-Reply-To: <3.0.5.32.20020218085949.012f4100@192.228.128.13>

When you stop the attack, the firewall recovers, but
think that in the case of the ISA D.o.S. I'm sending
spoofed packets, so it will be more difficult to find the
attacker (if you do not have an IDS or similar).
Suppose the length of the D.o.S. is 1 hour... nobody
can surf the web, you cannot access the ISA...,
probably no VPN,...

Think about it.

Hugo Vázquez Caramés
Security Consultant



