Configuring flood mitigation
Microsoft Forefront Threat Management Gateway provides a flood mitigation mechanism that uses the following:
- Connection limits that are used to identify and block malicious traffic
- Logging of flood mitigation events
- Alerts that are triggered when a connection limit is exceeded
For more information about flood mitigation, see Overview of flood mitigation.
To configure flood mitigation
In the Forefront TMG Management console tree, click Firewall Policy.
On the Tasks tab, click Configure Flood Mitigation.
On the Flood Mitigation tab, configure the following options:
To enable flood mitigation, ensure that Mitigate flood attacks and worm propagation is selected. This option is selected by default.
You can configure the settings for each connection limit by clicking Edit. The following table lists the default values.
Connection limit setting                                  Default value
Maximum TCP connect requests per minute per IP address     600 (custom: 6,000)
Maximum concurrent TCP connections per IP address          160 (custom: 400)
Maximum half-open TCP connections (non-configurable)       80
Maximum HTTP requests per minute per IP address            600 (custom: 6,000)
Maximum new non-TCP sessions per minute per rule           1,000
Maximum concurrent UDP sessions per IP address             160 (custom: 400)
Specify how many denied packets trigger an alert           600
The custom values are the defaults for the custom limit, which applies only to the network objects listed on the IP Exceptions tab; all other clients are subject to the default limit.
To log blocked traffic, ensure that Log traffic blocked by flood mitigation settings is selected. This option is selected by default.
On the IP Exceptions tab, click Add to add network objects to which you want to apply the custom limits.
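To make the meaning of the limits in the table concrete, the following added example models how a per-minute limit, a concurrent-connection limit, the IP Exceptions custom limit and the denied-packet alert threshold interact. It is not Forefront TMG code and does not reproduce TMG's internal implementation: the sliding one-minute window, the "alert fires once when the denied-packet count reaches the threshold" behaviour, the class and function names, and the client addresses (10.0.0.5, 10.0.0.9, 10.1.1.20) are all assumptions made for illustration, and the half-open, HTTP and UDP limits from the table are left out for brevity.

```python
"""Model of the Forefront TMG flood-mitigation connection limits listed above.

Added example, not TMG code: it applies the table's default and custom limits to
a constructed stream of TCP connect events so the per-minute window, concurrent
connection counting, IP exceptions and the denied-packet alert threshold can be
seen working. Class/function names and sample addresses are hypothetical.
"""
from collections import defaultdict, deque

# Defaults from the Flood Mitigation tab; the custom limit applies to network
# objects listed on the IP Exceptions tab.
DEFAULT_LIMITS = {"tcp_connect_per_minute": 600, "concurrent_tcp": 160}
CUSTOM_LIMITS = {"tcp_connect_per_minute": 6000, "concurrent_tcp": 400}
ALERT_AFTER_DENIED_PACKETS = 600   # "Specify how many denied packets trigger an alert"
WINDOW_SECONDS = 60


class FloodMitigation:
    """Per-IP TCP connect-rate and concurrent-connection limiter (hypothetical model)."""

    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)      # addresses on the IP Exceptions tab
        self._connects = defaultdict(deque)    # ip -> connect timestamps inside the window
        self._open = defaultdict(int)          # ip -> currently open TCP connections
        self.allowed = defaultdict(int)
        self.denied = defaultdict(int)
        self.alerts = []                       # ips for which an alert was raised

    def _limits(self, ip):
        return CUSTOM_LIMITS if ip in self.exceptions else DEFAULT_LIMITS

    def tcp_connect(self, ip, t):
        """Handle a TCP connect request from ip at time t (seconds). True if allowed."""
        lim = self._limits(ip)
        window = self._connects[ip]
        while window and t - window[0] >= WINDOW_SECONDS:
            window.popleft()                   # assumed sliding one-minute window
        over_rate = len(window) >= lim["tcp_connect_per_minute"]
        over_concurrent = self._open[ip] >= lim["concurrent_tcp"]
        if over_rate or over_concurrent:
            self._deny(ip)
            return False
        window.append(t)
        self._open[ip] += 1
        self.allowed[ip] += 1
        return True

    def tcp_close(self, ip):
        """A connection from ip finished; free one concurrent slot."""
        if self._open[ip] > 0:
            self._open[ip] -= 1

    def _deny(self, ip):
        # Every denied packet counts toward the alert threshold; the alert is
        # raised once, when the count reaches it (assumed semantics).
        self.denied[ip] += 1
        if self.denied[ip] == ALERT_AFTER_DENIED_PACKETS:
            self.alerts.append(ip)


def run_scenario():
    """Constructed traffic: a connect flood, a client that never closes, an exception host."""
    fm = FloodMitigation(exceptions={"10.1.1.20"})
    # 1) 10.0.0.5 sends 1,300 connects within about 26 s, closing each at once:
    #    600 pass, 700 are denied, and the 600th denial raises the alert.
    for i in range(1300):
        if fm.tcp_connect("10.0.0.5", i * 0.02):
            fm.tcp_close("10.0.0.5")
    # 2) Once the minute window has slid past, the same client is allowed again.
    reopened = fm.tcp_connect("10.0.0.5", 100.0)
    fm.tcp_close("10.0.0.5")
    # 3) 10.0.0.9 opens 200 connections and never closes them: 160 pass, 40 denied.
    for i in range(200):
        fm.tcp_connect("10.0.0.9", i * 0.1)
    # 4) 10.1.1.20 is on the IP Exceptions tab, so the 6,000 / 400 limits apply.
    for i in range(1300):
        if fm.tcp_connect("10.1.1.20", i * 0.02):
            fm.tcp_close("10.1.1.20")
    return {
        "flood_allowed": fm.allowed["10.0.0.5"],
        "flood_denied": fm.denied["10.0.0.5"],
        "flood_allowed_after_window": reopened,
        "concurrent_allowed": fm.allowed["10.0.0.9"],
        "concurrent_denied": fm.denied["10.0.0.9"],
        "exception_allowed": fm.allowed["10.1.1.20"],
        "alerts": list(fm.alerts),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scenario shows why the IP Exceptions tab matters: a busy but legitimate host (a proxy or a NAT gateway fronting many users) hits the 600-per-minute or 160-concurrent default long before a single workstation would, so it should be placed on the exceptions list rather than having the default limits raised for everyone.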
Optimizing logging in case of attack
Each time that a connection limit is exceeded, Forefront TMG generates an alert indicating the IP address of the offending client. After you identify the list of offending IP addresses, perform the following procedure to prevent unnecessary logging. This helps improve Forefront TMG performance during a flood attack.
To improve performance during a flood attack
Disable logging, either on the specific rule that matches the flood traffic or for all rules, until the flood attack stops. Re-enable it as soon as the attack subsides: while logging is disabled, blocked traffic leaves no record in the firewall log.
Reconfigure the Connection Limit Exceeded and Connection Limit for a Rule Exceeded alerts (and any other alerts that the attack triggers repeatedly) so that they are not raised again and again: select Only if the alert was manually reset.