Overview of flood mitigation

Microsoft Forefront Threat Management Gateway can help you mitigate connection flooding attacks that are a prevalent corporate reality. A flood occurs when a malicious user attempts to attack a network in a variety of evolving ways. The goal of a flood attack is to deplete the victim's resources and disable its services. A flood also occurs when a worm attempts to propagate itself to other hosts. A flood attack may create any of the following conditions on the Forefront TMG computer:

  • Heavy use of disk space.
  • High CPU load.
  • High memory consumption.
  • High network bandwidth consumption.

The Forefront TMG flood mitigation features include various functions, which you can configure and monitor to help ensure that your network stays protected from malicious attacks. The flood mitigation mechanism uses the following:

  • Connection limits that are used to recognize and block malicious traffic.
  • Logging of flood mitigation events.
  • Alerts that are triggered when a connection limit is exceeded.

The default configuration settings for flood mitigation help ensure that Forefront TMG can continue to function, even under a flood attack. This is accomplished when Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, while Forefront TMG continues to serve all other traffic.

Forefront TMG uses connection counters and connection limits to identify and block traffic from clients that generate excessive traffic. This protects Forefront TMG from the performance degradation that continually denying flood-driven connection requests would otherwise cause.

The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following.

  • Worm propagation. An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate if there are policy rules based on DNS names, which require a reverse DNS lookup for each IP address.
  • TCP flood attacks. An offending host establishes numerous TCP connections with a Forefront TMG server or victim servers protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections in an attempt to elude the counters. This consumes a large amount of resources.
  • SYN attacks. An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
  • HTTP denial-of-service (DoS) attacks. A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. The Forefront TMG Web proxy needs to authenticate every request. This consumes a large amount of resources from Forefront TMG.
  • Non-TCP distributed denial-of-service (DDoS) attacks. A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
  • UDP flood attacks. An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.

Connection Limits

Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web Proxy clients in forward proxy scenarios and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses and helps administrators identify IP addresses that generate excessive traffic, which may be a symptom of a worm or other malware infection.

A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits.

  • Connection limits that establish how many TCP connect requests and HTTP requests are allowed from a single IP address that is not included in the list of IP address exceptions during one minute.

  • Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not included in the list of IP address exceptions. These include connection limits for TCP connections, for UDP sessions, and for ICMP and other raw IP connections.

  • Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which would require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, to UDP sessions, and to ICMP and other raw IP connections.

    Important

    An attacker may generate a flood attack by using spoofed IP addresses that are included in the exception list. To mitigate this threat, we recommend that you deploy an Internet Protocol security (IPsec) policy between Forefront TMG and any trusted IP address included in the list of IP address exceptions. An IPsec policy requires that traffic from these IP addresses is authenticated, thereby helping to effectively block spoofed traffic. 

  • A connection limit that restricts the total number of UDP, ICMP, and other raw IP connections that may be created for a single server publishing or access rule during one second.

When the TCP connection limit for an IP address is reached, no additional TCP connections are allowed for the IP address.

The UDP connection limit applies to sessions, rather than to connections. When the UDP connection limit for an IP address is reached and an attempt is made to create an additional UDP session from that IP address, the oldest UDP session that was created from the applicable IP address is closed, and the new session is established.

When the limit that restricts the number of connections created for a single rule during the current second is reached, no new connections will be created for traffic that has no connection associated with it, the packets will be dropped, and Forefront TMG will generate an event that can trigger a "Connection Limit for a Rule Exceeded" alert. After the current second passes, the counter is reset, and new connections can be created during the next second until the limit is reached again.

Only connection attempts that are allowed by the firewall policy are counted for the connection limits described above. Forefront TMG maintains a separate counter, per source IP address, for connection attempts that are denied by the firewall policy. When the number of denied TCP and non-TCP packets from a single IP address during one minute exceeds the configured limit, an event that can trigger a "Denied Connections per Minute from One IP Address Limit Exceeded" alert is generated. After the current minute passes, the counter is reset, and the event is generated again when the limit is reached again. However, by default, the alert is not issued again until it is reset.

Additional connection limits for traffic handled by the Web Proxy Filter can be configured in the properties of each Web listener and in the Web Proxy properties of each network from which outgoing Web requests can be sent.

When you specify a connection limit on a Web listener, you limit the number of connections allowed to Web sites published using the specific Web listener. Web listeners are used in Web publishing rules, and one Web listener may be used in multiple rules.

When you specify a connection limit in the Web proxy properties of a specific network, you limit the number of concurrent outgoing Web connections that are allowed from the network on port 80 at any specific time.

In addition to flood attack and worm propagation mitigation, you can also limit the number of Web proxy connections allowed simultaneously to the Forefront TMG server to control allocation of the system's resources. This is particularly useful when publishing Web servers. Using connection limits, you can limit the number of computers that connect, while allowing specific clients to continue connecting even when the limit is surpassed.

Mitigating internal worm propagation

You can understand how connection limits can mitigate attacks by considering a scenario in which several computers on the corporate network become infected with a worm. These computers attempt to propagate the worm across the network. In doing so, each infected host produces a high rate of TCP connect requests to a specific port and random IP addresses as it tries to find other vulnerable computers to infect.

Meanwhile, Forefront TMG monitors the number of TCP connect requests received from each source IP address during each minute and raises alerts about several specific IP addresses, each belonging to an infected host. Each alert is generated because the infected host exceeded the configured limit of allowed TCP connect requests during one minute. From this point, Forefront TMG blocks traffic from each offending host during the remainder of the current minute. When the current minute ends, the counter for each IP address is reset, and Forefront TMG again allows traffic from that IP address. If the connection limit for the same host is exceeded again, traffic is blocked again, and if you manually reset the alert, the alert is triggered again.

Only connection attempts that are allowed by the firewall policy are counted when triggering this alert. If a connection attempt is denied by the firewall policy, Forefront TMG counts the failed connection separately.
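As an added illustration (not Forefront TMG's own code), the following Python model reproduces the counter behaviour described in this worm scenario and in the connection-limit section above: per-minute TCP connect quotas that block an address for the remainder of the minute, concurrent TCP and UDP limits with oldest-UDP-session eviction, custom limits for IP exceptions, the separate denied-connection counter, and alerts that are issued once until reset. It assumes the default limits quoted on this page, replaces wall-clock ticks with an explicit new_minute() call, and does not model the per-rule per-second limit.

```python
from collections import defaultdict, deque

# Default limits quoted on the page; the custom limits apply only to IP address exceptions.
DEFAULT = {"tcp_per_min": 600, "tcp_concurrent": 160, "udp_concurrent": 160}
CUSTOM = {"tcp_per_min": 6000, "tcp_concurrent": 400, "udp_concurrent": 400}
DENIED_PER_MIN = 600                       # denied packets per IP per minute that trigger an alert

class FloodMitigation:                     # toy model of the quota mechanism, not TMG's own code
    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)  # IPs that get the custom limits
        # per-IP counters: connect requests this minute, policy-denied packets this minute, open TCP
        self.connects, self.denied, self.tcp_open = (defaultdict(int) for _ in range(3))
        self.udp = defaultdict(deque)      # concurrent UDP sessions per IP, oldest first
        self.blocked = set()               # IPs blocked for the remainder of this minute
        self.events, self.alerts = [], []  # every event; an alert is issued once until reset

    def _limit(self, ip, key):
        return (CUSTOM if ip in self.exceptions else DEFAULT)[key]

    def _event(self, title):
        self.events.append(title)
        if title not in self.alerts:
            self.alerts.append(title)

    def reset_alert(self, title):          # a manual reset lets the alert be issued again
        self.alerts = [a for a in self.alerts if a != title]

    def tcp_connect(self, ip, allowed_by_policy=True):
        if not allowed_by_policy:          # denied attempts count separately, not against quotas
            self.denied[ip] += 1
            if self.denied[ip] > DENIED_PER_MIN:
                self._event("Denied Connections per Minute from One IP Address Limit Exceeded")
            return "denied"
        if ip in self.blocked:
            return "blocked"
        self.connects[ip] += 1
        if self.connects[ip] > self._limit(ip, "tcp_per_min"):
            self.blocked.add(ip)           # blocked until new_minute() resets the counter
            self._event("TCP Connections per Minute from One IP Address Limit Exceeded")
            return "blocked"
        if self.tcp_open[ip] >= self._limit(ip, "tcp_concurrent"):
            self._event("Concurrent TCP Connections from One IP Address Limit Exceeded")
            return "blocked"
        self.tcp_open[ip] += 1
        return "accepted"

    def tcp_close(self, ip):
        self.tcp_open[ip] -= 1

    def udp_session(self, ip, session_id):
        closed = None
        if len(self.udp[ip]) >= self._limit(ip, "udp_concurrent"):
            closed = self.udp[ip].popleft()  # oldest session is closed, the new one is established
        self.udp[ip].append(session_id)
        return closed

    def new_minute(self):                  # per-minute counters reset and blocked IPs are allowed again
        self.connects.clear(); self.denied.clear(); self.blocked.clear()
```

Driving it with an infected host that opens and closes 601 connections in one minute shows the 601st request blocked and the host staying blocked until new_minute(), while a host in the exceptions set is held only by the custom concurrent limit of 400.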

A built-in Forefront TMG logging mechanism limits the system resources consumed by logging flood traffic by issuing an alert when a threshold is exceeded by a specific source IP address. This same mechanism also limits the total records logged per minute for traffic that is blocked by Forefront TMG policy. Forefront TMG logs the denied requests until there are no longer resources available for logging flood traffic. At this point, Forefront TMG stops logging denied packets.

If the IP address belongs to a user who is not intentionally launching a malicious attack, the user might call the help desk, complaining of loss of connectivity to the Internet. The help desk engineer reviews the Forefront TMG alerts and notes that the user’s host violated the flooding policy. When the computer is checked, a worm is found on the computer. After the worm is removed from the host computer, the host no longer floods Forefront TMG with requests. Traffic from the host is no longer limited, and the user can access the Internet.

Configuring Flood Mitigation

The following table lists the flood mitigation settings on the Flood Mitigation page in Forefront TMG Management.

Setting in Forefront TMG Management | Description
Mitigate flood attacks and worm propagation | Specifies that the Forefront TMG flood mitigation mechanism is enabled.
Maximum TCP connect requests per minute per IP address | Mitigates TCP flood attacks by blocking requests from an IP address from which more than the specified number of TCP connect requests arrive during the current minute. The default limit is 600, and the default custom limit is 6,000.
Maximum concurrent TCP connections per IP address | Mitigates TCP flood attacks by blocking requests from an IP address with which more than the specified number of TCP connections exist. The default limit is 160, and the default custom limit is 400.
Maximum half-open TCP connections | Mitigates SYN attacks by blocking requests from an IP address with which more than the specified number of half-open TCP connections exist. This limit is automatically calculated as half of the value of the Maximum concurrent TCP connections per IP address.
Maximum HTTP requests per minute per IP address | Mitigates HTTP denial-of-service (DoS) attacks by blocking requests from an IP address from which more than the specified number of HTTP requests arrive during the current minute. The default limit is 600, and the default custom limit is 6,000.
Maximum new non-TCP sessions per minute per rule | Mitigates non-TCP distributed denial-of-service (DDoS) attacks by blocking requests allowed by a specific rule when more than the specified number of non-TCP sessions allowed by the rule are created during the current second. The default limit is 1,000. No custom limit can be configured.
Maximum concurrent UDP sessions per IP address | Mitigates UDP flood attacks by blocking requests from an IP address with which more than the specified number of UDP sessions exist. The default limit is 160, and the default custom limit is 400.
Specify how many denied packets trigger an alert | Specifies the number of logged denied packets from a single IP address during one minute that will trigger an alert. The default number is 600. No custom limit can be configured.
Log traffic blocked by flood mitigation settings | Specifies that a log entry will be generated for each request that is blocked by the flood mitigation mechanism. In general, we recommend that you enable this option. In case of a flood attack, however, after you identify the list of offending IP addresses, disable this option to prevent high resource consumption.
IP Exceptions | Computer sets to which the custom limits are applied.

Logging flood mitigation activity

Logging of traffic blocked by flood mitigation can be enabled. When logging is enabled, a log entry is generated for each request that is blocked by the flood mitigation mechanism.

The following table shows the error code returned by the Microsoft Firewall service that may appear in the Firewall log when you enable logging for blocked traffic.

Result code | Hexadecimal code | Details
WSA_RWS_QUOTA or FWX_E_RULE_QUOTA_EXCEEDED_DROPPED | 0x80074E23 | A connection was rejected because the connection limit specifying the maximum number of connections that can be created for a rule during one second was exceeded.
FWX_E_RULE_QUOTA_EXCEEDED_DROPPED | 0xC0040033 | A connection was rejected because the connection limit specifying the maximum number of connections that can be created for a rule during one second was exceeded.
FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED | 0xC0040037 | A connection was rejected because the connection limit specifying the maximum number of concurrent connections for a single client host was exceeded.
FWX_E_DNS_QUOTA_EXCEEDED | 0xC0040036 | A DNS query could not be performed because the query limit was reached.
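The step this page recommends after enabling logging, identifying the offending IP addresses, can be scripted over an exported log. The following Python is an added example, not part of the original page or product: it keys on the result codes in the table above, tallies flood-mitigation blocks per client IP and per rule, and reports the busiest clients. The log layout is a constructed, simplified tab-separated format (time, client IP, rule, result code), not the real Forefront TMG firewall log schema; adjust the field positions to your export.

```python
from collections import Counter

# Result codes listed on the page for traffic blocked by flood mitigation (compared in lower case).
FLOOD_CODES = {
    "0x80074e23": "WSA_RWS_QUOTA",                       # page lists this code under both names
    "0xc0040033": "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED",
    "0xc0040037": "FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED",
    "0xc0040036": "FWX_E_DNS_QUOTA_EXCEEDED",
}
RULE_CODES = {"WSA_RWS_QUOTA", "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED"}  # per-rule limits

# Constructed sample in a simplified layout: date-time, client IP, rule, result code.
# This is NOT the real TMG firewall log schema; map the columns of your own export.
SAMPLE_LOG = """\
#Fields: date-time\tc-ip\trule\tresultcode
2010-06-01 10:00:01\t10.0.0.7\tAllow Web\t0x0
2010-06-01 10:00:01\t10.0.0.7\tAllow Web\t0xC0040037
2010-06-01 10:00:02\t10.0.0.7\tAllow Web\t0xC0040037
2010-06-01 10:00:02\t10.0.0.9\tPublish DNS\t0xC0040033
2010-06-01 10:00:03\t10.0.0.7\tAllow Web\t0xC0040036
2010-06-01 10:00:03\t10.0.0.12\tAllow Web\t0x0
2010-06-01 10:00:04\t10.0.0.9\tPublish DNS\t0x80074E23
"""

def parse(text):
    """Yield (timestamp, client_ip, rule, result_code) for each record line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blank and directive lines
            continue
        ts, ip, rule, code = line.split("\t")
        yield ts, ip, rule, code.lower()

def flood_summary(text):
    """Count flood-mitigation blocks per client IP, per result code name, and per rule."""
    by_ip, by_code, by_rule = Counter(), Counter(), Counter()
    for _ts, ip, rule, code in parse(text):
        name = FLOOD_CODES.get(code)
        if name is None:        # allowed traffic or a non-flood denial: out of scope here
            continue
        by_ip[ip] += 1
        by_code[name] += 1
        if name in RULE_CODES:  # a per-rule limit points at the rule, not only at one client
            by_rule[rule] += 1
    return by_ip, by_code, by_rule

def offenders(text, min_blocks=2):
    """Client IPs with at least min_blocks flood-mitigation blocks, busiest first."""
    by_ip, _, _ = flood_summary(text)
    return [ip for ip, n in by_ip.most_common() if n >= min_blocks]

if __name__ == "__main__":
    by_ip, by_code, by_rule = flood_summary(SAMPLE_LOG)
    print("blocks per client IP:", dict(by_ip))
    print("blocks per result code:", dict(by_code))
    print("rule-quota drops per rule:", dict(by_rule))
    print("hosts to check for infection or a missing custom limit:", offenders(SAMPLE_LOG))
```

A host that appears here repeatedly is either the infected or attacking host the page describes, or a legitimate chained proxy or NAT device that belongs in the IP exceptions list with a custom limit.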

Flood mitigation alerts

The following table lists all the possible alerts that might be issued in case of a flood attack.

Alert title | Event description
Concurrent TCP Connections from One IP Address Limit Exceeded | The number of concurrent TCP connections allowed from one IP address was exceeded.
Connection Limit Exceeded | An IP address exceeded its connection limit.
Connection Limit for a Rule was Exceeded | The number of connections per second allowed for a rule was exceeded.
Denied Connections per Minute from One IP Address Limit Exceeded | The number of connections per minute from one IP address blocked by the firewall policy exceeded the configured limit.
Global denied packets rate limit | The number of denied TCP and non-TCP sessions per second exceeded the allowed limit.
HTTP Requests from One IP Address Limit Exceeded | The number of HTTP requests per minute from one IP address exceeds the configured limit.
Low Non-Paged Pool | The size of the free non-paged pool fell below the system-defined minimum.
Low Non-Paged Pool Recovered | The size of the free non-paged pool exceeded the system-defined minimum.
Non-TCP Sessions from One IP Address Limit Exceeded | The number of non-TCP sessions allowed from one IP address was exceeded.
Pending DNS Requests Resource Usage Limit Exceeded | The percentage of threads used for pending DNS requests out of the total number of available threads exceeded the system-defined maximum.
Pending DNS Requests Resource Usage Limit within Limits | The percentage of threads used for pending DNS requests out of the total number of available threads is back below the system-defined maximum, and connections that require DNS name resolution can be accepted.
SYN Attack | Forefront TMG detected a SYN attack.
TCP Connections per Minute from One IP Address Limit Exceeded | The number of TCP connections per minute allowed from one IP address was exceeded.

Flood mitigation events

The following table lists some events that Forefront TMG generates when a flood mitigation connection limit is exceeded. These events are displayed in Windows Event Viewer.

Event ID | Message
15112 | A new connection initiated from SourceIpAddress was rejected because the connection limit for this IP address was exceeded. Larger custom connection limits should be configured for the IP addresses of chained proxy servers and back-to-back Forefront TMG computers with a NAT relationship.
15113 | Forefront TMG disconnected a non-TCP connection from SourceIpAddress because the connection limit for this IP address was exceeded. Larger custom connection limits should be configured for the IP addresses of chained proxy servers and back-to-back Forefront TMG computers with a NAT relationship.
15114 | Forefront TMG disconnected a connection because a connection limit was exceeded. Larger custom connection limits should be configured for the IP addresses of chained proxy servers and back-to-back Forefront TMG computers with a NAT relationship.
15116 | The request was denied because the number of connections per second allowed for a rule was exceeded.
15117 | The request was denied because the number of connections per second allowed for the RuleName rule was exceeded.
15120 | The number of concurrent TCP connections from the source IP address SourceIpAddress exceeded the configured limit. As a result, Forefront TMG will not allow the creation of new TCP connections from this source IP. This IP address probably belongs to an attacker or an infected host.
21279 | The number of pending DNS name resolution requests exceeds the system-defined maximum. Forefront TMG will reject new connections that require Forefront TMG to send a DNS name resolution request. This event may indicate a flood attack or worm propagation to random IP addresses when there is a policy rule that restricts access to one or more destinations specified by domain names.
21284 | The number of denied connections from the source IP address IpAddress exceeded the configured limit. This may indicate that the host is infected or is attempting an attack on the Forefront TMG computer.