Re: SBS Sp1 - ISA2004 - IP Half scan attacks



Thanks for your reply.

Thanks for the additional information regarding this subject.

This has cleared things up for me.

Kind regards

Andy

"Crina Li (MSFT)" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uQqfQbDiFHA.3296@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Andy,
>
> Thank you for posting in SBS newsgroup.
>
> From your description, I understand you received the intrusion detection
> alert warning that ISA Server detected an Internet Protocol (IP) half-scan
> attack from IP address 83.245.41.82. If I have misunderstood your
> concerns, please do not hesitate to let me know.
>
> ISA Server features an intrusion-detection mechanism that identifies when
> an attack is attempted against your network. You can configure ISA Server
> to generate an "Intrusion detected" event, which is defined in the stored
> ISA Server configuration, whenever specific types of attacks are detected.
>
> To detect unwanted intruders, ISA Server compares network traffic and log
> entries to well-known attack methods. Suspicious activities trigger
> alerts. Actions include connection termination, service termination,
> e-mail alerts, logging, and others. If you have enabled the intrusion
> detection on ISA, you will receive the warning when you are attacked. You
> need not worry about it because ISA will block this traffic when specific
> types of attacks are detected.
>
> You can check if you have enabled the intrusion detection as follows:
>
> 1. On ISA Management, expand Server name and Configuration.
> 2. Click General.
> 3. In the right pane, click Enable Intrusion Detection and DNS Attack
> Detection.
> 4. Then you can enable it or not.
>
> If intrusion detection is enabled, you can configure which of the
> following intrusions trigger alerts:
>
> - All-port scan attack.
> - Well-known port scan attack.
> - IP half-scan attack.
> - Land attack.
> - Ping-of-death attack.
> - UDP bomb attack.
> - Windows out-of-band (WinNuke) attack.
>
> Hope the information helps and I look forward to your reply.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --------------------
> | From: "andy" <notonyour@xxxxxxxxxxx>
> | Subject: SBS Sp1 - ISA2004 - IP Half scan attacks
> | Date: Wed, 13 Jul 2005 13:56:26 +0100
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Hello everyone
> |
> | Can anyone help me with a small case of paranoia I'm having?
> |
> | I have ISA2004 on my SBS box and I'm receiving the following alert at
> | least every 10 mins or so via e-mail;
> |
> | "ISA Server detected an Internet Protocol (IP) half-scan attack from IP
> | address 83.245.41.82." (Same IP address for every alert).
> |
> | I have read the ISA help re: half scan attacks, but don't know enough to
> | be able to rate it as a security threat or not..
> |
> | Any clarification would be most appreciated.
> |
> | Kind regards
> |
> | Andy
> |
> |
> |
>
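
Added example, not part of the original thread and not ISA Server's own detection logic: the Python below shows the general idea behind a half-scan alert, which is counting TCP handshakes that a source opens with a SYN but never completes with its own ACK. The function name, record format, threshold and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (src, sport, dst, dport, tcp_flags).
# Addresses come from documentation ranges, not from the thread.
SAMPLE = [
    # Ordinary client: SYN, SYN/ACK, ACK (handshake completes)
    ("203.0.113.5", 40000, "192.0.2.10", 25, "S"),
    ("192.0.2.10", 25, "203.0.113.5", 40000, "SA"),
    ("203.0.113.5", 40000, "192.0.2.10", 25, "A"),
    # Probing source: SYNs that end in a reset or in silence
    ("198.51.100.7", 50001, "192.0.2.10", 25, "S"),
    ("192.0.2.10", 25, "198.51.100.7", 50001, "SA"),
    ("198.51.100.7", 50001, "192.0.2.10", 25, "R"),
    ("198.51.100.7", 50002, "192.0.2.10", 80, "S"),
    ("198.51.100.7", 50003, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "198.51.100.7", 50003, "SA"),
]


def find_half_scanners(packets, threshold=3):
    """Return {source_ip: half_open_count} for sources at or above threshold.

    threshold is an assumed tuning value; a single lost ACK from a
    legitimate client stays below it and is not reported.
    """
    pending = set()  # initiator 4-tuples whose handshake is still incomplete
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            # Step 1 of the handshake: bare SYN from the initiator.
            pending.add(key)
        elif "A" in flags and "S" not in flags and "R" not in flags:
            # Step 3: the initiator's plain ACK completes the handshake.
            pending.discard(key)
        # SYN/ACK replies and resets never complete a handshake,
        # so the initiator's entry stays pending.
    counts = defaultdict(int)
    for src, _sport, _dst, _dport in pending:
        counts[src] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_half_scanners(SAMPLE))
```
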

