This topic provides an overview of how to protect against denial of service flood attacks in Forefront TMG. For detailed information and the most up-to-date documentation, please see the Forefront TMG TechNet Library (http://go.microsoft.com/fwlink/?LinkID=131702).
Denial of service (DoS) flood attacks are attempts by a malicious (or unwitting) user, process, or system to prevent legitimate users from accessing a resource (usually a network service) by flooding network connections.
The following sections provide information that can help you plan to protect against DoS flood attacks on your network with Forefront TMG:
About Forefront TMG flood mitigation
The Forefront TMG flood mitigation mechanism uses:
- Connection limits that are used to identify and block malicious traffic.
- Logging of flood mitigation events.
- Alerts that are triggered when a connection limit is exceeded.
The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack. Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, while Forefront TMG continues to serve all other traffic.
The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following:
- Worm propagation—An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate if there are policy rules based on Domain Name System (DNS) names, which require a reverse DNS lookup for each IP address.
- TCP flood attacks—An offending host establishes numerous TCP connections with a Forefront TMG server or with victim servers protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections in an attempt to elude the counters. This consumes a large amount of resources.
- SYN attacks—An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections
- HTTP denial of service attacks—A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of Forefront TMG resources.
- Non-TCP distributed denial of service (DDoS) attacks—A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
- UDP flood attacks—An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.
Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web Proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection.
A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits:
- Connection limits that establish how many TCP connect requests and HTTP requests are allowed during one minute from a single IP address that is not included in the list of IP address exceptions.
- Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP
- Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.
Important: An attacker may generate a flood attack by using spoofed IP addresses that are included in the exception list. To mitigate this threat, it is recommended that you deploy an Internet Protocol security (IPsec) policy between Forefront TMG and any trusted IP address included in the list of IP address exceptions. An IPsec policy requires that traffic from these IP addresses is authenticated, thereby helping to effectively block spoofed traffic.
- A connection limit that restricts the total number of UDP, ICMP, and other raw IP connections that may be created for a single server publishing or access rule during one
When configuring a connection limit policy, consider the following:
- When the TCP connection limit for an IP address is reached, no additional TCP connections are allowed for the IP address.
- The UDP connection limit applies to sessions rather than to connections. When the UDP connection limit for an IP address is reached and an attempt is made to create an additional UDP session from that IP address, the oldest UDP session created from that IP address is closed, and the new session is established.
- When the limit that restricts the number of connections created for a single rule during the current second is reached, no new connections are created for traffic that has no connection associated with it: the packets are dropped, and Forefront TMG generates an event that can trigger a "Connection Limit for a Rule Exceeded" alert. After the current second passes, the counter is reset, and new connections can be created during the next second until the limit is reached again.
- Only connection attempts that are allowed by the firewall policy are counted for the connection limits described above. Forefront TMG maintains a separate counter, per source IP address, for connection attempts that are denied by the firewall policy. When the limit on denied TCP and non-TCP packets from a single IP address during one minute is exceeded, an event that can trigger a "Denied Connections per Minute from One IP Address Limit Exceeded" alert is generated. After the current minute passes, the counter is reset, and the event is generated again when the limit is reached again. However, by default, the alert is not issued again until it is reset.
- Additional connection limits for traffic handled by the Web Proxy Filter can be configured in the properties of each Web listener, and in the Web Proxy properties of each network from which outgoing Web requests can be sent.
- When you specify a connection limit on a Web listener, you limit the number of connections allowed to Web sites published using that Web listener. Web listeners are used in Web publishing rules, and one Web listener may be used in
- When you specify a connection limit in the Web proxy properties of a specific network, you limit the number of concurrent outgoing Web connections allowed from the network on port 80 at any specific time.
- In addition to flood attack and worm propagation mitigation, you can also limit the number of Web proxy connections allowed simultaneously to the Forefront TMG server to control allocation of the system's resources. This is particularly useful when publishing Web servers. Using connection limits, you can limit the number of computers that connect, while allowing specific clients to continue connecting even when the limit is
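To make the counting rules above concrete, the following Python model is an added example (not Forefront TMG code; the limit values, rule name, session ids and IP addresses are constructed for the demo and are not TMG defaults). It applies the per-IP connect-request and concurrent-connection quotas with custom limits for an exception-list address, the oldest-session eviction for UDP, the per-second per-rule limit, and the separate denied-connection counter whose event repeats every minute while the alert stays latched until it is reset. The first scenario also shows why the open-and-close churn from the TCP flood description does not elude the per-minute counter: closing a connection frees a concurrent slot but never decrements the request count.

```python
from collections import OrderedDict, defaultdict

DENIED_ALERT = "Denied Connections per Minute from One IP Address Limit Exceeded"
RULE_ALERT = "Connection Limit for a Rule Exceeded"


class FloodMitigator:
    """Toy model of the quota mechanism described above (added example, not TMG code)."""

    def __init__(self, per_minute, tcp_concurrent, udp_concurrent,
                 rule_per_second, denied_per_minute, exceptions=None):
        self.limits = (per_minute, tcp_concurrent, udp_concurrent)
        # exception-list addresses carry their own (per_minute, tcp, udp) custom limits
        self.exceptions = dict(exceptions or {})
        self.rule_per_second = rule_per_second
        self.denied_per_minute = denied_per_minute
        self.requests = defaultdict(int)      # ip -> connect requests this minute
        self.tcp_open = defaultdict(int)      # ip -> concurrent TCP connections
        self.udp = defaultdict(OrderedDict)   # ip -> session ids, oldest first
        self.rule_count = defaultdict(int)    # rule -> connections this second
        self.denied = defaultdict(int)        # ip -> policy-denied packets this minute
        self.events = []                      # every event generated
        self.alerts = []                      # alerts actually issued
        self.latched = set()                  # IPs whose denied alert awaits a reset

    def _limits(self, ip):
        return self.exceptions.get(ip, self.limits)

    def tcp_connect(self, ip, allowed_by_policy=True):
        """One TCP connect request; it counts toward the quotas only if policy allows it."""
        if not allowed_by_policy:
            return self._deny(ip)
        per_minute, tcp_max, _ = self._limits(ip)
        if self.requests[ip] >= per_minute or self.tcp_open[ip] >= tcp_max:
            return "blocked"
        self.requests[ip] += 1
        self.tcp_open[ip] += 1
        return "accepted"

    def tcp_close(self, ip):
        # closing frees a concurrent slot; the per-minute request count is unchanged
        self.tcp_open[ip] = max(0, self.tcp_open[ip] - 1)

    def udp_session(self, ip, session_id):
        """UDP limit applies to sessions: at the limit the oldest session is closed."""
        _, _, udp_max = self._limits(ip)
        sessions = self.udp[ip]
        evicted = None
        if len(sessions) >= udp_max:
            evicted, _ = sessions.popitem(last=False)
        sessions[session_id] = True
        return evicted

    def rule_connection(self, rule):
        """Per-rule limit on new non-TCP connections within the current second."""
        if self.rule_count[rule] >= self.rule_per_second:
            self.events.append((RULE_ALERT, rule))
            return "dropped"
        self.rule_count[rule] += 1
        return "created"

    def _deny(self, ip):
        self.denied[ip] += 1
        if self.denied[ip] >= self.denied_per_minute:
            self.events.append((DENIED_ALERT, ip))   # event repeats each minute
            if ip not in self.latched:               # alert issued once until reset
                self.latched.add(ip)
                self.alerts.append((DENIED_ALERT, ip))
        return "denied"

    def next_second(self):
        self.rule_count.clear()

    def next_minute(self):
        self.requests.clear()
        self.denied.clear()

    def reset_alert(self, ip):
        self.latched.discard(ip)


def demo():
    """Constructed scenario exercising each limit; returns the observations."""
    fm = FloodMitigator(per_minute=5, tcp_concurrent=3, udp_concurrent=2,
                        rule_per_second=2, denied_per_minute=3,
                        exceptions={"10.0.0.2": (50, 20, 20)})  # e.g. a published server
    out = {}
    churn = []   # open/close churn: concurrent count stays 0, per-minute counter still trips
    for _ in range(7):
        r = fm.tcp_connect("192.0.2.10")
        if r == "accepted":
            fm.tcp_close("192.0.2.10")
        churn.append(r)
    out["churn"] = churn
    out["concurrent"] = [fm.tcp_connect("192.0.2.11") for _ in range(4)]
    out["exception"] = [fm.tcp_connect("10.0.0.2") for _ in range(10)]
    out["udp"] = [fm.udp_session("192.0.2.12", s) for s in ("s1", "s2", "s3")]
    rule = [fm.rule_connection("dns-publish") for _ in range(3)]
    fm.next_second()
    rule.append(fm.rule_connection("dns-publish"))
    out["rule"] = rule
    for _ in range(4):                       # minute 1: event at 3 and 4, one alert
        fm.tcp_connect("192.0.2.13", allowed_by_policy=False)
    fm.next_minute()
    for _ in range(3):                       # minute 2: event again, alert still latched
        fm.tcp_connect("192.0.2.13", allowed_by_policy=False)
    fm.reset_alert("192.0.2.13")
    fm.next_minute()
    for _ in range(3):                       # minute 3: event and a fresh alert
        fm.tcp_connect("192.0.2.13", allowed_by_policy=False)
    out["denied_events"] = sum(1 for e in fm.events if e[0] == DENIED_ALERT)
    out["denied_alerts"] = sum(1 for a in fm.alerts if a[0] == DENIED_ALERT)
    return out
```

Run `demo()` to see the per-scenario outcomes. The eviction-instead-of-refusal behaviour for UDP and the event-versus-alert distinction for denied traffic are the two points most often misread when tuning these limits, and they are the two the model makes visible.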