Trusted Proxy Servers Can Appear to be Launching Flood or DoS Attacks

When users in a large organization simultaneously access a Web server published by ISA Server through a single proxy server in their organization, their requests are all sent to your ISA Server computers from the IP address of the organization’s proxy server. If the number of users in one organization that simultaneously access the published Web site exceeds a connection limit that ISA Server uses to detect flood or DoS attacks, ISA Server will block all requests from the organization until the connection limit is no longer exceeded.

The ISA Server connection limits are applied to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios and to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web Proxy clients in forward proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses and can help you identify IP addresses that generate excessive traffic, which may be a symptom of a worm, virus, or spyware infection.

When numerous requests arrive from the IP address of a proxy server in a trusted organization, the TCP connection limits in the following table may be exceeded.

| Connection limit | Defaults |
|---|---|
| Maximum TCP connect requests per minute per IP address (introduced in ISA Server 2006) | By default, ISA Server limits the number of TCP requests from the same IP address to 600 per minute. You can configure a custom limit for specific IP addresses. By default, this limit is set to 6,000 requests per minute. |
| Maximum concurrent TCP connections per IP address | By default, ISA Server limits the number of TCP concurrent connections from the same IP address to 160. You can configure a custom limit for specific IP addresses. By default, this limit is set to 400 concurrent connections. |
| Maximum HTTP requests per minute per IP address (introduced in ISA Server 2006) | By default, ISA Server limits the number of HTTP requests from the same IP address to 600 requests per minute. You can configure a custom limit for specific IP addresses. By default, this limit is set to 6,000 requests per minute. |

For more detailed information about all the connection limits that ISA Server 2006 uses to mitigate attacks, see ISA Server Network Protection: Protecting against Floods and Attacks.

To prevent ISA Server 2006 from blocking requests from trusted proxy servers, you can add a computer set that includes the IP addresses of the proxy servers to the list on the IP Exceptions tab of the Flood Mitigations settings in ISA Server Management. The custom limits (for example, 400 concurrent TCP connections) will then apply to these IP addresses. You can also change a custom limit by clicking Edit for the applicable limit.
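The following Python script is an added illustration, not ISA Server code: it replays constructed connect attempts against the per-minute, per-IP limit quoted above (600 by default, 6,000 for addresses on the IP Exceptions tab) to show why a single trusted proxy carrying 900 users trips the default limit and why listing it as an exception stops the blocking. The sliding one-minute window, the TEST-NET addresses and the choice to count denied attempts are assumptions made for the model.

```python
from collections import defaultdict, deque

# Per-IP limits quoted on the page: the ordinary default, and the custom limit
# that applies to IP addresses listed on the IP Exceptions tab.
DEFAULT_PER_MINUTE = 600
CUSTOM_PER_MINUTE = 6000


def check_connect_rate(events, ip_exceptions):
    """Replay connect attempts against the per-minute, per-IP limit.

    events: (seconds, client_ip) tuples in time order.
    ip_exceptions: IPs in the computer set added on the IP Exceptions tab.
    Returns {ip: number_of_blocked_attempts}. The sliding one-minute window and
    counting denied attempts are modelling assumptions, not ISA Server's exact algorithm.
    """
    window = defaultdict(deque)   # ip -> timestamps of attempts in the last 60 s
    blocked = defaultdict(int)
    for ts, ip in events:
        limit = CUSTOM_PER_MINUTE if ip in ip_exceptions else DEFAULT_PER_MINUTE
        recent = window[ip]
        while recent and ts - recent[0] >= 60:   # expire attempts older than a minute
            recent.popleft()
        recent.append(ts)
        if len(recent) > limit:   # the 601st (or 6,001st) attempt within a minute is denied
            blocked[ip] += 1
    return dict(blocked)


def burst(ip, count, span=60.0):
    """Constructed traffic: `count` connect attempts from `ip` spread evenly over `span` seconds."""
    return [(i * span / count, ip) for i in range(count)]


# Constructed scenario: 900 users behind one organisation's proxy (a TEST-NET address)
# open the published site within the same minute, plus one ordinary client making 50 requests.
PROXY_IP = "203.0.113.10"
TRAFFIC = sorted(burst(PROXY_IP, 900) + burst("198.51.100.7", 50))


def proxy_without_exception():
    return check_connect_rate(TRAFFIC, ip_exceptions=set())


def proxy_with_exception():
    return check_connect_rate(TRAFFIC, ip_exceptions={PROXY_IP})


if __name__ == "__main__":
    print("no exception:  ", proxy_without_exception())   # {'203.0.113.10': 300}
    print("with exception:", proxy_with_exception())      # {}
```

The same replay shows that the custom limit still applies to an excepted address: 6,500 attempts in one minute from the proxy would have the last 500 denied.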

You can identify the IP addresses of the proxy servers in large organizations where many users simultaneously access your published Web site by looking at the ISA Server logs and reports.

However, if you need to be more proactive and not wait until you can identify the IP addresses of the proxy servers in large organizations from the logs and reports, you can do one of the following:

  • Add a computer set that includes all external IP address ranges to the list on the IP Exceptions tab of the Flood Mitigations settings. If necessary, you can also increase the applicable custom connection limits.
  • Increase the applicable ordinary connection limits. Note that this will also increase these connection limits for internal hosts in your organization that may be infected.
  • Disable all connection limits by clearing the Mitigate flood attacks and worm propagation check box. Note that this will also disable the protection against attacks by infected computers in your organization.

Bear in mind, however, that under ordinary circumstances the default connection limit settings provide for protection from flood and other attacks and do not interfere with user access even from large organizations with proxy servers. These default settings should not be changed without good reason.

Gabriel Koren,

ISA Server Team