Configuring flood mitigation

Microsoft Forefront Threat Management Gateway provides a flood mitigation mechanism that uses the following:

  • Connection limits that are used to identify and block malicious traffic
  • Logging of flood mitigation events
  • Alerts that are triggered when a connection limit is exceeded

For more information about flood mitigation, see Overview of flood mitigation.

To configure flood mitigation

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Tasks tab, click Configure Flood Mitigation.

  3. On the Flood Mitigation tab, configure the following options:

    • To enable flood mitigation, ensure that Mitigate flood attacks and worm propagation is selected. This option is selected by default.

    • To change a connection limit, select it and click Edit. Each configurable limit has a default value and a custom value: the default applies to every IP address, and the custom (higher) value applies only to the network objects that you list on the IP Exceptions tab. The following table lists the default values.

      Connection limit setting                                  Default value
      Maximum TCP connect requests per minute per IP address    600 (custom: 6,000)
      Maximum concurrent TCP connections per IP address         160 (custom: 400)
      Maximum half-open TCP connections (non-configurable)      80
      Maximum HTTP requests per minute per IP address           600 (custom: 6,000)
      Maximum new non-TCP sessions per minute per rule          1,000
      Maximum concurrent UDP sessions per IP address            160 (custom: 400)
      Specify how many denied packets trigger an alert          600

      Note that the non-TCP session limit is counted per firewall rule, not per client IP address, so a rule that carries a lot of legitimate UDP or ICMP traffic from many clients (DNS, for example) can reach it without any single client misbehaving.

    • To log blocked traffic, ensure that Log traffic blocked by flood mitigation settings is selected. This option is selected by default.

  4. On the IP Exceptions tab, click Add to select the network objects (for example, computer, subnet, or address range objects) to which the custom limits apply instead of the defaults. Keep this list short and limited to trusted hosts that legitimately open many connections, such as downstream proxies or NAT devices that front many clients, because exempted addresses are held to much higher limits.

Optimizing logging in case of attack

Each time a connection limit is exceeded, Forefront TMG raises an alert that identifies the IP address of the offending client. During a flood, logging every blocked packet and raising the same alert over and over consume resources on the Forefront TMG server itself. After you have identified the offending IP addresses from the alerts, perform the following procedure to prevent unnecessary logging and improve Forefront TMG performance until the attack stops.

To improve performance during a flood attack

  1. Disable logging, either on the specific rule that matches the flood traffic or for the firewall altogether, until the flood attack has stopped. Re-enable logging afterwards so that normal traffic is recorded again.

  2. Reconfigure the Connection Limit Exceeded and Connection Limit for a Rule Exceeded alerts (and any other alert that the attack triggers repeatedly) so that they are not raised again and again: in the alert definition, select Only if the alert was manually reset.
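The following model ties the two procedures above together: it applies the connection limits from the table (default values for ordinary clients, custom values for addresses on the IP Exceptions list, the per-rule non-TCP limit, and the denied-packet alert threshold) to a stream of constructed connection events, and then lists the offending IP addresses that the logging tune-down starts from. It is an added example, not code from Forefront TMG or its documentation; the window semantics, the order in which limits are checked, and the alert behaviour are assumptions stated in the module docstring, and the sample traffic is constructed.

```python
"""Model of the Forefront TMG flood-mitigation connection limits.
Added example, not code from Forefront TMG or its documentation. Assumed, not
stated on the page: per-minute limits use a fixed one-minute window; limits are
checked in the order the page lists them; every blocked event is one denied
packet; an alert fires when an IP's denied count first reaches the threshold.
All traffic here is constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values from the page's table: defaults, and custom limits for IP exceptions
DEFAULT_LIMITS = {"tcp_per_min": 600, "tcp_concurrent": 160, "http_per_min": 600, "udp_concurrent": 160}
CUSTOM_LIMITS = {"tcp_per_min": 6000, "tcp_concurrent": 400, "http_per_min": 6000, "udp_concurrent": 400}
NON_TCP_PER_MIN_PER_RULE = 1000  # counted per firewall rule, not per IP address
DENIED_PACKETS_ALERT = 600       # "how many denied packets trigger an alert"

@dataclass
class Event:
    ts: int         # seconds since the start of the sample
    client: str     # client IP address
    kind: str       # tcp_connect | tcp_close | http | udp_open | udp_close
    rule: str = ""  # matching firewall rule, used for the per-rule limit

class FloodMitigator:
    def __init__(self, exceptions=()):
        self.exceptions = [ip_network(n) for n in exceptions]
        self.per_min = Counter()     # (minute, ip-or-rule, counter) -> events
        self.concurrent = Counter()  # (ip, 'tcp'|'udp') -> open sessions
        self.denied = Counter()      # ip -> denied packets
        self.accepted = Counter()    # ip -> accepted events
        self.alerts = []             # alert text, in the order raised

    def limits_for(self, ip):
        """IP Exceptions tab: listed network objects get the custom limits."""
        addr = ip_address(ip)
        return CUSTOM_LIMITS if any(addr in n for n in self.exceptions) else DEFAULT_LIMITS

    def _deny(self, ev, reason):
        self.denied[ev.client] += 1
        if self.denied[ev.client] == DENIED_PACKETS_ALERT:  # assumed alert trigger
            self.alerts.append(f"Connection Limit Exceeded: {ev.client} ({reason})")
        return False

    def _accept(self, ev, key, proto=None):
        self.per_min[key] += 1
        if proto:
            self.concurrent[(ev.client, proto)] += 1
        self.accepted[ev.client] += 1
        return True

    def handle(self, ev):
        """Apply the limits to one event; True if allowed, False if blocked."""
        lim, minute = self.limits_for(ev.client), ev.ts // 60
        if ev.kind == "tcp_connect":
            k = (minute, ev.client, "tcp")
            if self.per_min[k] >= lim["tcp_per_min"]:
                return self._deny(ev, "TCP connect requests per minute")
            if self.concurrent[(ev.client, "tcp")] >= lim["tcp_concurrent"]:
                return self._deny(ev, "concurrent TCP connections")
            return self._accept(ev, k, "tcp")
        if ev.kind == "http":
            k = (minute, ev.client, "http")
            if self.per_min[k] >= lim["http_per_min"]:
                return self._deny(ev, "HTTP requests per minute")
            return self._accept(ev, k)
        if ev.kind == "udp_open":
            k = (minute, ev.rule, "non_tcp")  # keyed on the rule, not the client
            if self.per_min[k] >= NON_TCP_PER_MIN_PER_RULE:
                return self._deny(ev, f"new non-TCP sessions per minute on rule {ev.rule!r}")
            if self.concurrent[(ev.client, "udp")] >= lim["udp_concurrent"]:
                return self._deny(ev, "concurrent UDP sessions")
            return self._accept(ev, k, "udp")
        if ev.kind in ("tcp_close", "udp_close"):
            proto = ev.kind[:3]
            self.concurrent[(ev.client, proto)] = max(0, self.concurrent[(ev.client, proto)] - 1)
            return True
        raise ValueError(f"unknown event kind {ev.kind!r}")

    def offenders(self):
        """Offending IPs, worst first: the list the logging tune-down starts from."""
        return sorted(self.denied.items(), key=lambda kv: kv[1], reverse=True)

def sample_events():
    """Constructed traffic: a connect-flooding host, an exempted relay, a host that never closes UDP sessions, a subnet hitting a per-rule limit."""
    ev = []
    for i in range(1300):  # 10.0.0.7: 1300 short TCP connects, all inside minute 0
        ev += [Event(i % 60, "10.0.0.7", "tcp_connect"), Event(i % 60, "10.0.0.7", "tcp_close")]
    for i in range(700):   # 10.0.0.20 is on the IP Exceptions list
        ev += [Event(i % 60, "10.0.0.20", "tcp_connect"), Event(i % 60, "10.0.0.20", "tcp_close")]
    ev += [Event(5, "10.0.0.5", "udp_open", "Allow DNS") for _ in range(200)]
    ev += [Event(70, f"10.1.{i // 250}.{i % 250 + 1}", "udp_open", "Allow NTP")
           for i in range(1100)]  # 1100 distinct hosts, one rule, one minute
    return ev

def run(events, exceptions=("10.0.0.20/32",)):
    fm = FloodMitigator(exceptions)
    for ev in events:
        fm.handle(ev)
    return fm
```

Running `run(sample_events())` and printing `offenders()` and `alerts` shows the three behaviours the table implies: 10.0.0.7 gets 600 connects through and 700 denied, which crosses the 600 denied-packet threshold and raises one Connection Limit Exceeded alert; the exempted host 10.0.0.20 passes all 700 connects under the 6,000 custom limit; 10.0.0.5 is capped at 160 open UDP sessions; and the NTP rule blocks 100 of 1,100 new sessions from well-behaved hosts, which is the per-rule case worth checking before you attribute a Connection Limit for a Rule Exceeded alert to a single attacker.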