To configure flood mitigation
  1. In the console tree of ISA Server Management, click General.

  2. In the details pane, click Configure Flood Mitigation Settings.

  3. On the Flood Mitigation tab, configure the following options:

    • Select Mitigate flood attacks and worm propagation to enable flood mitigation. This is selected by default.
    • For each type of potential attack, click Edit to configure the mitigation settings.
    • Select Log traffic blocked by flood mitigation settings if you want to log the blocked traffic. This is selected by default.
  4. On the IP Exceptions tab, click Add to add network elements to which you want to apply a custom limit.

Optimizing logging in case of attack

Each time a flood mitigation limit is exceeded, ISA Server generates an alert, indicating the IP address of the offending client. After you identify the list of offending IP addresses, to prevent unnecessary logging, perform the following procedure. This helps improve ISA Server performance during a flood.

To improve ISA Server performance during a flood
  1. Disable logging either on the specific rule that matches the flood or altogether until the flood attack is stopped.

  2. Reconfigure the Connections Limit alerts (or any other types of alerts that may be triggered repeatedly as a result of the specific attack) to Manually Reset.

For more information about network protection in ISA Server, see Network Protection Concepts in ISA Server 2006 at the Microsoft ISA Server TechCenter Web site (http://www.microsoft.com).
To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click General.
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click General.
An attacker may generate a flood attack by using spoofed IP addresses, which are included in the exception list. To mitigate this threat, we recommend that you deploy an Internet Protocol security (IPsec) policy between ISA Server and any trusted IP address included in the IP exception list. An IPSec policy will enforce that traffic from these IP addresses is authenticated, thereby effectively blocking spoofed traffic.
When you disable the log for denied log entries, you can identify only potential alerts.
In Enterprise Edition, custom limits that you configure for the flood mitigations apply to all array members. When counting connections, the count is incremented against the side of the connection that initially initiated the connection.