ISA Server does not log an IP packet that consists of only an IP header

Just for the record:
If you have ever sent to your ISA Server 2004/2006, or attempted to send through your ISA, an IP packet that consists of only an IP header, you may have noticed that your ISA logs do not show anything.
Here is the explanation why:
http://support.microsoft.com/kb/936905

Windows Server 2003 simply drops those packets, without forwarding them to ISA.
These packets do not pass through ISA, and if they target one of ISA's IP addresses there is no reply packet; they are silently dropped, so there is nothing to worry about.
But you'll never know that someone made some "funky" attempts, assuming that you may want to know.

Below is the nmap command, just in case you want to test it yourself (-p55 means IP Protocol 55; it will set the Protocol field within the IP header, I've entered a random number).
Note that if you use -p6, which means TCP, nmap will send an ACK segment to a random destination port.
Also, if you use -p17, which means UDP, nmap will send a UDP packet to a random destination port.
And if you use -p255 and the destination host is on the local network, nmap will first send an ARP request for the destination IP address, and if an ARP reply is received, the IP packet that consists of only an IP header will be sent to the specified destination. If you replace the destination host with the entire local network, say 192.168.22.0/24, nmap will first send an ARP request for every IP address in the specified network range, and for every host that sends an ARP reply, the IP packet that consists of only an IP header will be sent.

Or the hping3 command (--iproto 55 means IP Protocol 55; it will set the Protocol field within the IP header):

Such a packet captured with Wireshark:
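Since Windows Server 2003 discards these packets before ISA ever sees them, the only place they can be logged is a sensor or capture taken in front of the ISA host. The following is an added example, not code from the original post, ISA Server or Windows: a small Python parser that takes raw IPv4 bytes (the payload of an Ethernet frame from such a capture), checks that the packet is well-formed, and emits a log line whenever the Total Length field equals the header length, i.e. the packet is only an IP header. The sample packets are constructed inline (source 192.168.22.5, destination 192.168.22.1, Protocol 55 as in the post's nmap/hping3 invocations); the function names are this example's own.

```python
"""Log IPv4 packets that consist of only an IP header (no payload).

Added example; not part of the original post and not ISA/Windows code.
Input is raw IPv4 bytes, e.g. the payload of an Ethernet frame captured
in front of the ISA host, where these packets are still visible.
"""
import struct
from typing import List, Optional


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IP header.
    Returns 0 when called on a header whose stored checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> Optional[dict]:
    """Parse the fixed IPv4 header; return None for anything that is not IPv4."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return None
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "protocol": proto,
        "header_len": ihl,
        "total_len": total_len,
        # Use the Total Length field, not len(packet): a 20-byte IP packet
        # arrives inside an Ethernet frame padded to the 46-byte minimum.
        "payload_len": total_len - ihl,
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }


def header_only_events(packets: List[bytes]) -> List[str]:
    """Return one log line per header-only (or malformed) IP packet."""
    events = []
    for raw in packets:
        pkt = parse_ipv4(raw)
        if pkt is None:
            continue
        if pkt["payload_len"] < 0:
            events.append("malformed IP packet %s -> %s: total length %d < header length %d"
                          % (pkt["src"], pkt["dst"], pkt["total_len"], pkt["header_len"]))
        elif pkt["payload_len"] == 0:
            events.append("header-only IP packet %s -> %s proto=%d checksum=%s"
                          % (pkt["src"], pkt["dst"], pkt["protocol"],
                             "ok" if pkt["checksum_ok"] else "bad"))
    return events


# Constructed sample packets (hex), not taken from a real capture.
# 20-byte header only, Protocol 55, padded as an Ethernet frame would be.
HEADER_ONLY_PROTO55 = bytes.fromhex(
    "45000014" "00010000" "4037cd5b" "c0a81605" "c0a81601") + b"\x00" * 26
# Normal UDP packet: 20-byte header plus an 8-byte UDP header (1024 -> 53).
UDP_WITH_PAYLOAD = bytes.fromhex(
    "4500001c" "00020000" "4011cd78" "c0a81605" "c0a81601" "04000035" "00080000")
# Too short to be IPv4 at all.
TRUNCATED = bytes.fromhex("4500")
# Total Length (16) smaller than the header itself (20).
MALFORMED = bytes.fromhex(
    "45000010" "00030000" "4037cd5d" "c0a81605" "c0a81601")

SAMPLE_CAPTURE = [HEADER_ONLY_PROTO55, UDP_WITH_PAYLOAD, TRUNCATED, MALFORMED]

if __name__ == "__main__":
    for line in header_only_events(SAMPLE_CAPTURE):
        print(line)
```

Only the Protocol 55 packet and the malformed one produce events; the UDP packet has 8 bytes of payload and is ignored, and the truncated fragment is skipped as non-IPv4. Feeding the function the IP payloads of frames from a capture taken upstream of the ISA host gives the record that ISA itself cannot produce.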

Comments (2) -

  • Jim Harrison

    8/19/2008 6:38:46 AM

    It seems you simultaneously quoted and missed the important part of the KB article you linked, which reads: "This issue occurs because Windows Server 2003 drops any packet that contains only an IP header."  As such, when only an IP header is received, Windows sends it to the bit-bucket before ISA even gets a chance to see it, much less log it.  As I've stated to so many others, "if ISA can't see it, it can't log it".

    I don't know what you expect..?

  • adimcev

    8/19/2008 8:54:19 AM

    Hi Jim,
    Wow!
    What have I missed ?
    How about you, eh ?
    According to the above blog entry posted by me:
    "Windows Server 2003 simply drops those packets, without forwarding them to ISA."
    Adding the complete line you've quoted from Microsoft's doc:
    "Windows Server 2003 drops the packet without forwarding it to Microsoft Internet Security and Acceleration (ISA) Server."
    So ?
    As said in the ICSA document, this should be, IMHO, documented (and it is) in order to be known:
    www.icsalabs.com/.../ISA2004.pdf
    I do not expect anything, this was a simple blog entry noticing people about that.
    If we do not know what ISA sees, how would we know what ISA would log ?
    That was the point of this blog entry....
    Take care,
    --Adrian
