Beginning with ISA Server 2000, Microsoft implemented some rudimentary anti-spoofing and intrusion detection features. ISA Server 2004 added more features to detect and fight intrusion attempts. ISA Server 2006 adds further techniques to fight spam, and among its new technologies are the Flood Mitigation settings, which should help protect against these threats. This article focuses on the ISA Server 2006 Flood Mitigation settings.
Threats and countermeasures
There are many different threats. The table below highlights some of them and shows the ISA Server 2006 feature that counters each.
Threat | Feature
Worms that flow from user to user and network to network |
An increasing number of attacks on externally facing resources |
Protection against IP spoofing attacks |
Table 1: Threats and features
Types of Attacks
To understand how attackers work, you need to know which types of attacks exist. The following table gives an overview of some attack types.
Attack | Description
Internal worm attack over a TCP connection | Clients are infected by the worm and distribute it over different ports to other computers on the network.
Connection table exploit | An attacker tries to fill the connection table with bad requests so that ISA Server cannot fulfill legitimate requests.
Sequential TCP connections during a flood attack | An attacker sequentially opens and immediately closes many TCP connections to bypass the quota mechanism and consume a lot of ISA Server resources.
Hypertext Transfer Protocol (HTTP) DDoS using existing connections | An attacker sends an excessive number of HTTP requests through an existing TCP connection that is kept open by the keep-alive interval.
Table 2: Types of attacks
Configuring Attack Mitigation Features
ISA Server 2006 includes several attack mitigation features that you can configure and monitor in the management console:
- HTTP connection limits
- Flood attack and worm propagation mitigation
- A limit on the number of concurrent users
- Protection against specific attacks such as IP spoofing, DNS overflows and DHCP poisoning, plus intrusion detection
Flood Attack and Worm Propagation Mitigation
A flood attack is an attack in which a malicious user tries to flood a machine or a network with garbage TCP packets. A flood attack may cause one or more of the following:
- Heavy disk load and resource consumption on the firewall
- High CPU load
- High memory consumption
- High network bandwidth consumption
With ISA Server 2006 you can set a maximum number of connections during a defined time period, or a maximum number of connections per IP address. When the maximum number of client requests has been reached, new client requests are denied and the connections are dropped.
The default configuration settings help to ensure that ISA Server can continue to function even while it is under a flood attack.
Attack | ISA Mitigation | Defaults
Flood attack. A specific IP address tries to open many connections to many different IP addresses. | TCP connect requests per minute, per IP address. | By default, ISA Server limits the number of TCP connect requests per client to 600 per minute. Keep in mind that some legitimate applications can create a high number of connection attempts.
Flood attack. A specific IP address tries to flood ISA Server by maintaining numerous TCP connections concurrently. | Concurrent TCP connections per IP address. | ISA Server limits the number of concurrent TCP connections per client to 160.
SYN attack. A malicious client tries to flood ISA Server 2006 with a large number of half-open TCP connections. | ISA Server mitigates SYN attacks. | ISA Server limits the number of concurrent half-open TCP connections to half the number configured for concurrent TCP connections. This setting cannot be changed.
User Datagram Protocol (UDP) flood attack. An IP address tries to start a denial of service attack. | UDP concurrent sessions per IP address. When a UDP flood attack occurs, ISA Server closes older sessions so that no more than the specified number of sessions is allowed concurrently. | ISA Server limits the number of concurrent UDP sessions per IP address to 160. This limit is configurable up to 400 concurrent UDP sessions.
Table 3: ISA protection
Flood attack configuration
You can configure Flood Mitigation in the ISA Server 2006 Management console.
All ISA Server 2006 flood mitigation features, and other techniques against DNS attacks, can be found under the Configuration – General node.
Figure 1: ISA Server Additional Security Policy
In the Configure Flood Mitigation Settings dialog you can enable protection against flood attacks and worm propagation, and enable logging of blocked traffic.
Figure 2: General flood mitigation settings
Many of the flood mitigation settings allow you to configure custom limits for specific IP addresses. Do this only for addresses where you are sure that the host is not compromised and its traffic is legitimate.
Figure 3: Custom limits for IP exceptions
Some settings, such as the connection limit for half-open TCP connections, do not allow any exceptions.
Figure 4: Connection settings without exceptions
IP exceptions
Not every apparent attack is a real attack from a hacker or malicious user. Some clients have legitimate reasons to create more connections at a time or from a single IP address. Once you have confirmed that the client has a legitimate reason for so much traffic, and you are sure that ISA Server has enough resources for the additional connections, you can create IP exceptions as shown in the following picture.
Figure 5: Connection settings
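The quota rules of Table 3 and the per-IP exceptions just described, written out as a small Python model so the interplay of the limits can be seen (added example, not ISA Server code). The FloodGuard class, its method names and the exceptions dictionary are constructed assumptions; the limits and result code names come from Tables 3 and 4.

```python
from collections import defaultdict, deque

TCP_RATE_PER_MINUTE = 600   # TCP connect requests per minute, per IP
TCP_CONCURRENT = 160        # concurrent TCP connections per IP
UDP_CONCURRENT = 160        # concurrent UDP sessions per IP (configurable up to 400)
RATE_EXCEEDED = "FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED"  # 0xC0040037
QUOTA_EXCEEDED = "WSA_RWS_QUOTA"                        # 0x80074E23


class FloodGuard:
    """Constructed model of per-source-IP quotas; `exceptions` maps an IP to custom limits."""

    def __init__(self, exceptions=None):
        self.exceptions = exceptions or {}   # e.g. {"10.0.0.5": {"rate": 1000, "udp": 400}}
        self.connects = defaultdict(deque)  # ip -> connect times in the last 60 s
        self.half_open = defaultdict(int)   # ip -> SYNs awaiting handshake completion
        self.open = defaultdict(int)        # ip -> established TCP connections
        self.udp = defaultdict(deque)       # ip -> UDP session ids, oldest first

    def _limit(self, ip, name, default):
        return self.exceptions.get(ip, {}).get(name, default)

    def tcp_syn(self, ip, now):
        """Decide on a new TCP connect request from ip at time now (seconds)."""
        window = self.connects[ip]
        while window and now - window[0] >= 60:   # slide the one-minute window
            window.popleft()
        if len(window) >= self._limit(ip, "rate", TCP_RATE_PER_MINUTE):
            return RATE_EXCEEDED
        concurrent = self._limit(ip, "concurrent", TCP_CONCURRENT)
        # Half-open quota is fixed at half the concurrent limit and has no exceptions.
        if self.half_open[ip] >= concurrent // 2 or self.open[ip] + self.half_open[ip] >= concurrent:
            return QUOTA_EXCEEDED
        window.append(now)
        self.half_open[ip] += 1
        return "ACCEPTED"

    def tcp_established(self, ip):   # handshake completed
        self.half_open[ip] -= 1
        self.open[ip] += 1

    def tcp_closed(self, ip):        # connection torn down
        self.open[ip] -= 1

    def udp_session(self, ip, session_id):
        """Admit a UDP session; when the quota is full, close and return the oldest one."""
        sessions = self.udp[ip]
        evicted = None
        if len(sessions) >= self._limit(ip, "udp", UDP_CONCURRENT):
            evicted = sessions.popleft()
        sessions.append(session_id)
        return evicted
```

Note that the SYN flood case is stopped by the fixed half-open quota (80 with default settings) long before the 600-per-minute rate limit is reached.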
Configure alerts
As an administrator you want to know when flood attacks or spoofing attacks occur. ISA Server 2006 allows you to configure alert definitions that notify you via e-mail, the event log and more.
Figure 6: Configure alert definitions
You can create notifications for several alerts, such as SYN attacks and connections exceeding the limit per second or per IP address.
Figure 7: Configure alert definitions for high TCP connections per minute
Logging Flood Mitigation
ISA Server 2006 logs connections it refuses or drops under flood mitigation with the result codes shown in the following table.
Result code | Hex ID | Details
WSA_RWS_QUOTA | 0x80074E23 | A connection was refused because a quota was exceeded.
FWX_E_RULE_QUOTA_EXCEEDED_DROPPED | 0xC0040033 | A connection was rejected because the maximum number of connections created per second for this rule was exceeded.
FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED | 0xC0040037 | A connection was rejected because the maximum connection rate for a single client host was exceeded.
FWX_E_DNS_QUOTA_EXCEEDED | 0xC0040035 | A DNS query could not be performed because the query limit was reached.
Table 4: ISA Flood Mitigation logging (Source: Microsoft)
Conclusion
Microsoft ISA Server 2006 introduces a new feature called Flood Mitigation. With Flood Mitigation you can limit the number of concurrent TCP and UDP sessions, which helps limit the effects of attacks on ISA Server such as SYN attacks, worm attacks and many other known attacks.