Flood Mitigation

Intrusion Prevention – Flood Mitigation Settings

Forefront TMG protects your system from flood attacks. Flood attacks are attempts by malicious users to attack a network, for example through an HTTP denial-of-service attack, a SYN attack, or worm propagation.

The default TMG flood mitigation settings are set to ensure that Forefront TMG can continue to function under a flood attack; there are some actions you can take during an attack that can further mitigate its effect.

The Intrusion Prevention System may also introduce a problem: you may come across user reports that they lose their Internet connection (cannot access web sites) for some time while they are still able to connect to other resources on the network.

The client has no network problems and you are able to establish an RDP connection to the workstation; the problem affects only HTTP/HTTPS requests.

Then, when you check the TMG, you may find alerts reading “HTTP Request limit exceeded”.

This problem is caused by the Intrusion Prevention System: the default flood mitigation settings are set to ensure that Forefront TMG can continue to function under a flood attack, and the default maximum number of TCP and HTTP connections per minute is 600.

To resolve this problem, you must change the default settings.

1- In the Forefront TMG Management console, click Intrusion Prevention System, and then click the Behavioral Intrusion Detection tab.
2- In the details pane, click Configure Flood Mitigation Settings.

3- On the Flood Mitigation tab, verify that Mitigate flood attacks and worm propagation is selected. (Selected by default)
To modify the settings for each connection limit, click Edit.
Modify the settings for “Maximum TCP connect requests per minute per IP address” and “Maximum HTTP requests per minute per IP address” to 800-1000.

Save and apply
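
Before raising the limits, it helps to know how far above 600 the affected clients actually go. The following is an added example, not part of the original post: it counts requests per client per calendar minute from a constructed tab-separated log (timestamp, client IP, URL; not TMG's native log format) and compares each client's peak with the default 600 and an assumed new value of 1000. The fixed calendar-minute window and all function names are assumptions.

```python
from collections import Counter
from datetime import datetime

CURRENT_LIMIT = 600    # default per-IP, per-minute limit stated in the post
PROPOSED_LIMIT = 1000  # assumed new value, upper end of the post's 800-1000 range

def peak_per_minute(lines):
    """Return {client_ip: highest request count seen in any one calendar minute}."""
    buckets = Counter()
    for line in lines:
        fields = line.strip().split("\t")
        try:
            ts = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
            ip = fields[1]
        except (ValueError, IndexError):
            continue  # header, blank or malformed row
        buckets[(ip, ts.replace(second=0))] += 1
    peaks = {}
    for (ip, _minute), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def classify(peaks, current=CURRENT_LIMIT, proposed=PROPOSED_LIMIT):
    """Label each client by whether the current and proposed limits would cut it off."""
    verdicts = {}
    for ip, peak in peaks.items():
        if peak <= current:
            verdicts[ip] = "within current limit"
        elif peak <= proposed:
            verdicts[ip] = "fixed by raising limit"
        else:
            verdicts[ip] = "exceeds proposed limit: investigate host"
    return verdicts

def sample_log():
    """Constructed sample data: three clients, each burst inside a single minute."""
    rows = ["#time\tclient_ip\turl"]
    for ip, minute, n in [("10.0.0.5", "09:15", 40), ("10.0.0.21", "09:15", 650),
                          ("10.0.0.37", "09:16", 1200)]:
        rows += [f"2024-01-10 {minute}:{i % 60:02d}\t{ip}\thttp://example.test/{i}"
                 for i in range(n)]
    return rows

if __name__ == "__main__":
    for ip, verdict in sorted(classify(peak_per_minute(sample_log())).items()):
        print(ip, verdict)
```

A client that still exceeds the raised limit is better checked for worm activity than accommodated with an even higher number.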

For more information, see:

Planning to protect against denial of service flood attacks
