Connection Limits
Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service. Connection limits are applied to requests from internal Forefront TMG Client and Firewall Client computers, as well as internal client computers configured as SecureNAT clients and Web Proxy clients, in forward proxy scenarios and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses and helps administrators identify IP addresses that generate excessive traffic, which may be a symptom of a worm, virus, or spyware infection.
A connection limit policy can be configured for a Forefront TMG array by setting the properties of the FPCConnectionLimitPolicy object. A connection limit policy includes the following connection limits.
- Default connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not configured as a special IP address. These include connection limits for TCP connections, for UDP connections, and for ICMP and other raw IP connections.
- Custom connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single special IP address. These include connection limits for TCP connections, for UDP connections, and for ICMP and other raw IP connections.
- A connection limit that restricts the total number of UDP, ICMP, and other raw IP connections that may be created for a single server publishing or access rule during one second.
When the TCP connection limit for an IP address is reached, no additional TCP connections are allowed for the IP address.
The UDP connection limit applies to connection mappings, rather than to connections. When the UDP connection limit for an IP address is reached and an attempt is made to create an additional UDP connection from that IP address, the oldest UDP connection that was created from the applicable IP address is closed, and the new connection is established.
A special IP address typically specifies a Web server or a chained proxy server, which would require many more connections than most other IP addresses. IP addresses are configured as special IP addresses by including them in a computer set that is referenced by the collection held in the SpecialComputerSets property.
When the limit that restricts the number of connections created for a single rule during the current second is reached, no new connections will be created for traffic that has no connection associated with it, the packets will be dropped, and Forefront TMG will generate an event that can trigger a Connection Limit for a Rule Exceeded alert. After the current second passes, the counter is reset, and new connections can be created during the next second until the limit is reached again.
An additional connection limit can be defined in the FPCWebListenerProperties object for each Web listener and each network from which outgoing Web requests can be sent. These connection limits are not included in the policy defined by the FPCConnectionLimitPolicy object.
Flood Mitigation
Forefront TMG includes a flood mitigation feature that uses connection limits to mitigate connection flooding so that Forefront TMG can continue to function, even under a flood attack. This is accomplished by identifying and blocking clients that generate excessive traffic.
The following table lists the flood mitigation settings on the Flood Mitigation page in Forefront TMG Management, the administration COM object that provides access to the corresponding property, and the corresponding administration COM property.
Setting in Forefront TMG Management | Administration COM object | Property |
---|---|---|
Mitigate flood attacks and worm propagation | FPCConnectionLimitPolicy | Enabled |
Maximum TCP connect requests per minute per IP address | FPCConnectionLimit | TcpLimitPerMinute |
Maximum concurrent TCP connections per IP address | FPCConnectionLimit | TcpLimit |
Maximum half-open TCP connections | FPCConnectionLimit | Automatically calculated as half of the value of the TcpLimit property. |
Maximum HTTP requests per minute per IP address | FPCConnectionLimit | HttpLimitPerMinute |
Maximum new non-TCP sessions per minute per rule | FPCConnectionLimitPolicy | RulePerSecondLimit |
Maximum concurrent UDP sessions per IP address | FPCConnectionLimit | UdpLimit |
Specify how many denied packets trigger an alert | FPCConnectionLimitPolicy | LoggedDeniedPerMinute |
Log traffic blocked by flood mitigation settings | FPCConnectionLimitPolicy | LogQuotaRejectedTraffic |
IP Exceptions | FPCConnectionLimitPolicy | SpecialComputerSets |
Note Custom limits are applied to clients belonging to the computer sets listed on the IP Exceptions tab only for the flood mitigation settings that correspond to properties accessed through the FPCConnectionLimit object.
Build date: 7/12/2010