Apr 15, 2010

Lately I received a couple of questions asking if I could explain a bit more about the Flood Mitigation settings within Microsoft ISA Server 2006. Before we start, you should know that pretty much the same settings are also available in Microsoft Forefront Threat Management Gateway (TMG). I’m not going to tell you exactly how you should configure it, since you need to find your own balance. Rather, I’m going to tell you what the settings mean. I think it’s more important to understand what they do than to give you some numbers. 🙂

So let’s start off with a screenshot of the Flood Mitigation settings in Microsoft ISA Server 2006:

[Screenshot: Flood Mitigation settings]

This is the page which can help you in preventing DoS attacks, SYN attacks or other kinds of flood attacks, so adjusting these options should be done with care. For example: when you configure the settings to be more relaxed and allow a large number of connections, it could potentially cause the ISA Server to get overloaded with high CPU, disk, memory or network usage and slow to a crawl. On the other hand, if you configure it to be strict and not allow very many connections, the ISA Server will reject new connection requests from an IP address as soon as it exceeds its quota. After one minute, ISA Server resets the quota for this IP address and the traffic is no longer blocked. If the client again exceeds the quota, ISA Server once again blocks the traffic for one minute.

So finding the correct balance is probably the thing to do. Personally, I would recommend that you use the default settings first. When certain IP addresses exceed the default values, begin by investigating why this is happening. If there is a legitimate reason, you can add that IP address to the IP Exceptions tab. For example, in my experience with some clients I’ve noticed that Citrix can generate a high number of HTTP connections per minute. In those cases, I add the Citrix servers to the IP Exceptions list. For one client, I used this list to raise the connection limit from the default 600 to 6,000 HTTP connections per minute, which was enough.

Of course Microsoft has posted an excellent article about this. The table below, which I copied from the article, tells a lot about the settings. Actually, I think it tells all you need to know. 🙂

ISA Server mitigation / Defaults

TCP connect requests per minute, per IP address
Mitigation: ISA Server mitigates flood attacks that occur when an attacking IP address sends numerous TCP connect requests. ISA Server also protects against worm propagations that occur when an infected host scans the network for vulnerable hosts.
Defaults: By default, ISA Server limits the number of TCP requests per client to 600 per minute. You can configure custom limit exceptions for specific IP addresses. By default, this limit is set to 6,000 requests per minute.

TCP concurrent connections per IP address
Mitigation: ISA Server mitigates a TCP flood attack that occurs when an offending host maintains numerous TCP connections with ISA Server or other servers.
Defaults: By default, ISA Server limits the number of TCP concurrent connections per client to 160. You can configure custom limit exceptions for specific IP addresses. By default, this limit is set to 400 concurrent connections per client.

TCP half-open connections
Mitigation: ISA Server mitigates SYN attacks. In a SYN attack, an offending host sends TCP SYN messages without completing the TCP handshake.
Defaults: By default, ISA Server limits the number of concurrent half-open TCP connections to half the number of concurrent connections configured for concurrent TCP connections. You cannot change this default.

HTTP requests per minute, per IP address
Mitigation: ISA Server mitigates DoS attacks. In a DoS attack, an offending host sends numerous HTTP requests on the same TCP connection to victim Web sites.
Defaults: By default, ISA Server limits the number of HTTP requests per client to 600 per minute. You can configure custom limit exceptions for specific IP addresses. By default, this limit is set to 6,000 requests per minute.

Non-TCP new sessions per minute, per rule
Mitigation: ISA Server mitigates non-TCP DoS attacks. In a non-TCP DoS attack, malicious hosts send numerous non-TCP packets to a victim server. The specific non-TCP traffic is allowed by an ISA Server rule.
Defaults: By default, ISA Server limits the number of non-TCP sessions per minute to 1,000, for the specific protocol (rule).

UDP concurrent sessions per IP address
Mitigation: ISA Server mitigates UDP flood attacks. In a UDP flood attack, an offending host sends numerous UDP messages to victim hosts. When a UDP flood attack occurs, ISA Server discards older sessions, so that no more than the specified number of connections is allowed concurrently.
Defaults: By default, ISA Server limits the number of concurrent UDP sessions per IP address to 160. You can configure custom limit exceptions for specific IP addresses. By default, this limit is set to 400 sessions per client.
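To make the per-IP quota, the one-minute block and reset, and the IP Exceptions behaviour described above concrete, here is an added Python model of the "connect requests per minute, per IP address" limit. It is my own illustration, not ISA Server code; it assumes fixed one-minute windows and the default limits from the table, and the IP addresses and request rates are constructed sample values.

```python
from collections import defaultdict


class FloodMitigation:
    """Toy model of ISA Server's per-IP 'requests per minute' quota.

    Assumption (not ISA's exact implementation): each IP address gets a
    fixed one-minute window. Once it exceeds its limit, further requests
    in that minute are rejected; at the next minute the counter resets and
    the block is lifted, exactly as the post describes.
    """

    def __init__(self, default_limit=600, exception_limit=6000, exceptions=()):
        self.default_limit = default_limit      # table default: 600/min
        self.exception_limit = exception_limit  # IP Exceptions default: 6,000/min
        self.exceptions = set(exceptions)       # IPs listed on the IP Exceptions tab
        self._counts = defaultdict(int)         # ip -> requests seen this minute
        self._window = {}                       # ip -> minute index being counted
        self.alerts = []                        # (ip, minute) when a limit was exceeded

    def limit_for(self, ip):
        """Exception-list addresses get the higher limit, everyone else the default."""
        return self.exception_limit if ip in self.exceptions else self.default_limit

    def connect(self, ip, t):
        """Return True if a connect request from ip at time t (seconds) is allowed."""
        minute = int(t // 60)
        if self._window.get(ip) != minute:
            # New minute: quota resets and any block on this IP is lifted.
            self._window[ip] = minute
            self._counts[ip] = 0
        self._counts[ip] += 1
        limit = self.limit_for(ip)
        if self._counts[ip] > limit:
            if self._counts[ip] == limit + 1:   # log once per blocked minute
                self.alerts.append((ip, minute))
            return False
        return True


def simulate(mitigation, ip, rate_per_minute, minutes):
    """Send evenly spaced requests from ip; return (allowed, rejected) totals."""
    allowed = rejected = 0
    for m in range(minutes):
        for i in range(rate_per_minute):
            t = m * 60 + i * 60 / rate_per_minute
            if mitigation.connect(ip, t):
                allowed += 1
            else:
                rejected += 1
    return allowed, rejected
```

Running `simulate` with a 1,000-request-per-minute client shows the default address being cut off at 600 each minute and unblocked at the next, while the same rate from an address on the exceptions list passes untouched.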