TMG Firewall Flood Mitigation (Part 1)
Network flood attacks are among the most common types of attacks you’ll see on the Internet and the intranet, although you might know them by another name. Denial of Service (DoS) results when an infected computer, a botnet or even an individual attacker floods the network or a service with such a large amount of traffic that it disrupts communications to a computer or network.
Effects of a flood attack
Flood attacks can be carried out over a number of different transports. For example, an attacker can disrupt a network by targeting a specific IP address or host name and opening multiple TCP connections to it, inundating it with an excessive number of SYN packets. This kind of “SYN flood” might lead to the following symptoms:
- High CPU load on the victim computer. The targeted computer will have to allocate processor resources to handle each half-open connection. Depending on the speed and number of packets, the processor can be overwhelmed with requests and will not be able to service other requests from critical processes running on the computer.
- High memory consumption on the victim computer. Each half-open connection requires a small allocation of memory, which is obtained from the non-paged pool. This pool is smaller than the total amount of memory in the machine, and thus can be exhausted more quickly than the total RAM, causing a DoS on the victim computer.
- Heavy disk load and resource consumption on the victim computer. The half-open connections can be logged and if they come in fast enough, this can overwhelm the ability to log these connections or may consume disk space to the extent that the machine will no longer be able to provide the disk space required for normal operations.
- High network bandwidth consumption. Flood attacks not only affect available bandwidth to the targeted computer(s), but potentially can impact any host computer that lies in the path between the attacker and the victim machine.
TMG firewall mitigation
The TMG firewall enables you to configure connection limits to protect the TMG system itself as well as the networks that the TMG firewall is protecting from various forms of floods and worm propagation through flooding. With TMG flood mitigation, you can specify the maximum number of concurrent connections to be allowed from a specific address over the space of one minute. When the maximum number of allowed concurrent connections is reached, any additional traffic will be denied for the remainder of that minute.
Flood mitigation has default settings that define the connection limits for machines that connect to or through the TMG firewall. The default settings are based on tests that were performed by the Microsoft TMG Firewall team and they reflect what the team considers to be typical values that will allow the TMG firewall to stand up to attack.
To configure the flood mitigation settings, click the Intrusion Prevention System node in the left pane of the TMG firewall console, as shown in Figure 1. Then click the Configure Flood Mitigation Settings link that you see in the middle pane of the console.
This will open up the Flood Mitigation dialog box, as seen in Figure 2 below.
You can also set the connection limits for a number of different types of traffic, except for the maximum number of half-open TCP connections, because this is automatically calculated and set by TMG based on the maximum concurrent TCP connections per IP address, as shown in Figure 3 below.
For most of the configuration options that you have available for setting connection limits, you will also see a Custom Limit option that applies to IP exceptions. The reason that you need to be able to configure IP exceptions is because certain computers often require an unusually large number of open connections. For example, this is the case with a DNS server that the TMG firewall is configured to use for name resolution that it performs on behalf of its web proxy and firewall clients.
If the TMG firewall has name-based access rules, it will query its DNS server heavily and so it might reach the maximum number of allowed connections within the predefined time period. However, you can designate specific computers or IP addresses as exceptions and define higher connection limits for those computers (the custom limit shown in Figure 4) by placing them in the IP exceptions list.
Types of flood attacks
The following table describes possible flood attacks and how the TMG firewall can help protect against them.
| Attack | TMG Mitigation | Default Values |
|---|---|---|
| Flood Attack (1): A specific IP address attempts to connect to various IP addresses, causing a flood of connection attempts and disconnections. | TCP connect requests per minute, per IP address: TMG will only allow a specified number of TCP requests from a specific IP address over the course of a minute, after which requests from that address will be blocked for the remainder of that minute. | By default TMG limits the number of TCP requests per client to 600 per minute. By default the custom limit applying to the IP exception list is set to 6,000 connection requests per minute. |
| Flood Attack (2): A specific IP address attempts to flood either TMG or a server protected by TMG by opening multiple TCP connections concurrently. | TCP concurrent connections per IP address: TMG will limit the concurrent connections allowed per IP address to prevent a host from opening multiple TCP connections concurrently. | By default TMG limits the number of concurrent TCP connections per client to 160. By default the custom limit applying to IP exceptions is 400 concurrent connections per client. |
| Half Open Attack: An attacker attempts to flood either the TMG firewall or a server protected by the TMG firewall by sending numerous SYN packets in rapid succession, accepting the TMG SYN_ACK response but not providing an ACK to the TMG SYN_ACK response, and therefore not completing the TCP 3-way handshake. | TCP half-open connections: The TMG firewall limits the number of half-open connections by monitoring the state of the connections and closing any half-open connections that exceed the defined limit. | By default the TMG firewall limits the number of half-open connections to half the total number of TCP concurrent connections per IP address. You cannot modify this default setting without changing the TCP concurrent connections per IP address limit. |
| Denial of Service (DoS) attack using HTTP: An attacker attempts to launch a DoS attack by sending numerous HTTP connection requests in succession. | HTTP requests per minute, per IP address: The TMG firewall mitigates this attack by only allowing a predefined number of HTTP requests per minute from a specific IP address. | The TMG firewall limits the number of HTTP requests per client to 600 requests per minute by default. The default custom limit applying to IP exceptions is 6,000 HTTP requests per client per minute. |
| Denial of Service (DoS) non-TCP attack: An attacker uses an infected computer to send numerous non-TCP packets, such as ICMP, in succession to flood the network or a server. | Non-TCP new sessions per minute, per rule: If a non-TCP session is allowed by a rule, the TMG firewall limits the number of new sessions per rule over the course of a minute. | The TMG firewall limits the number of new non-TCP sessions to 1,000 per minute for specific rules by default. |
| User Datagram Protocol (UDP) flood attack: An attacker sends numerous UDP packets to the target or victim computer, causing flooding. | UDP concurrent sessions per IP address: The TMG firewall limits the number of concurrent UDP connections per IP address. In case of a UDP flood attack, TMG discards all older sessions so that no more than the specified number of connections are allowed concurrently. | The TMG firewall limits the number of concurrent UDP sessions per IP address to 160 by default. The custom limit applying to IP exceptions is 400 concurrent UDP sessions per IP address by default. |
When the TMG firewall blocks a connection after it exceeds its connection limit, that client remains blocked for the remainder of the minute.
For example, if the connection limit for concurrent TCP connections is 1000 and the client reaches 1000 concurrent TCP connections in 45 seconds, it is then blocked for the remaining 15 seconds.
For TCP connections, no new connections are accepted from the source IP address of the attacker after the flood mitigation limit is exceeded. For non-TCP connections (e.g., raw IP and UDP), existing connections are torn down when the flood mitigation limit is exceeded, which allows newer connections to be created.
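As an added illustration (not TMG's own code or configuration), the following Python model reproduces the per-IP TCP connect-request limit and the block-for-the-remainder-of-the-minute behaviour described above, using the default and custom limits from the table; the host addresses and the traffic rate are constructed for the scenario.

```python
from collections import defaultdict

# Default limits from the table, and the custom limits that apply to the IP exceptions list.
DEFAULT_LIMITS = {"tcp_connects_per_minute": 600, "tcp_concurrent": 160}
CUSTOM_LIMITS = {"tcp_connects_per_minute": 6000, "tcp_concurrent": 400}

class TcpFloodLimiter:
    """Illustrative model (not TMG's own code) of the per-IP TCP connect-request limit:
    count requests per source IP per minute, drop the rest of that IP's requests for the
    remainder of the minute, and apply the higher custom limit to IP exceptions."""

    def __init__(self, ip_exceptions=()):
        self.ip_exceptions = set(ip_exceptions)
        self.connects = defaultdict(int)  # (ip, minute index) -> connect requests counted
        self.blocked_until = {}           # ip -> time (seconds) at which the block lapses

    def limits(self, ip):
        return CUSTOM_LIMITS if ip in self.ip_exceptions else DEFAULT_LIMITS

    def half_open_limit(self, ip):
        # Derived by TMG: half the concurrent-TCP limit, not separately configurable.
        return self.limits(ip)["tcp_concurrent"] // 2

    def tcp_connect(self, ip, t):
        """Return True if a connect request from ip at time t (seconds) is admitted."""
        minute = int(t // 60)
        if self.blocked_until.get(ip, 0) > t:
            return False  # still inside the minute in which the limit was exceeded
        self.connects[(ip, minute)] += 1
        if self.connects[(ip, minute)] > self.limits(ip)["tcp_connects_per_minute"]:
            self.blocked_until[ip] = (minute + 1) * 60  # blocked until the next minute starts
            return False
        return True

def simulate(limiter, ip, rate_per_second, seconds):
    """Send rate_per_second connect requests every second; return (admitted, dropped)."""
    admitted = dropped = 0
    for s in range(seconds):
        for k in range(rate_per_second):
            if limiter.tcp_connect(ip, s + k / rate_per_second):
                admitted += 1
            else:
                dropped += 1
    return admitted, dropped

if __name__ == "__main__":
    # Constructed scenario: 20 SYNs/second for two minutes; 10.0.0.53 models a DNS server on the IP exceptions list.
    limiter = TcpFloodLimiter(ip_exceptions={"10.0.0.53"})
    print(simulate(limiter, "10.0.0.7", 20, 120))   # (1200, 1200): 600 admitted each minute
    print(simulate(limiter, "10.0.0.53", 20, 120))  # (2400, 0): custom limit of 6,000 never hit
```

The ordinary host is admitted for the first 600 requests of each minute and dropped for the rest of it, while the exception host never reaches its 6,000 custom limit.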
In this first part of our two-part series on TMG firewall flood mitigation, we began the discussion with a short description of flood attacks and how flood attacks can create DoS conditions for the TMG firewall or for hosts that are protected by the TMG firewall. We then saw how the TMG firewall can be configured to protect itself and the hosts that it protects against flood attacks that can create a DoS situation using a number of different methods. The TMG firewall can limit the number of connections per minute, and can also limit the number of connections and packets per minute for a number of transports. When a host is identified as having violated a connection limit, that host is blocked for a period of time from sending any traffic to or through the TMG firewall. The exact behavior is determined by the type of flood and the transport used.
In the second part of this series, we’ll continue our examination of the TMG firewall’s flood mitigation features by exploring how to configure IP exceptions to connection limits, and we’ll look at the SIP flood mitigation and finish up with the out-of-the-box flood protection features that do not require you to configure any settings. See you then! –Deb.