ISA Server 2006 Flood Mitigation

by [Published on 12 Feb. 2008 / Last Updated on 20 May 2013]

How ISA Server 2006 Flood Mitigation protects against different attacks like SYN flooding, worms, and an unexpected large number of TCP and/or UDP connections.

Beginning with ISA Server 2000, Microsoft implemented some rudimentary anti-spoofing and intrusion detection features. ISA Server 2004 introduced more features to fight against intrusion detection attacks. ISA Server 2006 adds additional techniques to fight against spam. New technologies included are the Flood Mitigation settings that should help protect against threats. This article focuses on ISA Server 2006 Flood mitigation settings.


Get your copy of the German language "Microsoft ISA Server 2006 - Das Handbuch"

Threats and countermeasures

There are different threats in our world. The below table highlights some of these threats and also shows the relevant ISA Server 2006 feature that fights it.

Threat

Feature

Worms that flow from user to user and network to network

  • IP alert spoofing
  • Connection Quotas
  • Enhanced Flood Protection
  • Intrusion Detecion
  • Protection against Denial of Service (DoS) and Distributed Denial of Service attacks

An increasing number of attacks on externally facing resources

  • Possible attacks through DHCP poisioning, Intrusion Detection and IP Fragmentation can be configured easily, to protect the corporate network.

Protection against IP spoofing attacks

  • IP spoofing protection in ISA Server 2006. ISA Server 2006 protects against IP spoofing by checking the validity of the source IP address in the packet.

Table 1: Threats and features

Types of Attacks

To know how “Hackers” work, you need to know about the art of hacking and which types of attacks exist. The following table is an overview of some attack types.

Attack

Description

Internal worm attack over a TCP connection

Clients will be infected from the worm and they will distribute the worm over different ports to other computers on the network.

Connection table exploit

An attacker tries to fill the connection table with bad requests, so that ISA server cannot fullfill legitimate requests.

Sequential TCP connections during flood attack

An attacker tries to sequentially open and intermediately close many TCP connections to bypass the quota mechanism to consume a lot of ISA resources.

Hypertext Transfer Protocol (HTTP) DDoS using existing connections

An attacker sends an excessive amount of HTTP requests through an existing TCP connection which uses the Keep alive interval.

Table 2: Type of Attacks

Configuring Attack Mitigation Features

ISA Server 2006 includes some attack mitigation features which you can configure and monitor with the management console.

  • HTTP connection limits
  • Flood Attack and Worm propagation features
  • Limit the number of concurrent users
  • Protection against specific attacks like IP spoofing, DNS overflows, DHCP poisioning and intrusion detection

Flood Attack and Worm Propagation Mitigation

A flood attack is defined as an attack from a malicious user when this user tries to flood a machine or a network with garbage TCP packets. A flood attack may cause one of the following reactions:

  • Heavy disk load and resource consumption on the firewall
  • High CPU load
  • High memory consumption
  • High network bandwidth consumption

With ISA Server 2006 it is possible to set a maximum number of connections during a defined time period or a maximum number of connections for an IP address. When the number of maximum client requests has been reached, any new client requests are denied and connections are dropped.

The default configuration settings help to ensure that ISA Server can continue to function, even when ISA is under a flood attack.

Attack

ISA Mitigation

Defaults

Flood attack. A specific IP address tries to open many connections to many different IP addresses.

TCP connect requests per minute, per IP address.

By default, ISA Server limits the number of TCP requests per client to 600 per minute. Keep in mind that there are some legitimate applications that could create a high number of connection attempts.

Flood attack. A specific IP address tries to flood ISA Server by maintaining numerous TCP connections concurrently.

Concurrent TCP connections per IP address.

ISA Server limits the number of TCP concurrent connections per client to 160.

SYN attack. A malicious client tries to flood ISA Sever 2006 with a large amount of half-open TCP connections.

ISA Server mitigates SYN attacks.

ISA Server limits the number of concurrent half-open TCP connections to half the number of concurrent connections configured for concurrent TCP connections. This setting cannot be changed.

User Datagram Protocol (UDP) flood attack. A IP address tries to start a denial of service attack.

UDP concurrent sessions per IP address.

When a UDP flood attack occurs, ISA Server closes older sessions, so that no more than the specified number of connections is allowed concurrently.

ISA Server limits the number of concurrent UDP sessions per IP address to 160. This limit is configurable to 400 concurrent UDP sessions.

Table 3: ISA protection

Flood attack configuration

You can configure Flood Mitigation in the ISA Server 2006 Management console.

All ISA Server 2006 flood mitigation features and other techniques against DNS attacks can be found under the Configuration - General node.


Figure 1:
ISA Server Additional Security Policy

In the Configure Flood Mitigation Settings it is possible to enable protection against flood and worm propagation and blocked traffic logging.


Figure 2:
General flood mitigation settings

Many of the flood mitigation settings allow you to configure custom limits for specific IP addresses. You can then rest assured that these IP addresses are not compromised and the traffic is legitimate.


Figure 3:
Custom limits for IP exceptions

There are some settings like connection limits for TCP half-open connections for which you cannot set any exceptions.


Figure 4:
Connection settings without exceptions

IP exceptions

Not every attack is an real attack from a hacker or malicious user. There are some reasons for clients to create more connections at a time or IP address. After clarifying that the client has a legal reason for so much traffic and you are sure that ISA server has enough resources for additional connections, it is possible to create IP exceptions as shown in the following picture.


Figure 5:
Connection settings

Configure alerts

As an administrator you would like to know when flood attacks or spoofing attacks occur. ISA Server 2006 allows you to configure alert definitions to alert you via e-mail, event log and more.


Figure 6:
Configure alert definitions

It is possible to create a notification for several alerts like SYN attacks and over limit connections per second or per IP address.


Figure 7:
Configure alert definitions for high TCP connections per minute

Logging Flood Manipulation

ISA Server 2006 logs flood manipulation attempts, as you can see in the following table.

Result code

Hex ID

Details

WSA_RWS_QUOTA

0x80074E23

A connection was refused because a quota was exceeded.

FWX_E_RULE_QUOTA_EXCEEDED_DROPPED

0xC0040033

A connection was rejected because the maximum number of connections created per second for this rule was exceeded.

FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED

0xC0040037

A connection was rejected because the maximum connections rate for a single client host was exceeded.

FWX_E_DNS_QUOTA_EXCEEDED

0xC0040035

A DNS query could not be performed because the query limit was reached.

Table 4: ISA Flood Mitigation logging (Source: Microsoft)

Conclusion

Microsoft ISA Server 2006 introduces a new feature called Flood Mitigation. With the help of Flood Mitigation you can limit the number of current TCP and UDP sessions. This can help to limit the effects of attacks to ISA Server like SYN attacks, worm attacks and many more known attacks.

Related links

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in TMG/UAG Server, Exchange, System Center, Security for Windows Server 2012 and Windows Server 2012 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004.

Latest Contributions

Featured Links