ISA Firewall Flood Mitigation Settings
I never ceased to be amazed when I go to conferences and talk about the ISA Firewall. There are still a number of MS network admins out there who think that the ISA Firewall is some sort of revved version of Proxy Server 2.0. It surprises them when I talk about the ISA Firewall, as I always make it clear that the ISA Firewall is a network firewall first, middle and last. Any proxy components included with the ISA Firewall are an extension of the ISA Firewall's core feature feature set and firewall technologies.
I recently had an interesting conversation with someone who is very well versed with the PIX and Check Point firewalls, and he pointed out to me that the new flood mitigation settings included with the 2006 ISA Firewall make the ISA Firewall more secure and more resilient to attack than the traditional hardware firewalls out on the market. I thought this was an amazing admission by someone who I considered a dyed-in-the-wool "hardware" firewall guy.
If you haven't had a chance to check out the new flood mitigation settings on the 2006 ISA Firewall, you can find the configuration interface in the General node located under the Configuration node in the left pane of the ISA Firewall console. In the middle pane of the General node, click the Configure Flood Mitigation Settings link. You'll see the Flood Mitigation dialog box as it appears in the figure below.
What do all these options mean? Check this out:
Maximum concurrent TCP connections per IP address: Edit
ISA Server mitigates a TCP flood attack that occurs when an offending host maintains numerous TCP connections with ISA Server or other servers.
Click to edit the maximum number of TCP connections allowed concurrently per IP address. The default limit is 160. The custom limit for IP address exceptions is 400.
Maximum half-open TCP connections: View
ISA Server mitigates SYN attacks. In a SYN attack, an offending host sends TCP SYN messages without completing the TCP handshake.
Click to view the maximum number of TCP connect requests allowed per minute, per IP address. ISA Server limits the number of concurrent half-open TCP connections to half the number of concurrent connections configured for concurrent TCP connections. You cannot change this default.
Maximum HTTP requests per minute per IP address: Edit
ISA Server mitigates denial of service (DoS) attacks. In a DoS attack, an offending host sends numerous HTTP requests to victim Web sites.
Click to edit the maximum number of HTTP requests allowed per minute per IP address. The default limit is 600. The custom limit for IP exceptions is 6,000.
Maximum new non-TCP sessions per minute per rule: Edit
ISA Server mitigates non-TCP DoS attacks. In a non-TCP DoS attack, malicious hosts send numerous non-TCP packets to a victim server. The specific non-TCP traffic is denied by an ISA Server rule.
Click to edit the maximum number of non-TCP sessions allowed per minute per rule. The default limit is 1,000. You cannot specify IP exceptions for this mitigation.
Maximum concurrent UDP sessions per IP address: Edit
ISA Server mitigates UDP flood attacks. In a UDP flood attack, an offending host sends numerous UDP messages to victim hosts.
When a UDP flood attack occurs, ISA Server discards older sessions, so that no more than the specified number of connections are allowed concurrently.
Click to edit the maximum number of UDP sessions allowed per IP address. The default limit is 160. The custom limit for IP exceptions is 400.
Specify how many denied packets trigger an alert: Edit
ISA Server raises an alert if the number of denied packets from a specific IP address exceeds a preconfigured threshold. The specified limit applies to all IP addresses.
Click to edit the number of denied packets, which when exceeded, triggers an alert.
Log traffic blocked by flood mitigation settings
Select to log all traffic that is blocked by flood mitigation settings. When you select this option, a log record will be generated for each request rejected by the flood mitigation mechanism.
In general, we recommend that you select this option. In case of flood attack, however, after you identify the list of offending IP addresses, disable this option to prevent high resource consumption
For the most part, you'll never need to make any changes to these settings. If you want to know more about how these settings work with the 2006 ISA Firewall, check out the Microsoft paper on Flood Mitigation with ISA Firewalls at http://www.microsoft.com/technet/isa/2006/flood_resiliency.mspx