ISA 550/570 IPS Windows HTTP.sys Denial Of Service

Over the last few weeks I have suddenly started seeing a bunch of IPS warnings about WEB Microsoft Windows HTTP.sys Denial Of Service (CVE-2013-1305)-1057657 on my ISA570. It appears this IPS security signature may be based off of Microsoft's Http.sys security warning (MS13-039), but I haven't confirmed that. Is anyone else seeing a lot of these? The WAN IP addresses that ultimately get blocked via this signature are not assigned to anything specific, which makes me suspicious, but some are linked to sites like Akamai.com and ripe.net, which serve legitimate purposes.
If this IPS signature is based off of Microsoft's security bulletin listed above, it is only applicable to Windows 8/2012 systems, of which I have almost none. If that is the case, then I will just disable the IPS 1057657 signature. Does anyone know or have any ideas on this?
Thanks,
Jeff
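
Before disabling a signature because its bulletin does not match your fleet, it helps to check each alert against what the blocked traffic was actually aimed at. The following is an added example written for this thread; it is not the poster's code and not part of the ISA500 firmware. The alert line format, the host inventory and the IP addresses are constructed for illustration (an ISA 550/570 writes IPS events in its own syslog layout, so parse_alert() must be adapted to the real lines); the only real data is that MS13-039 (CVE-2013-1305) lists Windows 8, Windows Server 2012 and Windows RT as the affected platforms.

```python
"""Triage IPS alerts against what is actually behind the firewall.

Added example, not the poster's code and not part of the ISA500 firmware.
Alert format, inventory and addresses are constructed; adapt parse_alert()
to the syslog lines your box really emits.
"""
from collections import Counter
import re

# Affected platforms as listed in the vendor bulletin the signature targets.
SIGNATURES = {
    1057657: {
        "name": "WEB Microsoft Windows HTTP.sys Denial Of Service",
        "cve": "CVE-2013-1305",
        "affected_os": {"Windows 8", "Windows Server 2012", "Windows RT"},
    },
}

# Constructed inventory: the internal hosts that port forwards expose.
INVENTORY = {
    "192.168.75.10": "Windows Server 2008 R2",
    "192.168.75.11": "Windows Server 2012",
    "192.168.75.20": "Ubuntu 12.04",
}

# Constructed alert lines (assumed format, not the ISA500's real syslog layout).
ALERTS = """\
2013-06-03T10:01:02 IPS sig=1057657 action=block src=203.0.113.7 dst=192.168.75.10 dport=80
2013-06-03T10:01:09 IPS sig=1057657 action=block src=198.51.100.4 dst=192.168.75.11 dport=80
2013-06-03T10:02:44 IPS sig=1057657 action=block src=203.0.113.7 dst=192.168.75.20 dport=80
2013-06-03T10:03:15 IPS sig=1057657 action=block src=192.0.2.99 dst=192.168.75.10 dport=443
2013-06-03T10:04:01 IPS sig=1057657 action=block src=192.0.2.99 dst=192.168.75.30 dport=80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) IPS sig=(?P<sig>\d+) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_alert(line):
    """Parse one constructed alert line into a dict; raise on anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised alert line: %r" % line)
    d = m.groupdict()
    d["sig"] = int(d["sig"])
    d["dport"] = int(d["dport"])
    return d


def classify(alert):
    """'relevant' if the target runs a platform the bulletin lists,
    'tune-candidate' if it runs something else, 'unknown-asset' if there is
    no inventory entry for the target (or no metadata for the signature)."""
    meta = SIGNATURES.get(alert["sig"])
    os_name = INVENTORY.get(alert["dst"])
    if meta is None or os_name is None:
        return "unknown-asset"
    return "relevant" if os_name in meta["affected_os"] else "tune-candidate"


def triage(text):
    """Classify every alert line; return (Counter of verdicts, [(alert, verdict)])."""
    alerts = [parse_alert(l) for l in text.splitlines() if l.strip()]
    results = [(a, classify(a)) for a in alerts]
    return Counter(v for _, v in results), results


def noisy_sources(results, min_hits=2):
    """Sources that tripped the signature repeatedly: the ones worth a whois
    lookup (CDN edge, RIR scanner, real attacker) before leaving them blocked."""
    c = Counter(a["src"] for a, _ in results)
    return {src: n for src, n in c.items() if n >= min_hits}


if __name__ == "__main__":
    counts, results = triage(ALERTS)
    for alert, verdict in results:
        print("%s sig=%d %s -> %s:%d  %s" % (alert["ts"], alert["sig"], alert["src"],
                                             alert["dst"], alert["dport"], verdict))
    print(dict(counts), noisy_sources(results))
```

If the run shows no "relevant" rows, the signature is only producing blocks of sources that cannot be hurting anything; if it shows some, the right move is to keep it for those targets rather than switch it off globally. Either way, a DoS signature that blocks a CDN edge address can itself cause an outage for your users, so the noisy sources deserve a whois lookup before the block list is left alone.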

- not sure about your script, but obviously it doesn't detect the name of your managed server LICORNE2012 since there seems to be an admin server only in that domain.
- alternatively you might try the approach posted by the AMIS guys
Weblogic Admin and Managed servers as a Windows service
- btw: having your domain under user_projects is not best practice (but not the problem here).
good luck!

Similar Messages

  • Performance degradation with ISA 550 on 100/10 Mbit line normal?

    hi,
    I installed an ISA 550 on a 100/10 Mbit line.
    If I connect my MacBook directly to the router, I get 90 Mbit down, 9 Mbit up with speed tests - that's OK.
    With a plain vanilla ISA 550 and only my MacBook connected I get 70-80 Mbit down, 9 Mbit up, that's still OK.
    But with the ISA connected to the rest of our network (nothing extraordinary - several Macs and PCs) and configured with a few port forwardings, the speed test dropped to 50 Mbit down and 9 Mbit up.
    As you can see, the upload speed never changed, but the download speed did.
    So I would like to know: is it normal that the speed of our internet connection declines so much with a few firewall rules and 5 clients - is the processor of the ISA too slow for this internet line?
    Thanks for your opinions in advance!
    regards, ferdinand

    Hi Olivier, thank you for using our forum, my name is Johnnatan, I am part of the Small Business Support community. The new ISA products are really nice devices with multiple blocking features. To answer your question, you can block specific web sites per URL; here you can see two ways to block those websites.
    http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3551
    http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3522
    If you want to compare the features of both devices you can check this link. However, the main difference is that the 550 has 6 LAN ports, while the 570 has 9 and supports more VPN tunnels.
    SSL VPN is supported without additional cost; here you can see how to configure it.
    http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3533
    Regarding your question about the Fortigate router, I have no information about it, I apologize for that.
    I hope you find this answer useful.
    *Please mark the question as Answered or rate it so other users can benefit from it*
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • HTTP.SYS fails to load after ProLiant NIC driver update on Server 2008 R2

    Hi team,
    This has been driving me crazy for a week and I can't find any reference to solving the problem in TechNet or any forums...
    I have a ProLiant ML350 G5 server that I installed Server 2008 R2 on and migrated all my domain AD, DNS, File Services, shares and files from SBS 2003 (end of life, so let's take that out of the network) - Exchange and SharePoint were not being used, so Standard Server 2008 was the choice seeing that the server hardware is 4 years old...
    Everything went well, migration was successful, AD was primary and active.
    Then (stupidly) I decided I'd better install all the updated drivers and management software from HP. The NIC is showing as an HP NC373i which is a Broadcom BCM5708C. I updated the flash in that card (HP utility) and updated the driver to the latest version 7.8.52.0 along with a bunch of other updates, all handled by HP's Support Solutions Framework (MSI).
    After the required reboot, I noticed that the Print Spooler (set to Automatic) didn't start, neither did IIS or Web Services...
    Trying to manually start them gives the error that a dependency failed. Now Print Spooler only uses HTTP (no longer a "service" but integrated into the kernel for multiple HTTP connections on the same port and controlled using the netsh http command prompt...), DCOM and RPC. The last 2 are running, so that leaves HTTP as the culprit.
    The Event Log shows that HTTP failed to load as "the service cannot be started, either because it is disabled or because it has no enabled devices associated with it".
    From an administrator cmd prompt, net start http gives the same failure error.
    netsh http show servicestate returns "The handle is invalid" - it's not seeing HTTP at all...
    OK. If you've read this far, thank you - keep going...
    Here's my thinking... Updating the NIC driver has "broken" the association with HTTP.SYS - how do I get that association back?
    I uninstalled anything HTTP related: IIS, BITS, Web, Printing Services. Reboot after reboot and still no HTTP. I deleted http.sys from \windows\system32\drivers and ran sfc to get Windows to give me a clean one. Reboot, still doesn't load, so it's not a damaged http.sys.
    I uninstalled EVERYTHING ProLiant, uninstalled the NIC, deleted the bxnd60a.sys driver so Windows would use its own, rebooted, let it load NIC drivers, set the IPs up again, reboot - still no http.sys loading...
    I've tried older versions of drivers from Broadcom, the latest version of drivers, still in the same hole...
    Does anyone know how I can get HTTP.SYS to associate with the NIC? Can I do anything in the registry to achieve this? Do I have to do a System State Backup (is that the only way to preserve the AD and DNS?), scrub the server and start from scratch and then restore the System State to get my AD and DNS back? If I do that, will it bring the http.sys fault back?
    I'm really at a loss - please, someone, please help...


  • Http.Sys Bad Request - Url

    Hi,
    I have a virtual directory hosted in IIS on Server 2008 R2 with Directory Browsing enabled.
    The virtual directory has a sub-folder named:
    ים לכב
    When I try to browse this sub-folder I get 400 Bad Request.
    The request is being rejected within the http.sys driver (I can see it in "C:\Windows\System32\LogFiles\HTTPERR\httperr.log") with the reason "URL".
    The encoded name is:
    %D7%99%D7%9D%20%D7%9C%D7%9B%EF%80%A0%D7%91
    (the line from httperr.log: "2015-03-24 10:04:43 ::1%0 49345 ::1%0 80 HTTP/1.1 GET /Test/%D7%99%D7%9D%20%D7%9C%D7%9B%EF%80%A0%D7%91/ 400 - URL -")
    Any ideas?

    Hi,
    >>The request is being rejected within Http.sys - the kernel driver that routes HTTP requests to IIS processes.
    Yes, I agree with you. But from my point of view, this issue is an HTTP error and the IIS community may be more familiar with HTTP related issues.
    Besides, I found something related; it may be helpful:
    https://support.microsoft.com/en-us/kb/820129/en-us?wa=wsignin1.0
    Please try to change the value of AllowRestrictedChars to 1.
    Also, please check if your URL contains private UCS characters. According to RFC 3987, the use of private UCS characters is restricted.
    For detailed information, please refer to the link below:
    https://www.ietf.org/rfc/rfc3987.txt
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
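
The percent-encoded form in the log hides which character is the odd one out, so the practical first step is to decode the path and classify every code point. The following is an added example, not Microsoft's code and not anything from the thread. It decodes the httperr.log line quoted in the post; the HTTPERR field positions are assumed from that single line. The C0/C1 control ranges are the ones KB 820129 says AllowRestrictedChars governs, and U+E000 to U+F8FF is the Unicode Private Use Area the reply suggests checking for.

```python
"""Decode the URL from an httperr.log line and point at the unusual code points.

Added example, not Microsoft's code and not from the thread. Field layout of
the HTTPERR line is assumed from the one line quoted in the post.
"""
from urllib.parse import unquote_to_bytes

# The line from the post (real data); everything else here is an assumption.
HTTPERR_LINE = ("2015-03-24 10:04:43 ::1%0 49345 ::1%0 80 HTTP/1.1 GET "
                "/Test/%D7%99%D7%9D%20%D7%9C%D7%9B%EF%80%A0%D7%91/ 400 - URL -")

# Reason strings; the control-character rule is the one KB 820129 describes.
CONTROL = "control (rejected unless AllowRestrictedChars=1)"
PRIVATE_USE = "private-use"
BAD_UTF8 = "invalid-utf8 or literal U+FFFD"


def parse_httperr(line):
    """Split a space-separated HTTPERR line into the fields this example needs."""
    f = line.split()
    return {"date": f[0], "time": f[1], "client": f[2], "client_port": int(f[3]),
            "server": f[4], "server_port": int(f[5]), "version": f[6],
            "method": f[7], "url": f[8], "status": int(f[9]), "reason": f[11]}


def decode_path(url):
    """Percent-decode to bytes, then interpret as UTF-8 (what IIS does for URLs)."""
    return unquote_to_bytes(url).decode("utf-8", errors="replace")


def classify_cp(ch):
    """Return a reason string for code points worth a second look, else None."""
    cp = ord(ch)
    if cp <= 0x1F or 0x7F <= cp <= 0x9F:
        return CONTROL
    if 0xE000 <= cp <= 0xF8FF:
        return PRIVATE_USE
    if cp == 0xFFFD:
        return BAD_UTF8
    return None


def suspicious_chars(url):
    """[(index, 'U+XXXX', reason)] for every flagged code point in the decoded path."""
    out = []
    for i, ch in enumerate(decode_path(url)):
        reason = classify_cp(ch)
        if reason is not None:
            out.append((i, "U+%04X" % ord(ch), reason))
    return out


if __name__ == "__main__":
    rec = parse_httperr(HTTPERR_LINE)
    print(rec["method"], rec["url"], rec["status"], rec["reason"])
    print(repr(decode_path(rec["url"])))
    for idx, cp, why in suspicious_chars(rec["url"]):
        print("offset %d: %s (%s)" % (idx, cp, why))
```

For the line in the post this reports one hit: offset 11 is U+F020, a private-use code point sitting between otherwise ordinary Hebrew letters (it is invisible in the folder name as displayed). The 400/URL verdict itself comes from http.sys; the script only tells you which character to remove or rename before reaching for registry changes, and flipping AllowRestrictedChars would not touch a private-use character anyway, since that setting governs the control ranges.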

  • Cisco works LMS 4.0 ,Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability

    CiscoWorks LMS 4.0, Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
    This vulnerability has been fixed in Apache release 2.2.20 and further corrected in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the legacy 2.0.65 release.
    Can anyone give the steps to upgrade the Apache HTTP Server 2.2.10 to 2.2.21 on Windows 2008 Server?

    For the following PSIRT:
    http://www.cisco.com/en/US/products/csa/cisco-sa-20110830-apache.html
    Download the following patch, "lms40-win-Oct2011-su1-0.zip":
    http://www.cisco.com/cisco/software/release.html?mdfid=283434800&flowid=19062&softwareid=280775103&os=Windows&release=4.0&relind=AVAILABLE&rellifecycle=&reltype=latest
    The instructions for installing the patch should be in the zip file.
    This should cover all of these bugs, which you can query in the Bug Toolkit:
    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    CSCte45565
    CSCto12712
    CSCto23584
    CSCto23622
    CSCto35544
    CSCto35577
    CSCtq48990
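
CVE-2011-3192 is triggered by a Range header that carries a large number of overlapping byte ranges; the Apache advisory offered, as a stop-gap before 2.2.20/2.2.21, a mod_rewrite rule refusing requests whose Range header has more than five ranges. The following is an added example, not Apache's code, not Cisco's patch and not from the thread: it reimplements that interim check so it can be run against captured request headers (for instance from a front-end proxy or a packet capture) while the LMS patch is being scheduled. The sample headers are constructed.

```python
"""Range-header check in the spirit of the CVE-2011-3192 interim mitigation.

Added example, not Apache's code and not Cisco's patch. The five-range
threshold is the one the Apache advisory's mod_rewrite workaround used;
the sample headers are constructed.
"""
import re

BYTE_RANGE = re.compile(r"^(\d*)-(\d*)$")
MAX_RANGES = 5  # threshold used by the advisory's stop-gap rewrite rule


def parse_ranges(header):
    """Return a list of (first, last) tuples (None for an open end),
    or None if the header is not a well-formed byte-range set."""
    if not header.lower().startswith("bytes="):
        return None
    out = []
    for part in header[len("bytes="):].split(","):
        m = BYTE_RANGE.match(part.strip())
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        out.append((first, last))
    return out


def range_verdict(header, limit=MAX_RANGES):
    """'allow', 'reject-count' (too many ranges) or 'reject-malformed'.
    A missing or empty header is always allowed, as the rewrite rule did."""
    if not header:
        return "allow"
    ranges = parse_ranges(header)
    if ranges is None:
        return "reject-malformed"
    return "allow" if len(ranges) <= limit else "reject-count"


def killer_header(n):
    """Constructed header in the style of the public proof of concept:
    one open range plus n overlapping ranges from the same offset."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(n))


if __name__ == "__main__":
    for h in ["", "bytes=0-499", "bytes=-500,9500-", killer_header(1300), "bytes=abc"]:
        print("%-40r -> %s" % (h[:40], range_verdict(h)))
```

Rejecting on range count is a blunt filter (legitimate download managers rarely send more than a handful of ranges, but some do), which is why it was only ever an interim measure; the actual fix is the 2.2.21-level Apache shipped in the LMS patch above.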

  • ISA 550 Firewall Rule - how to specify a domain (to resolve a DDNS)

    I want to lock down access to an ISA 550 Firewall to 4 locations.  2 of the locations have dynamic IP addresses.
    Both sites have a dynamic domain maintained at no-ip.org.
    How can I enter 'name.no-ip.org' in to a firewall rule?

    There is no way to use a domain name in a firewall rule. When the traffic comes in, the packets are addressed with IPs, not with domain names, so when the router looks things up it compares IP addresses.
    In fact I have never seen this done, even on an enterprise device. I'm not saying nothing can do it, but it definitely isn't possible with the ISA.
    Your best bet would be to try and get some static IPs for those two sites as well.
    It is however possible to setup site-to-site VPNs between these devices even if some of them are using DDNS.  This does require those other site's routers to support site-to-site tunnels.  That way those four sites would be able to access resources behind the ISA, but no one else would, and you could still keep using the DDNS for the two dynamic sites.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center
    *please mark/rate helpful answers*

  • IPS-4240-K9-sys-1.1-a-5.0-2.img for pkg

    Hi All,
    What's the correct pkg file for the IPS-4240-K9-sys-1.1-a-5.0-2.img?
    Kindly confirm the same.

    After upgrading IPS-4240-K9-sys-1.1-a-5.0-2.img to IPS-4240-K9-sys-1.1-a-6.1-1-E3.img I am getting the message below:
    There is no license key installed on the IPS-4240. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
    It's not going to prompt mode?
    How can I go to IPS configuration mode?
    Are there any steps which have to be done first?

  • Access to WAN Port 2 on an CISCO ISA 550 Firewall

    Hi all
    On a Cisco ISA 550 firewall I created a 2 WAN port failover which works fine. But how can I access the WAN2 port (see attachments) from my workstation even while the WAN1 port is up and running? I also created a new zone and firewall rule but this doesn't work..
    Thanks for your help

    Upgrade Firmware...

  • ISA 550 Error - sdsd: http_get: Error: http_read_response failed, returned -2

    Hi all,
    I have a problem with my installed Cisco ISA 550 firewall.
    I received the error below under the log messages.
    Could you explain what the reason for this message is?

    Hi Bikram,
    HW and SW information is below, and I have attached two captures of the two types (error, information) of log messages that I received.
    Firmware (Primary/Secondary): 1.2.17/1.0.3
    Bootloader Version: 0.0.20 (dual)
    PID VID: ISA550-K9 V01
    Please reply if you want any further details.
    Thanks,
    Charith

  • Cisco ISA 550 NAT problem

    Hi all,
    I have bought a Cisco ISA 550 small business firewall and I ran into a problem when configuring NAT.
    My scenario is:
    I have a mail server in my LAN which needs to be accessed from both inside and outside.
    My LAN network is 192.168.0.0/24.
    I have a PPPoE WAN connection with a static IP.
    Mail server IP: 192.168.0.15/24
    There is no DMZ zone. I need to NAT this server to my WAN IP, and that WAN IP is also used to provide internet connectivity to the other LAN users. I could do this with my previous ADSL router, and I tried to do it with the firewall but couldn't achieve the task.
    Hoping for help from an expert.
    Thanks,
    Charith

    Do you want your internal clients to connect to the WAN IP and get NATed to the local LAN IP?
    Then open the Maintain and Operate Guide at cisco.com and search for "hairpinning".
    Michael
    Please rate all helpful posts

  • IPS and HTTPS check

    Hi,
    Can the Cisco IPS/AIP module identify torrent traffic tunneled in HTTPS?
    Can the IPS inspect HTTPS traffic to detect any anomaly?
    Regards.

    Hi,
    IMHO by default you can't inspect any encrypted traffic.
    You would have to have the traffic terminated on the ASA to decrypt it and then send it on to the client.
    HTH
    Pael

  • ISA 550 Bandwidth Management.

    I wanted to know an automated or manual method of bandwidth management for the ISA 550 with 1.2.x.x firmware. I currently have 30 nodes on a 2 Mbps link, and if one host starts downloading, the others are left with very little or no bandwidth at all. Is there a way I can regulate this automatically or manually?

    Sounds like Ciscomax got you fixed up. Also wanted to mention, should the need arise, you can do bandwidth throttling. We do this in some circumstances on Guest Wireless networks to prevent guests from hogging too much bandwidth. So, for example, if you wanted to limit bandwidth on a GuestWiFi to 512K/128K, you would do the following.
    From within the ISA500 Config Utility, select Networking on the left
    Expand QoS and select General Settings
    Select to Enable WAN QoS and select Save
    Expand WAN QoS and select Traffic Selector (Classification)
    Select Add
    Class Name:                   G-WiFi (In)
    Source Address:                        Any
    Destination Address:      Guest_Network
    Select OK
    Select Add (again)
    Class Name:                   G-WiFi (Out)
    Source Address:                        Guest_Network
    Destination Address:      Any
    Select OK
    Select Save
    Select QoS Policy Profile under QoS, WAN QoS in the Networking section on the left
    Select Add
    Policy Name: G-WiFi (In)
    Select the Inbound Traffic radio button
    Select Add
    Select G-WiFi (In) from the Class drop down menu
    DSCP Marking:  None
    CoS Marking:     7
    Rate-limiting:      512
    Select OK
    Select OK
    Select Add (again)
    Policy Name: G-WiFi (Out)
    Select the Outbound Traffic radio button
    Select Add
    Select G-WiFi (Out) from the Class drop down menu
    Queue:               Q1
    DSCP Marking:  None
    Rate-limiting:      128
    Select OK
    Select OK
    Select Save

  • PEAP - NT Domain Denial Of Service Attack

    I'm looking for some feedback on the following perceived issue.
    Assumptions:
    1) A PEAP implementation where PEAP authentication is configured to use a static NT user/pass combination as credentials.
    2) The ACS has an unknown user policy to check the NT Domain.
    3) Your NT Domain security policy locks accounts after 5 failed login attempts.
    Question:
    Given that PEAP does not enforce client side verification and that any XP SP1 (perhaps the Cisco ACU depending on configuration) client can attempt a PEAP login, if a client maliciously attacks by entering wrong passwords they could create a Denial Of Service (legitimate users will be locked out) attack against the NT Domain.
    Thoughts?

    PEAP does not provide credential caching. Any logins to Windows NT file systems will be separate and subsequent to PEAP login.
    PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration time of the PEAP session timeout is configurable from Cisco Secure ACS graphical user interface (GUI).
    You can find more information in this URL:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c

  • Safari denial of service attack

    Hi all,
    We have a Linux server running the Moodle 2.x Learning Management System that authenticates against a CAS (Central Authentication Service) server, and we have an issue only with Safari browsers, where they send continuous HTTPS requests to the Moodle server. We are having a hard time figuring out what is triggering it, but it is happening in these operating systems that we have seen:
    10.8.5
    10.9.1
    10.9.2
    10.6.8
    With these versions of Safari.
    6.1.3, 7.02, 5.1.10
    There could be other OS and Safari versions, we are not sure. We are doing a "tail -f /var/log/httpd/ssl_request_log" on the Moodle server and we'll see periodic entries like this.
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:32 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    [11/Apr/2014:11:39:33 -0400] 155.47.38.8 TLSv1 AES128-SHA "GET /login/index.php HTTP/1.1" 484
    Some systems have logged a quarter of a million requests per day so it is really kicking the server's butt!
    What is even crazier is I found a professor whose computer was actively hitting the server like this, and I checked his computer and he did not have any Moodle or CAS server windows or tabs open. I went through his cookies and deleted any that were related to those systems and the HTTPS requests continued. Once I closed out of Safari completely the requests stopped, but here is where it got even crazier: when I brought up Safari again the requests started up again, and the Safari window was not even pointing to the Moodle server, it was on his default web page (Google). It makes zero sense to me.
    Almost all of our students and faculty have Macs so it is causing a mini denial of service attack. We haven't seen any issues with Chrome or Firefox.
    Any thoughts?

    You would have to instruct your users to exclude the site from their Top Sites.
    You can permanently exclude a site from your Top Sites. From the Safari menu bar, select
    History ▹ Show Top Sites
    The Top Sites window will open. Position the cursor over the preview of the site you want to exclude. After a moment, an X icon and a pushpin icon will appear in the upper left corner of the preview. Click the X icon.
    The only way to reverse this action is to reset Top Sites. To do that, select
    Safari ▹ Reset Safari...
    In the dialog that opens, check the box marked
    Reset Top Sites
    and uncheck all other boxes. Then click the Reset button. This action will remove all Top Sites and all exclusions.
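
To find out which machines are doing this, and how badly, the server log is enough; the pattern in the post (one client, one URL, many hits inside the same second) is easy to pick out. The following is an added example, not from the thread and not Moodle's or Apache's code. It rebuilds the ssl_request_log excerpt quoted above (15 identical GETs in second :32 and 4 in second :33 from one client) and adds two constructed lines of ordinary traffic from a second client; the threshold of more than 10 identical requests within one second is an assumption chosen for the illustration.

```python
"""Flag clients that hammer one URL, from Apache ssl_request_log lines.

Added example, not from the thread. The first 19 sample lines reproduce the
post's log excerpt; the last two are constructed. The threshold is assumed.
"""
from collections import Counter
import re

# ssl_request_log default format: [time] client protocol cipher "request" size
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>[^"]+)" (?P<size>\S+)$'
)

PAGE_LINE = ('[11/Apr/2014:11:39:%02d -0400] 155.47.38.8 TLSv1 AES128-SHA '
             '"GET /login/index.php HTTP/1.1" 484')
SAMPLE_LINES = [PAGE_LINE % 32] * 15 + [PAGE_LINE % 33] * 4 + [
    # constructed: a second client behaving normally
    '[11/Apr/2014:11:39:32 -0400] 198.51.100.23 TLSv1 AES128-SHA '
    '"GET /course/view.php?id=7 HTTP/1.1" 9120',
    '[11/Apr/2014:11:40:05 -0400] 198.51.100.23 TLSv1 AES128-SHA '
    '"GET /login/index.php HTTP/1.1" 484',
]


def parse_line(line):
    """Return the fields of one ssl_request_log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def bursts(lines, threshold=10):
    """{(ip, path, timestamp): hits} for every client/path pair that exceeded
    `threshold` requests inside a single log second (the timestamp field has
    one-second resolution, so grouping on it gives per-second buckets)."""
    hits = Counter()
    for line in lines:
        r = parse_line(line)
        if r is not None:
            hits[(r["ip"], r["path"], r["ts"])] += 1
    return {k: n for k, n in hits.items() if n > threshold}


def per_client(lines):
    """Total requests per client IP, the number to compare against a sane daily volume."""
    return Counter(r["ip"] for r in map(parse_line, lines) if r is not None)


if __name__ == "__main__":
    for (ip, path, ts), n in sorted(bursts(SAMPLE_LINES).items()):
        print("%s %s %s x%d" % (ts, ip, path, n))
    print(dict(per_client(SAMPLE_LINES)))
```

Run against the real log (for example `python3 flag.py < /var/log/httpd/ssl_request_log` after swapping SAMPLE_LINES for sys.stdin) this gives the list of client addresses to chase down. Since the bursts come from your own users' machines rather than an outside attacker, the report is for contacting those users and applying the Top Sites exclusion above, not for feeding a block list.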

  • IPS: relationship between signatures and network service

    Hello,
    Does anybody know if there is documentation regarding the recommended signatures to be activated depending of the network service being deployed?
    Let's say that I have several servers behind a firewall, therefore, in theory I would only need to activate in my IPS the signatures related to those services, for example, ftp, https, aaa, etc...

    Hi there,
    Depending on the IPS, you should be able to disable signatures for Solaris, OS X, Windows or Linux if you are not using them in your network. The trick is getting the vendor to admit how many signatures the device can handle. They will almost always lie to you.
    Also, if you put sensors in front of and behind your firewalls, you will see which attacks are getting through the firewall; those are the ones that then need to be installed on the IPS to protect against. If you add a 3rd sensor in back of the IPS, you can see how many made it past all your defenses.
    Let me know if that helps a little.
    ~TS
