Planning to protect against denial of service flood attacks
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic provides an overview of how to protect against denial of service flood attacks in Forefront TMG. For detailed information and the most up-to-date documentation, please see the Forefront TMG TechNet Library (http://go.microsoft.com/fwlink/?LinkID=131702).
Denial of service (DoS) flood attacks are attempts by a malicious (or unwitting) user, process, or system, to prevent legitimate users from accessing a resource (usually a network service), by flooding network connections.
The following sections provide information that can help you plan to protect against DoS flood attacks on your network with Forefront TMG:
About Forefront TMG flood mitigation
About Forefront TMG flood mitigation
The Forefront TMG flood mitigation mechanism uses:
Connection limits that are used to identify and block malicious traffic.
Logging of flood mitigation events.
Alerts that are triggered when a connection limit is exceeded.
The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack. Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, while Forefront TMG continues to serve all other traffic.
The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following:
Worm propagation—An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate, if there are policy rules based on Domain Name system (DNS) names, which require a reverse DNS lookup for each IP address.
TCP flood attacks—An offending host establishes numerous TCP connections with a Forefront TMG server or victim servers, protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections, in an attempt to elude the counters. This consumes a large amount of resources.
SYN attacks—An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.
HTTP denial of service attacks—A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of resources from Forefront TMG.
Non-TCP distributed denial of service (DDoS) attacks—A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
UDP flood attacks—An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.
Forefront TMG provides a quota mechanism that imposes connection limits for TCP, and non-TCP traffic, handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, Web Proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection.
A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits:
Connection limits, that establish how many TCP connect requests and HTTP requests are allowed from a single IP address, that is not included in the list of IP address exceptions during one minute.
Connection limits, that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address, that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP connections.
Custom connection limits, that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address, that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which would require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.
An attacker may generate a flood attack by using spoofed IP addresses that are included in the exception list. To mitigate this threat, it is recommended that you deploy an Internet Protocol security (IPsec) policy between Forefront TMG, and any trusted IP address included in the list of IP address exceptions. An IPsec policy requires that traffic from these IP addresses is authenticated, thereby helping to effectively block spoofed traffic.
A connection limit that restricts the total number of UDP, ICMP, and other raw IP connections that may be created for a single server publishing, or access rule, during one second.
When configuring a connection limit policy, consider the following:
When the TCP connection limit for an IP address is reached, no additional TCP connections are allowed for the IP address.
The UDP connection limit applies to sessions, rather than to connections. When the UDP connection limit for an IP address is reached, and an attempt is made to create an additional UDP session from that IP address, the oldest UDP session that was created from the applicable IP address is closed, and the new session is established.
When the limit that restricts the number of connections that are created for a single rule during the current second is reached, no new connections are created for traffic that has no connection associated with it, the packets are dropped, and Forefront TMG generates an event that can trigger a "Connection Limit for a Rule Exceeded" alert. After the current second passes, the counter is reset, and new connections can be created during the next second until the limit is reached again.
Only connection attempts that are allowed by the firewall policy are counted for the connection limits described above. Forefront TMG maintains a separate counter for connection attempts that are denied by the firewall policy, for each source IP address. When the number of denied TCP and non-TCP packets from a single IP address during one minute is exceeded, an event that can trigger a "Denied Connections per Minute from One IP Address Limit Exceeded" alert is generated. After the current minute passes, the counter is reset, and the event is generated again when the limit is reached again. However, by default, the alert is not issued again until it is reset.
Additional connection limits for traffic handled by the Web Proxy Filter can be configured in the properties of each Web listener, and in the Web Proxy properties of each network from which outgoing Web requests can be sent.
When you specify a connection limit on a Web listener, you limit the number of connections allowed to Web sites published using the specific Web listener. Web listeners are used in Web publishing rules, and one Web listener may be used in multiple rules.
When you specify a connection limit in the Web proxy properties of a specific network, you limit the number of concurrent outgoing Web connections that are allowed from the network on port 80 at any specific time.
In addition to flood attack and worm propagation mitigation, you can also limit the number of Web proxy connections allowed simultaneously to the Forefront TMG server to control allocation of the system's resources. This is particularly useful when publishing Web servers. Using connection limits, you can limit the number of computers that connect, while allowing specific clients to continue connecting even when the limit is surpassed.