Connection Limits

Internet Security and Acceleration Server 2004/2006 SDK

ISA Server provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web Proxy clients in forward proxy scenarios and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses and helps administrators identify IP addresses that generate excessive traffic, which may be a symptom of a worm, virus, or spyware infection.

A connection limit policy can be configured for an ISA Server array by setting the properties of the FPCConnectionLimitPolicy object. A connection limit policy includes the following connection limits.

  • Default connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not configured as a special IP address. These include connection limits for TCP connections, for UDP connections, and for ICMP and other raw IP connections.
  • Custom connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single special IP address. These include connection limits for TCP connections, for UDP connections, and for ICMP and other raw IP connections.
  • A connection limit that restricts the total number of UDP, ICMP, and other raw IP connections that may be created for a single server publishing or access rule during one second.

When the TCP connection limit for an IP address is reached, no additional TCP connections are allowed for the IP address.

The UDP connection limit applies to connection mappings, rather than to connections. When the UDP connection limit for an IP address is reached and an attempt is made to create an additional UDP connection from that IP address, the oldest UDP connection that was created from the applicable IP address is closed, and the new connection is established.

A special IP address typically specifies a Web server or a chained proxy server, which would require many more connections than most other IP addresses. IP addresses are configured as special IP addresses by including them in a computer set that is referenced by the collection held in the SpecialComputerSets property.

When the limit that restricts the number of connections created for a single rule during the current second is reached, no new connections will be created for traffic that has no connection associated with it, the packets will be dropped, and ISA Server will generate an event that can trigger a Connection Limit for a Rule Exceeded alert. After the current second passes, the counter is reset, and new connections can be created during the next second until the limit is reached again.

An additional connection limit can be defined in the FPCWebListenerProperties object for each Web listener and each network from which outgoing Web requests can be sent. These connection limits are not included in the policy defined by the FPCConnectionLimitPolicy object.

Flood Mitigation

ISA Server 2006 introduces a flood mitigation feature that uses connection limits to mitigate connection flooding so that ISA Server can continue to function, even under a flood attack. This is accomplished by identifying and blocking clients that generate excessive traffic.

The following table lists the flood mitigation settings on the Flood Mitigation page in ISA Server Management, the administration COM object that provides access to the corresponding property, and the corresponding administration COM property.

Setting in ISA Server Management Administration COM object Property
Mitigate flood attacks and worm propagation FPCConnectionLimitPolicy Enabled
Maximum TCP connect requests per minute per IP address FPCConnectionLimit TcpLimitPerMinute (introduced in ISA Server 2006)
Maximum concurrent TCP connections per IP address FPCConnectionLimit TcpLimit
Maximum half-open TCP connections FPCConnectionLimit Automatically calculated as half of the value of the TcpLimit property.
Maximum HTTP requests per minute per IP address FPCConnectionLimit HttpLimitPerMinute (introduced in ISA Server 2006)
Maximum new non-TCP sessions per minute per rule FPCConnectionLimitPolicy RulePerSecondLimit
Maximum concurrent UDP sessions per IP address FPCConnectionLimit UdpLimit
Specify how many denied packets trigger an alert FPCConnectionLimitPolicy LoggedDeniedPerMinute (introduced in ISA Server 2006)
Log traffic blocked by flood mitigation settings FPCConnectionLimitPolicy LogQuotaRejectedTraffic (introduced in ISA Server 2006)
IP Exceptions FPCConnectionLimitPolicy SpecialComputerSets

Note  Custom limits are applied to clients belonging to the computer sets listed on the IP Exceptions tab only for the flood mitigation settings that correspond to properties accessed through the FPCConnectionLimit object.

Show: