Bugtraq mailing list archives

RE: Microsoft ISA Server Fragmented Udp Flood Vulnerability


From: "Microsoft Security Response Center" <secure () microsoft com>
Date: Mon, 5 Nov 2001 10:48:14 -0800


Hi all,

Wanted to take a moment and clarify this issue that's been posted.

We investigated the issue when it was initially brought to us at
secure () microsoft com, but this is strictly a flooding attack.  The
script simply sends a huge number of fragmented packets to the
server, and recombining the packets takes the server some finite
amount of work.  Send enough of them, quickly enough, and you can
monopolize the server.  But of course this is true for any server,
not just for ISA.  The attack requires a very high bandwidth between
the attack and the server, and normal processing resumes as soon as
the flooding stops.

ISA can be configured to drop fragmented packets and, if this is
done, it significantly helps protect the system against flooding
attacks like this.  However, even so, it's not a cure-all.  Even
inspecting and dropping packets takes some finite amount of work, and
once again if the attacker has sufficient bandwidth, he may be able
to flood the server.  Again, though, there isn't a flaw in ISA server
-- it's strictly a flooding attack.

Regards,
secure () microsoft com

-----Original Message-----
Subject: Microsoft ISA Server Fragmented Udp Flood Vulnerability

----[ Summary
A fragmented UDP attack through the Microsoft ISA Server hampers the
system by using the CPU at 100%. Meanwhile the server uses too much
processor power and therefore the packet process ratio
decreases.

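
Added example, not part of the original message and not Microsoft's or ISA Server's code: a small monitor a defender could run over captured IPv4 headers to spot the fragmented-UDP flood pattern discussed above, by counting fragments per source in a sliding time window. The function and class names, the threshold of 5 fragments per second, and the sample headers and addresses are all constructed for illustration.

```python
import socket
import struct
from collections import defaultdict, deque

UDP = 17  # IP protocol number for UDP

def parse_fragment(header: bytes):
    """Return (src_ip, is_fragment) for a UDP-over-IPv4 header, else None."""
    if len(header) < 20 or header[0] >> 4 != 4 or header[9] != UDP:
        return None
    flags_offset = struct.unpack("!H", header[6:8])[0]
    more_fragments = bool(flags_offset & 0x2000)  # MF flag set
    offset = flags_offset & 0x1FFF                # fragment offset, 8-byte units
    return socket.inet_ntoa(header[12:16]), more_fragments or offset > 0

class FragmentRateMonitor:
    """Flags a source sending more than `limit` UDP fragments per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # source address -> recent fragment timestamps

    def observe(self, ts, header):
        parsed = parse_fragment(header)
        if parsed is None or not parsed[1]:
            return False  # not UDP over IPv4, or not a fragment
        times = self.seen[parsed[0]]
        times.append(ts)
        while ts - times[0] > self.window:  # expire entries older than the window
            times.popleft()
        return len(times) > self.limit

def make_header(src, flags_offset, proto=UDP):
    """Constructed 20-byte IPv4 header for the sample data (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, flags_offset, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton("192.0.2.1"))

def flagged_sources(packets, limit=5, window=1.0):
    """Return the sorted source addresses that exceeded the fragment rate."""
    monitor = FragmentRateMonitor(limit, window)
    return sorted({socket.inet_ntoa(h[12:16]) for ts, h in packets
                   if monitor.observe(ts, h)})

# Constructed sample: a fragment burst, slow legitimate fragments, unfragmented UDP.
SAMPLE = ([(i * 0.01, make_header("198.51.100.7", 0x2000 | i)) for i in range(20)]
          + [(i * 0.5, make_header("203.0.113.9", 0x2000)) for i in range(6)]
          + [(i * 0.01, make_header("203.0.113.20", 0)) for i in range(20)])

if __name__ == "__main__":
    print(flagged_sources(SAMPLE))
```

As the message notes, counting and dropping still cost work per packet, so a check like this identifies the flood rather than making the host immune to it.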

