This topic describes how to protect your system from flood attacks. Flood attacks are attempts by malicious users to attack a network, by a HTTP denial of service attack, SYN attack, worm propagation, or any other means that could deplete the victim's resources, or disable its services.
While the default configuration settings for flood mitigation help ensure that Forefront TMG can continue to function under a flood attack, there are some actions you can take during an attack that can further mitigate its effect. For more information about detecting and mitigating flood attacks, as well as other custom settings that may be appropriate for your deployment, see Planning to protect against denial of service flood attacks.
Forefront TMG provides a flood mitigation mechanism that uses the following:
- Connection limits that are used to identify
and block malicious traffic.
- Logging of flood mitigation events.
- Alerts that are triggered when a connection
limit is exceeded.
To configure flood mitigation
-
In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node, and then click the Behavioral Intrusion Detection tab.
-
In the details pane, click Configure Flood Mitigation Settings.
-
On the Flood Mitigation tab, verify that Mitigate flood attacks and worm propagation is selected. This option is selected by default.
-
To modify the settings for each connection limit, click Edit. The following table lists the default values.
Connection limit setting Default values Maximum TCP connect requests per minute per IP address
600 (custom: 6,000)
Maximum concurrent TCP connections per IP address
160 (custom: 400)
Maximum half-open TCP connections (non-configurable)
80
Maximum HTTP requests per minute per IP address
600 (custom: 6,000)
Maximum new non-TCP sessions per minute per rule
1,000
Maximum concurrent UDP sessions per IP address
160 (custom: 400)
Specify how many denied packets trigger an alert
600
-
To log blocked traffic, ensure that Log traffic blocked by flood mitigation settings is selected. This option is selected by default.
-
On the IP Exceptions tab, click Add to add the network objects to which you want to apply the custom limits.
Related Topics
Copyright © 2009 by Microsoft Corporation. All rights reserved.