RE: Firewall service unavailable !!

From: TheLord (TheLord_at_discussions.microsoft.com)
Date: 07/05/04


Date: Mon, 5 Jul 2004 15:15:02 -0700

Hi sandaruwan,
Thanks for replying to my questions.

The LAT already has the local IP range only, and the packet filter is already enabled.
For those two IPs, I blocked them and blocked their ranges using IP Packet Filter with these settings (please correct me if I'm mistaken):

Blocking IP (In) 24.x.x.x
        Description :
        Enabled : True
        Filter Mode : Block
        Filter Type : Custom
        Protocol : Any
        Direction : Inbound and Outbound
        Local Port: Any Port
        Remote Port : Any Port
        Local Computer Filter Applies to this IP : Default External IP
        Remote Computer Filter Applies to Network : 24.0.0.0 / 255.0.0.0

Blocking IP (In) 66.x.x.x
        Description :
        Enabled : True
        Filter Mode : Block
        Filter Type : Custom
        Protocol : TCP
        Direction : Inbound
        Local Port : Any Port
        Remote Port : Any Port
        Local Computer Filter Applies to this IP : Default External IP
        Remote Computer Filter Applies to Network : 66.0.0.0 / 255.0.0.0

Blocking IP (In) 66.36.240.144
        Description :
        Enabled : True
        Filter Mode : Block
        Filter Type : Custom
        Protocol : Any
        Direction : Inbound and Outbound
        Local Port: Any Port
        Remote Port : Any Port
        Local Computer Filter Applies to this IP : Default External IP
        Remote Computer Filter Applies to Host: 66.36.240.144

Even after blocking them I found them in the sessions. I restarted the services but it didn't do anything. I restarted the server and nothing changed either. After maybe 1 hr they disappeared and other IPs jumped in, causing the same problem. But they were in different ranges; they were 65.x.x.x, 64.x.x.x, 80.x.x.x, 82.x.x.x, 24.x.x.x ...

Any other suggestions?!

"sandaruwan" wrote:

> Hi "theload",
> I would like to ask you to check the basic configuration.
> 1. Check your LAT table: whether you have only
> included the local IP range?
> 2. Check whether you have enabled the packet filters?
> 3. Just for the moment, block those 2 IP addresses' full access
> to the network?
> 4. This can happen if your ISA server becomes an open proxy
> server. I faced that problem and what I did was
> reimplement the ISA server.
>
> If you can post your new status, that will be great.
>
> sandaruwan
>
> >-----Original Message-----
> >Hi there,
> >
> >I have ISA 2000 installed on a server.
> >One day, I checked the monitoring and found the Firewall
> >Service unavailable! So I started the service. After
> >about 3 to 4 hrs, it became unavailable again! So I
> >started monitoring the service and found out that there
> >are many firewall sessions (about 300 - 600 in the
> >services monitoring). I checked the "sessions monitoring"
> >and there are only 2 firewall sessions! I was shocked that
> >2 firewall sessions are causing this. When I "abort
> >session" those IPs and go back to the Services, the
> >sessions go back to 2. Those IPs don't belong to the
> >internal network. This is 1 of the IPs, 66.36.240.144, and
> >the other starts with 24.x.x.x.
> >
> >And I've noticed that when I let the sessions go up in
> >number, the firewall service becomes unavailable. I
> >checked the firewall log file and found out those 2 IPs
> >are trying to attack port 25 from any port. So I made an
> >IP Packet Filter for port 25, but that didn't work.
> >
> >Can someone please give me a hint on what to do? I've been
> >facing this problem for about 1 month and I've been
> >searching here and there. I even posted a thread on
> >isaserver.org, but no answer.
> >
> >I'll be thankful.
> >


