1. Understanding the Problem
I already worked in many cases where customer wants to know why ISA is alerting that it might be under attack by logging events such as:
Figure 1 – Number of TCP Connections.
…and also this one:
Figure 2 – Denied Connections per Minute.
These alerts are part of the default Flood Mitigation settings in ISA Server 2006 and are trigged when ISA detects that the amount of traffic exceed the default setting. This can be a false positive, which means that this amount of connection might be coming from a legitimate system and the behavior might be because this is a really busy system. But, it also can be a real attack due a compromised system in your network.
The alert is pretty straight forward and it identifies the source system that is generating this huge amount of traffic. The problem is that sometimes you go to this system, run an Anti-Virus scan and nothing comes up, run an Anti-Spyware and nothing comes up, etc. Sometimes the user is just playing around with some cool tools that he found online or sometimes there is a malicious process that it is actually sending this traffic against ISA Server.
2. Netmon 3.2 Can Help you on that!
The reason why I’m talking about Netmon 3.2 now is because during TechEd Brazil I met a guy from ISSA Brazil and he was telling me about his experience with Netmon 3.2 and how the security specialists were amazed with the improvements in Netmon 3.2. He actually wrote an article in the ISSA Magazine (in Portuguese) about Netmon 3.2, that you can download it here. This was a great feedback from the field and it is really important to us to spread it out the evolution of such great tool and how this can help people in the field.
For this scenario that I’m explaining here Netmon 3.2 was perfect, mainly because it could show me what other tools could not. For this case, when we ran Netmon in the source machine (the one that ISA Server was showing in the alert) we found out what process was sending the traffic:
Figure 3 – Process that was sending the traffic.
As you can see, for this example an internal user was using the freeware tool NMap Scanner to perform a scan against the internal IP of the ISA Server, which obviously was a bad idea. This is only a simple example of how Netmon 3.2 can assist you to identify a process that is generating an unexpected traffic.
The flood mitigations settings on ISA Server can help you to identify and block hosts that are sending an exaggerated amount of traffic to ISA Server. This is the first step to assist you to block a compromised system. Moving further you need to understand why the source machine is doing that and this article explained you how Netmon 3.2 will assist you on that. You can download Netmon 3.2 from here.