This topic describes how to protect your system from flood attacks. Flood attacks are attempts by malicious users to attack a network through an HTTP denial-of-service attack, a SYN attack, worm propagation, or any other means that could deplete the victim's resources or disable its services.

While the default configuration settings for flood mitigation help ensure that Forefront TMG can continue to function under a flood attack, there are some actions you can take during an attack that can further mitigate its effect. For more information about detecting and mitigating flood attacks, as well as other custom settings that may be appropriate for your deployment.

Forefront TMG provides a flood mitigation mechanism that uses the following:

  • Connection limits that are used to identify and block malicious traffic.
  • Logging of flood mitigation events.
  • Alerts that are triggered when a connection limit is exceeded.

To configure flood mitigation settings

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node, and then click the Behavioral Intrusion Detection tab.
  2. In the details pane, click Configure Flood Mitigation Settings.
  3. On the Flood Mitigation tab, verify that Mitigate flood attacks and worm propagation is selected. This option is selected by default.
  4. To modify the settings for each connection limit, click Edit. The following table lists the default values; the custom values apply only to the network objects that you add on the IP Exceptions tab (step 6).

     Connection limit setting                                  Default   Custom (IP Exceptions)
     Maximum TCP connect requests per minute per IP address    600       6,000
     Maximum concurrent TCP connections per IP address         160       400
     Maximum half-open TCP connections (non-configurable)      80        n/a
     Maximum HTTP requests per minute per IP address           600       6,000
     Maximum new non-TCP sessions per minute per rule          1,000     n/a
     Maximum concurrent UDP sessions per IP address            160       400
     Specify how many denied packets trigger an alert          600       n/a

  5. To log blocked traffic, ensure that Log traffic blocked by flood mitigation settings is selected. This option is selected by default.
  6. On the IP Exceptions tab, click Add to add the network objects to which you want to apply the custom limits.

Overview of flood mitigation

Microsoft Forefront Threat Management Gateway can help you mitigate connection flooding attacks, which are a common threat to corporate networks. A flood occurs when a malicious user attacks a network in any of a variety of evolving ways with the goal of depleting the victim's resources and disabling its services. A flood also occurs when a worm attempts to propagate itself to other hosts. A flood attack may create any of the following conditions on the Forefront TMG computer:

  • Heavy use of disk space.
  • High CPU load.
  • High memory consumption.
  • High network bandwidth consumption.

The Forefront TMG flood mitigation features include various functions that you can configure and monitor to help ensure that your network stays protected from malicious attacks. The flood mitigation mechanism uses the following:

  • Connection limits that are used to recognize and block malicious traffic.
  • Logging of flood mitigation events.
  • Alerts that are triggered when a connection limit is exceeded.

The default configuration settings for flood mitigation help ensure that Forefront TMG can continue to function, even under a flood attack. This is accomplished when Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, while Forefront TMG continues to serve all other traffic.

Forefront TMG uses connection counters and connection limits to identify and block traffic from clients that generate excessive traffic. Blocking a client once its counter exceeds a limit protects Forefront TMG from the performance cost of evaluating, and continually denying, every individual connection request that a flood generates.

The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following.

  • Worm propagation. An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate if there are policy rules based on DNS names, which require a reverse DNS lookup for each IP address.
  • TCP flood attacks. An offending host establishes numerous TCP connections with a Forefront TMG server or with victim servers protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections in an attempt to stay under the concurrent-connection limit; this is why connect requests are also counted per minute. Either pattern consumes a large amount of resources.
  • SYN attacks. An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
  • HTTP denial-of-service (DoS) attacks. A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. The Forefront TMG Web proxy needs to authenticate every request. This consumes a large amount of resources from Forefront TMG.
  • Non-TCP distributed denial-of-service (DDoS) attacks. A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
  • UDP flood attacks. An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.
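The counters behind the configuration procedure and the attack types listed above, modelled as an added Python example. This is illustrative code written for this page, not Forefront TMG's engine or any Microsoft API: it applies the default and custom limits from the table, treats a list of networks as the IP Exceptions tab, logs each denied event, and raises an alert each time the denied-packet threshold (600) is reached. The counter semantics (a sliding 60-second window for per-minute limits, opened-minus-closed sessions for concurrency limits, one denied event counted as one denied packet towards a single global alert counter), the event names, and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Values from the Flood Mitigation table; CUSTOM_LIMITS apply only to the
# network objects listed on the IP Exceptions tab.
DEFAULT_LIMITS = {"tcp_connect_per_min": 600, "tcp_concurrent": 160,
                  "http_per_min": 600, "udp_concurrent": 160}
CUSTOM_LIMITS = {"tcp_connect_per_min": 6000, "tcp_concurrent": 400,
                 "http_per_min": 6000, "udp_concurrent": 400}
ALERT_AFTER_DENIED = 600  # "Specify how many denied packets trigger an alert"


class FloodMitigator:
    """Illustrative per-IP counters (an assumption for this example, not TMG's
    engine): per-minute limits use a sliding 60 s window, concurrency limits
    count sessions opened but not closed, each denied event is one packet."""

    def __init__(self, exceptions=(), alert_after=ALERT_AFTER_DENIED):
        self.exceptions = [ip_network(net) for net in exceptions]  # IP Exceptions tab
        self.alert_after = alert_after
        self.window = defaultdict(deque)  # (ip, counter) -> timestamps in window
        self.open = defaultdict(int)      # (ip, counter) -> open sessions
        self.denied = defaultdict(int)    # ip -> denied events
        self.denied_total = 0
        self.log = []                     # "Log traffic blocked by flood mitigation"
        self.alerts = []

    def limits_for(self, ip):
        addr = ip_address(ip)
        return CUSTOM_LIMITS if any(addr in n for n in self.exceptions) else DEFAULT_LIMITS

    def _within_rate(self, ip, counter, ts, limit):
        q = self.window[(ip, counter)]
        while q and ts - q[0] >= 60:  # drop events older than one minute
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(ts)
        return True

    def _deny(self, ts, ip, event, reason):
        self.denied[ip] += 1
        self.denied_total += 1
        self.log.append(f"{ts:>7.2f} DENY {ip:<15} {event:<12} {reason}")
        if self.denied_total % self.alert_after == 0:
            self.alerts.append(f"connection limit exceeded ({self.denied_total} denied)")
        return False

    def handle(self, ts, ip, event):
        """Return True if the event is allowed, False if flood mitigation blocks it."""
        lim = self.limits_for(ip)
        if event == "tcp_connect":
            if not self._within_rate(ip, "tcp", ts, lim["tcp_connect_per_min"]):
                return self._deny(ts, ip, event, "TCP connect requests per minute")
            if self.open[(ip, "tcp")] >= lim["tcp_concurrent"]:
                return self._deny(ts, ip, event, "concurrent TCP connections")
            self.open[(ip, "tcp")] += 1
        elif event == "tcp_close":
            self.open[(ip, "tcp")] = max(0, self.open[(ip, "tcp")] - 1)
        elif event == "http_request":  # counted per request, even on one keep-alive connection
            if not self._within_rate(ip, "http", ts, lim["http_per_min"]):
                return self._deny(ts, ip, event, "HTTP requests per minute")
        elif event == "udp_open":
            if self.open[(ip, "udp")] >= lim["udp_concurrent"]:
                return self._deny(ts, ip, event, "concurrent UDP sessions")
            self.open[(ip, "udp")] += 1
        elif event == "udp_close":
            self.open[(ip, "udp")] = max(0, self.open[(ip, "udp")] - 1)
        else:
            raise ValueError(f"unknown event {event!r}")
        return True


def simulate():
    """Run constructed traffic (not captured data) for each attack type above."""
    fm = FloodMitigator(exceptions=["10.0.0.0/24"])
    # TCP flood: 700 connections opened and immediately closed within 35 s.
    # Concurrency never exceeds 1, but the per-minute connect counter trips at 600.
    for i in range(700):
        fm.handle(i * 0.05, "192.0.2.10", "tcp_connect")
        fm.handle(i * 0.05, "192.0.2.10", "tcp_close")
    # HTTP DoS: 700 requests in 28 s over a single keep-alive connection.
    fm.handle(0, "192.0.2.20", "tcp_connect")
    for i in range(700):
        fm.handle(i * 0.04, "192.0.2.20", "http_request")
    # UDP flood: 200 concurrent sessions from one host (limit 160).
    for i in range(200):
        fm.handle(i, "192.0.2.30", "udp_open")
    # SYN-style flood: 2000 connects in 20 s that are never closed.
    for i in range(2000):
        fm.handle(i * 0.01, "192.0.2.40", "tcp_connect")
    # The first burst again, from an IP Exceptions host with the custom 6,000/min limit.
    for i in range(700):
        fm.handle(i * 0.05, "10.0.0.5", "tcp_connect")
        fm.handle(i * 0.05, "10.0.0.5", "tcp_close")
    return fm
```

Running simulate() denies 100 of the open-and-close connects from 192.0.2.10, 100 of the keep-alive HTTP requests, 40 UDP sessions and 1,840 of the unclosed connects (the concurrency limit of 160 stops those long before the per-minute limit does), while the identical burst from 10.0.0.5 passes under the custom limit; the three alerts fire as the denied total crosses 600, 1,200 and 1,800. Because a single attacker can fill a shared alert counter this quickly, raising limits for everyone is the wrong response to an alert; add only the hosts that legitimately need more headroom to the IP Exceptions tab.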


Too often I see administrators disable flood mitigation altogether. This is strongly discouraged. I also see administrators raise connection limits for ALL hosts by clicking on the ‘Edit
