ISA Server 2006 Flood Mitigation
Beginning with ISA Server 2000, Microsoft implemented some rudimentary anti-spoofing and intrusion detection features. ISA Server 2004 added more features to defend against intrusion attempts. ISA Server 2006 adds further techniques to defend against network attacks, among them the Flood Mitigation settings, which help protect the firewall and the networks behind it against connection floods and worm propagation. This article focuses on the ISA Server 2006 Flood Mitigation settings.
Threats and countermeasures
Organizations face a range of network threats. The table below highlights some of them and the ISA Server 2006 feature that counters each.
| Threat | Feature |
|---|---|
| Worms that spread from user to user and from network to network | IP spoofing alerts, connection quotas, enhanced flood protection, intrusion detection, and protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks |
| An increasing number of attacks on externally facing resources | Intrusion detection and protection against DHCP poisoning and IP fragmentation attacks can be configured easily to protect the corporate network. |
| IP spoofing attacks | IP spoofing protection in ISA Server 2006. ISA Server checks that the source IP address of each packet belongs to the network associated with the adapter on which it arrived. |
Types of Attacks
To understand how attackers work, you need to know which types of attacks exist. The following table gives an overview of some attack types.
| Attack | Description |
|---|---|
| Internal worm attack over a TCP connection | Clients are infected by the worm and distribute it over different ports to other computers on the network. |
| Connection table exploit | An attacker tries to fill the connection table with bogus requests so that ISA Server cannot fulfill legitimate requests. |
| Sequential TCP connections during a flood attack | An attacker sequentially opens and immediately closes many TCP connections to bypass the concurrent-connection quota while still consuming a lot of ISA Server resources. |
| Hypertext Transfer Protocol (HTTP) DDoS using existing connections | An attacker sends an excessive number of HTTP requests through an existing TCP connection that is kept open by HTTP keep-alive. |
Configuring Attack Mitigation Features
ISA Server 2006 includes some attack mitigation features which you can configure and monitor with the management console.
- HTTP connection limits
- Flood Attack and Worm propagation features
- Limit the number of concurrent users
- Protection against specific attacks like IP spoofing, DNS overflows and DHCP poisoning, plus intrusion detection
Flood Attack and Worm Propagation Mitigation
A flood attack is an attempt by a malicious user to overwhelm a machine or a network with garbage packets (TCP, UDP or other). A flood attack may cause one or more of the following:
- Heavy disk load and resource consumption on the firewall
- High CPU load
- High memory consumption
- High network bandwidth consumption
With ISA Server 2006 you can set a maximum number of connection requests per client during a defined time period, or a maximum number of concurrent connections per IP address. When a client reaches its limit, new connection requests from that client are denied and dropped.
The default configuration settings help to ensure that ISA Server can continue to function, even when ISA is under a flood attack.
| Attack | ISA Mitigation | Defaults |
|---|---|---|
| Flood attack. A specific IP address tries to open many connections to many different IP addresses. | TCP connect requests per minute, per IP address. | By default, ISA Server limits the number of TCP connect requests per client to 600 per minute. Keep in mind that some legitimate applications create a high number of connection attempts. |
| Flood attack. A specific IP address tries to flood ISA Server by maintaining numerous TCP connections concurrently. | Concurrent TCP connections per IP address. | ISA Server limits the number of concurrent TCP connections per client to 160. |
| SYN attack. A malicious client tries to flood ISA Server 2006 with a large number of half-open TCP connections. | ISA Server mitigates SYN attacks. | ISA Server limits the number of concurrent half-open TCP connections to half the number configured for concurrent TCP connections. This setting cannot be changed. |
| User Datagram Protocol (UDP) flood attack. A single IP address opens a large number of UDP sessions as a denial of service attack. | UDP concurrent sessions per IP address. When a UDP flood occurs, ISA Server closes older sessions so that no more than the specified number of sessions is open concurrently. | ISA Server limits the number of concurrent UDP sessions per IP address to 160; the custom limit applied to IP exceptions defaults to 400. |
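To show how the limits in the table interact, here is an added Python model of the per-IP quotas. It is example code, not ISA Server code and not from the original article: it implements a connect-rate quota per minute, a concurrent-connection quota, a half-open quota fixed at half the concurrent quota, and an exception list that receives higher custom limits. The one-minute sliding window, the custom limits of 6000 connects per minute and 400 concurrent connections, and the client addresses are assumptions for the example, not values from the page.

```python
"""Model of the ISA Server 2006 per-IP TCP flood limits described in the table.

Added example, not ISA Server code. Assumptions: a one-minute sliding window
for the connect-rate quota, and custom limits of 6000 connects per minute and
400 concurrent connections for excepted addresses.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Defaults from the article's table.
DEFAULT_TCP_PER_MINUTE = 600
DEFAULT_TCP_CONCURRENT = 160
# Custom limits granted to IP exceptions (assumed values for this example).
CUSTOM_TCP_PER_MINUTE = 6000
CUSTOM_TCP_CONCURRENT = 400


class FloodMitigation:
    """Tracks, per client IP, recent connect attempts and open connections."""

    def __init__(self, exceptions=()):
        self.exceptions = [ip_network(e) for e in exceptions]
        self.connects = defaultdict(deque)   # ip -> times of admitted SYNs in last 60 s
        self.half_open = defaultdict(int)    # SYN seen, handshake not yet completed
        self.established = defaultdict(int)
        self.drops = defaultdict(lambda: defaultdict(int))  # ip -> reason -> count

    def limits(self, ip):
        """Return (connects per minute, concurrent connections) for this client."""
        if any(ip_address(ip) in net for net in self.exceptions):
            return CUSTOM_TCP_PER_MINUTE, CUSTOM_TCP_CONCURRENT
        return DEFAULT_TCP_PER_MINUTE, DEFAULT_TCP_CONCURRENT

    def syn(self, ip, now):
        """Client `ip` sends a SYN at time `now` (seconds). Returns True if admitted."""
        per_minute, concurrent = self.limits(ip)
        recent = self.connects[ip]
        while recent and now - recent[0] >= 60:
            recent.popleft()                 # expire attempts older than one minute
        if len(recent) >= per_minute:
            self.drops[ip]["rate"] += 1      # TCP connect requests per minute exceeded
            return False
        # Half-open quota is fixed at half the concurrent quota and has no exceptions.
        if self.half_open[ip] >= concurrent // 2:
            self.drops[ip]["half-open"] += 1
            return False
        if self.half_open[ip] + self.established[ip] >= concurrent:
            self.drops[ip]["concurrent"] += 1
            return False
        recent.append(now)
        self.half_open[ip] += 1
        return True

    def handshake_done(self, ip):
        self.half_open[ip] -= 1
        self.established[ip] += 1

    def closed(self, ip):
        self.established[ip] -= 1


def run_scenario(ip, attempts, complete, close, exceptions=()):
    """Send `attempts` SYNs from `ip` spread over one minute and return
    (admitted, drops-by-reason). `complete` finishes each handshake; `close`
    tears the connection down again before the next attempt (the "sequential
    connections" pattern from the attack table)."""
    fm = FloodMitigation(exceptions)
    admitted = 0
    for i in range(attempts):
        now = i * (60 / attempts)            # all attempts fall inside one window
        if fm.syn(ip, now):
            admitted += 1
            if complete:
                fm.handshake_done(ip)
                if close:
                    fm.closed(ip)
    return admitted, dict(fm.drops[ip])


if __name__ == "__main__":
    print("sequential open/close:", run_scenario("10.0.0.5", 700, True, True))
    print("SYN flood (never completes):", run_scenario("10.0.0.6", 200, False, False))
    print("holds connections open:", run_scenario("10.0.0.7", 200, True, False))
    print("same host as IP exception:",
          run_scenario("10.0.0.5", 700, True, True, exceptions=["10.0.0.0/24"]))
```

The three default scenarios hit three different limits: the host that opens and closes 700 connections in a minute is stopped by the 600-per-minute rate quota, the SYN flood is stopped after 80 half-open connections (half of 160) regardless of rate, and the host that keeps connections open is stopped at 160 concurrent. Only the rate and concurrent limits are relaxed for the excepted address; the half-open rule stays at half of whatever concurrent limit applies.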
Flood attack configuration
You can configure Flood Mitigation in the ISA Server 2006 Management console.
All ISA Server 2006 flood mitigation features, together with the other protections such as those against DNS attacks, are found under the Configuration - General node of the management console.
Figure 1: ISA Server Additional Security Policy
In the Configure Flood Mitigation Settings dialog you can enable protection against flood attacks and worm propagation, and enable logging of blocked traffic.
Figure 2: General flood mitigation settings
Many of the flood mitigation settings allow you to configure custom limits for specific IP addresses. Grant such exceptions only to hosts you have verified are not compromised and whose traffic is legitimate, because an excepted address is held only to the higher custom limit.
Figure 3: Custom limits for IP exceptions
For some settings, such as the limit on half-open TCP connections, no exceptions can be set.
Figure 4: Connection settings without exceptions
IP exceptions
Not every detected flood is a real attack by a malicious user. There are legitimate reasons for some clients to open more connections at a time, or to more IP addresses, than the defaults allow. After confirming that the client has a legitimate reason for the traffic, and that ISA Server has enough resources for the additional connections, you can create IP exceptions as shown in the following picture.
Figure 5: Connection settings
Configure alerts
As an administrator you want to know when flood or spoofing attacks occur. ISA Server 2006 lets you configure alert definitions that notify you by e-mail, write to the event log, run a program or stop and start services.
Figure 6: Configure alert definitions
You can create notifications for several alerts, such as SYN attacks and connection limits exceeded per second or per IP address.
Figure 7: Configure alert definitions for high TCP connections per minute
Logging Flood Mitigation
ISA Server 2006 logs connections refused by flood mitigation with the result codes shown in the following table.
| Result code | Hex ID | Details |
|---|---|---|
| WSA_RWS_QUOTA | 0x80074E23 | A connection was refused because a quota was exceeded. |
| FWX_E_RULE_QUOTA_EXCEEDED_DROPPED | 0xC0040033 | A connection was rejected because the maximum number of connections created per second for this rule was exceeded. |
| FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED | 0xC0040037 | A connection was rejected because the maximum connections rate for a single client host was exceeded. |
| FWX_E_DNS_QUOTA_EXCEEDED | 0xC0040035 | A DNS query could not be performed because the query limit was reached. |
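Because these codes land in the firewall log, you can aggregate them per client to tell an infected host from a legitimately busy one before deciding on an IP exception. The following Python script is an added example, not ISA Server code and not from the original article. The log excerpt inside it is constructed for the example and uses a reduced set of W3C fields; a real ISA W3C firewall log carries many more columns, but the parser keys on the #Fields: header, so the column order does not matter. The threshold of three refusals is an arbitrary choice for the example.

```python
"""Summarise flood-mitigation refusals from an ISA Server 2006 firewall log.

Added example, not ISA Server code. SAMPLE_LOG is constructed for this
example with a reduced W3C field set; the parser reads the #Fields: header,
so it works on any column order as long as no field value contains spaces.
"""
from collections import Counter, defaultdict

# Result codes from the article's table.
QUOTA_CODES = {
    0x80074E23: "WSA_RWS_QUOTA",
    0xC0040033: "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED",
    0xC0040037: "FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED",
    0xC0040035: "FWX_E_DNS_QUOTA_EXCEEDED",
}

# Constructed sample, not a real capture. Empty W3C fields would appear as "-".
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Fields: client-ip date time dest-ip dest-port protocol action result-code
10.0.0.5 2007-03-01 09:15:01 192.0.2.10 80 TCP Denied 0xC0040037
10.0.0.5 2007-03-01 09:15:01 192.0.2.11 445 TCP Denied 0xC0040037
10.0.0.7 2007-03-01 09:15:02 192.0.2.10 80 TCP Allowed 0x0
10.0.0.5 2007-03-01 09:15:02 192.0.2.12 139 TCP Denied 0xC0040037
10.0.0.9 2007-03-01 09:15:03 192.0.2.10 80 TCP Denied 0x80074E23
10.0.0.5 2007-03-01 09:15:03 192.0.2.13 445 TCP Denied 0xC0040037
10.0.0.5 2007-03-01 09:15:04 192.0.2.53 53 UDP Denied 0xC0040035
10.0.0.7 2007-03-01 09:15:05 192.0.2.10 80 TCP Denied 0xC0040033
"""


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields: header for the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log record before #Fields: header")
            yield dict(zip(fields, line.split()))


def result_code(value):
    """Normalise a result code written as hex ('0xC0040037') or as a signed
    32-bit decimal ('-1073479625') to an unsigned int."""
    value = value.strip().lower()
    if value.startswith("0x"):
        return int(value, 16)
    return int(value) & 0xFFFFFFFF


def quota_refusals(text):
    """Return {client-ip: Counter{code name: count}} for quota-related refusals."""
    per_ip = defaultdict(Counter)
    for rec in parse_w3c(text):
        code = result_code(rec["result-code"])
        if code in QUOTA_CODES:
            per_ip[rec["client-ip"]][QUOTA_CODES[code]] += 1
    return per_ip


def hosts_over_threshold(per_ip, threshold):
    """Clients with at least `threshold` quota refusals: inspect these for worm
    activity (many short connections to many destinations) before even
    considering an IP exception for them."""
    return sorted(ip for ip, codes in per_ip.items() if sum(codes.values()) >= threshold)


if __name__ == "__main__":
    summary = quota_refusals(SAMPLE_LOG)
    for ip in sorted(summary):
        print(ip, dict(summary[ip]))
    print("review:", hosts_over_threshold(summary, 3))
```

In the constructed sample, 10.0.0.5 is refused four times by the per-client TCP rate quota while targeting ports 80, 139 and 445 on different hosts, which is the worm pattern from the attack table, whereas 10.0.0.9 hit a quota once; only the first host is worth an investigation, and neither is an obvious candidate for an exception.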
Conclusion
Microsoft ISA Server 2006 introduces a feature called Flood Mitigation. With it you can limit the number of concurrent TCP and UDP sessions and the rate of new connections per client. This limits the effect on ISA Server of SYN attacks, worm propagation and many other known attacks.
Marc Grote is an MCSA/MCSE Messaging & Security and Microsoft Certified Trainer. He works as a freelance IT trainer and consultant in the north of Germany and as a part-time employee of Invenate GmbH in Hanover (Germany), where he is a consultant for Microsoft server infrastructure.