Configuring "Flooding Detected" alert parameters

Applies To: Forefront Client Security

You can configure the following parameters of flood protection:

  • Auto-approve pending computers—Indicates whether Client Security automatically approves computers that are on the Pending Computers list. When this parameter is set to true, Client Security checks the Pending Computers list once an hour and approves the computers on the list; however, when a "Flooding Detected" alert is triggered, Client Security changes the value of this parameter to false to prevent a flooding computer from being automatically approved. The default setting is true, which automatically approves pending computers.

    When you have resolved a "Flooding Detected" alert parameter, you must manually reset this parameter to true if you want Client Security to resume automatically approving pending computers.

  • Disconnect clients—Indicates whether a client exceeding the maximum number of events should be moved into the Pending Computers list, which disconnects the client from the MOM server. The default setting is to disconnect flooding computers.

  • Maximum allowed parameters per event—Controls the maximum number of parameters that an event message can contain before triggering the flood protection alert. This protects the MOM server from event messages maliciously designed to be too large. The default value for this parameter is 40 parameters per event.

  • Maximum events per computer in OPDB—Controls the number of event messages from a single client (within the past four days) that will trigger the flood protection alert. The default value for this parameter is 5,000 events per computer.

It is recommended that you use the default parameters for disconnecting clients, maximum parameters per event, and maximum events per computer; however, consider changing the default parameters when:

  • Computers generate more events than allowed by the maximum events per computer parameter. This is unlikely but can occur in some organizations.

  • You do not want the console to disconnect computers automatically. Disabling the disconnection of clients that exceed the maximum permitted number of events does not stop DoS attacks. Instead, Client Security will only generate alerts about the possible attack, which may jeopardize the server.

Using the MOM Administrator console, you can configure the parameters for flood detection.

To change "Flooding Detected" alert parameters

  1. On the collection server, open the MOM Administrator console and expand the Microsoft Operations Manager tree, click Management Packs, click Rule Groups, click Microsoft Forefront Client Security, click Server Behaviors, and then click Event Rules.

  2. Double-click Run Flood Protection.

  3. In the Event Rules Properties dialog box, click the Responses tab.

  4. Select the flood protection script and click Edit.

  5. In the Launch a Script dialog box, under Script parameters, select the parameter you want to change and click Edit Parameter.

  6. In the Edit Script Parameter dialog box, enter the new parameter value in the Value box. Valid values depend on which parameter you chose to edit. For details, see the following list:

    • Auto-approve pending computers—To enable automatic approval of pending computers, type true. To disable automatic approval of pending computers, type false. The default value is true.

    • Disconnect clients—To enable disconnection of flooding computers, type 1. To disable disconnection of flooding computers, type 0. The default value is 1.

    • Maximum allowed parameters per event—Type a whole number. The default value is 40.

    • Maximum events per computer in OPDB—Type a whole number. The default value is 5,000.

  7. Click OK three times, and then right-click the Management Packs node and click Commit Configuration Change. MOM implements the changes you made.


Responding to flooding detection