Setting flood mitigation connection limits

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to protect your system from flood attacks. A flood attack is an attempt by a malicious user to attack a network by an HTTP denial-of-service attack, a SYN attack, worm propagation, or any other means that could deplete the victim's resources or disable its services.

While the default configuration settings for flood mitigation help ensure that Forefront TMG can continue to function under a flood attack, there are some actions you can take during an attack that can further mitigate its effect. For more information about detecting and mitigating flood attacks, as well as other custom settings that may be appropriate for your deployment, see Planning to protect against denial of service flood attacks.

Forefront TMG provides a flood mitigation mechanism that uses the following:

  • Connection limits that are used to identify and block malicious traffic.

  • Logging of flood mitigation events.

  • Alerts that are triggered when a connection limit is exceeded.

To configure flood mitigation

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node, and then click the Behavioral Intrusion Detection tab.

  2. In the details pane, click Configure Flood Mitigation Settings.

  3. On the Flood Mitigation tab, verify that Mitigate flood attacks and worm propagation is selected. This option is selected by default.

  4. To modify the settings for each connection limit, click Edit. The following table lists the default values.

    Connection limit setting                                   Default values
    Maximum TCP connect requests per minute per IP address     600 (custom: 6,000)
    Maximum concurrent TCP connections per IP address          160 (custom: 400)
    Maximum half-open TCP connections (non-configurable)       80
    Maximum HTTP requests per minute per IP address            600 (custom: 6,000)
    Maximum new non-TCP sessions per minute per rule           1,000
    Maximum concurrent UDP sessions per IP address             160 (custom: 400)
    Specify how many denied packets trigger an alert           600

  5. To log blocked traffic, ensure that Log traffic blocked by flood mitigation settings is selected. This option is selected by default.

  6. On the IP Exceptions tab, click Add to add the network objects to which you want to apply the custom limits (the "custom" values in the table) instead of the default limits.
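The following model shows how the three pieces of the mechanism listed above (per-IP connection limits, a blocked-traffic log, and an alert once enough packets have been denied) fit together, and how an IP exception switches a source to the custom limits. It is an added illustration written for this topic, not Forefront TMG's own code or its administration API; the class and method names, the sliding-window counting, and the sample addresses are the example's own assumptions. Only the TCP connect-rate, concurrent-TCP, HTTP-rate and denied-packet-alert settings from the table are modelled.

```python
"""Toy model of per-IP flood-mitigation connection limits.

Added illustration, not Forefront TMG code: it models the behaviour the
settings table describes (per-IP connect-requests-per-minute and
concurrent-connection limits, a custom limit set for IP exceptions, a log
of blocked traffic, and an alert once enough packets have been denied).
All class, method and field names here are the example's own.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Limits:
    tcp_connects_per_minute: int
    concurrent_tcp: int
    http_requests_per_minute: int


# Default and "custom" (IP exception) values taken from the topic's table.
DEFAULT = Limits(tcp_connects_per_minute=600, concurrent_tcp=160, http_requests_per_minute=600)
CUSTOM = Limits(tcp_connects_per_minute=6000, concurrent_tcp=400, http_requests_per_minute=6000)
DENIED_PACKETS_ALERT_THRESHOLD = 600   # "Specify how many denied packets trigger an alert"


class FloodMitigator:
    def __init__(self, exceptions=(), window_seconds=60):
        self.exceptions = set(exceptions)    # IPs listed on the IP Exceptions tab
        self.window = window_seconds         # "per minute" is modelled as a sliding window
        self.connects = defaultdict(deque)   # ip -> timestamps of TCP connect requests
        self.http = defaultdict(deque)       # ip -> timestamps of HTTP requests
        self.open_tcp = defaultdict(int)     # ip -> currently open TCP connections
        self.denied = 0                      # running count of denied packets
        self.log = []                        # blocked-traffic log entries (time, ip, reason)
        self.alerts = []                     # alerts raised by the denied-packet threshold

    def limits_for(self, ip):
        return CUSTOM if ip in self.exceptions else DEFAULT

    def _count_in_window(self, dq, now):
        # Drop timestamps older than the window, then report what is left.
        while dq and dq[0] <= now - self.window:
            dq.popleft()
        return len(dq)

    def _deny(self, ip, reason, now):
        self.denied += 1
        self.log.append((now, ip, reason))
        if self.denied == DENIED_PACKETS_ALERT_THRESHOLD:
            self.alerts.append((now, "denied-packet threshold reached"))
        return False

    def tcp_connect(self, ip, now):
        """Decide whether one TCP connect request from `ip` at time `now` is allowed."""
        lim = self.limits_for(ip)
        dq = self.connects[ip]
        dq.append(now)                       # every request counts, allowed or not
        if self._count_in_window(dq, now) > lim.tcp_connects_per_minute:
            return self._deny(ip, "tcp-connects-per-minute", now)
        if self.open_tcp[ip] >= lim.concurrent_tcp:
            return self._deny(ip, "concurrent-tcp", now)
        self.open_tcp[ip] += 1
        return True

    def tcp_close(self, ip):
        if self.open_tcp[ip] > 0:
            self.open_tcp[ip] -= 1

    def http_request(self, ip, now):
        """Decide whether one HTTP request from `ip` at time `now` is allowed."""
        lim = self.limits_for(ip)
        dq = self.http[ip]
        dq.append(now)
        if self._count_in_window(dq, now) > lim.http_requests_per_minute:
            return self._deny(ip, "http-requests-per-minute", now)
        return True


def simulate_syn_flood(ip="192.0.2.10", attempts=800, mitigator=None):
    """Constructed scenario: one source (documentation address) opens `attempts`
    connections within a second and never closes them. Returns
    (allowed, denied, mitigator) so the log and alerts can be inspected."""
    m = mitigator or FloodMitigator()
    allowed = sum(1 for i in range(attempts) if m.tcp_connect(ip, 0.001 * i))
    return allowed, len(m.log), m


if __name__ == "__main__":
    allowed, denied, m = simulate_syn_flood()
    print(f"default limits: {allowed} allowed, {denied} denied, alerts={m.alerts}")
    allowed, denied, m = simulate_syn_flood(mitigator=FloodMitigator(exceptions=["192.0.2.10"]))
    print(f"custom limits:  {allowed} allowed, {denied} denied, alerts={m.alerts}")
```

With the default limits the concurrent-connection limit (160) is what stops the flood first, and the remaining 640 denied requests push the denied-packet count past 600, so exactly one alert is raised; with the same source listed as an IP exception, 400 connections are allowed and the 400 denials stay below the alert threshold. The HTTP counter behaves the same way, except that it resets as old requests age out of the one-minute window.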

Concepts

Configuring protection from network attacks
Planning to protect against denial of service flood attacks