RE: SBS Sp1 - ISA2004 - IP Half scan attacks



Hi Andy,

Thank you for posting in SBS newsgroup.

From your description, I understand you received the intrusion detection
alert warning that ISA Server detected an Internet Protocol (IP) half-scan
attack from IP address 83.245.41.82. If I have misunderstood your
concerns, please do not hesitate to let me know.

ISA Server features an intrusion-detection mechanism that identifies when
an attack is attempted against your network. You can configure ISA Server
to generate an "Intrusion detected" event, which is defined in the stored
ISA Server configuration, whenever specific types of attacks are detected.

To detect unwanted intruders, ISA Server compares network traffic and log
entries to well-known attack methods. Suspicious activities trigger alerts.
Actions include connection termination, service termination, e-mail alerts,
logging, and others. If you have enabled the intrusion detection on ISA,
you will receive the warning when you are attacked. You need not worry about
it because ISA will block this traffic when specific types of attacks are
detected.

You can check if you have enabled the intrusion detection as follows:

1. On ISA Management, expand Server name and Configuration.
2. Click General.
3. In the right pane, click Enable Intrusion Detection and DNS Attack
Detection.
4. Then you can enable it or not.

If intrusion detection is enabled, you can configure which of the following
intrusions trigger alerts:

- All-port scan attack.
- Well-known port scan attack.
- IP half-scan attack.
- Land attack.
- Ping-of-death attack.
- UDP bomb attack.
- Windows out-of-band (WinNuke) attack.

Hope the information helps and I look forward to your reply.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "andy" <notonyour@xxxxxxxxxxx>
| Subject: SBS Sp1 - ISA2004 - IP Half scan attacks
| Date: Wed, 13 Jul 2005 13:56:26 +0100
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hello everyone
|
| Can anyone help me with a small case of paranoia I'm having?
|
| I have ISA2004 on my SBS box and I'm receiving the following alert at least
| every 10 mins or so via e-mail;
|
| "ISA Server detected an Internet Protocol (IP) half-scan attack from IP
| address 83.245.41.82." (Same IP address for every alert).
|
| I have read the ISA help re: half scan attacks, but don't know enough to be
| able to rate it as a security threat or not..
|
| Any clarification would be most appreciated.
|
| Kind regards
|
| Andy
|
|
|
