Suliman Abu Kharroub asked:
Forefront TMG detected a possible SYN attack and will protect the network accordingly.

Hello

I have a TMG serving about 200 clients accessing the internet (all of them SecureNAT). When this alert occurred, the server disconnected users from accessing the internet.
How can I find out the source of this SYN attack? And how do I protect the FTMG server against this attack?

Note: ISA 2006 shows the source IP address of a SYN attack, but TMG does not!

Thanks in advance.
Mohamed Khairy:

You can find the source of the attack by configuring alert definitions to alert you via e-mail, event log and many more. To configure alerts, start the TMG management console, navigate to the Monitoring node, select the Alerts tab and in the task pane click Configure Alert Definitions as shown below:
[screenshot: Configure Alert Definitions in the Alerts task pane]
Suliman Abu Kharroub (asker):

Thank you dear for your response.

I have already configured the alert to send email.

What I need is to configure the TMG server to generate the alert in the same way ISA 2006 displays it (including the SYN attack source IP address).

Finally, I figured out the sources are iPhone mobiles; I'm not sure which application causes the problem. I will post here when I catch it.

Thanks for the help.
iPhone mobiles... very weird issue?

I will wait to see your post
Most likely the cause is Facebook notifications!
I have the same issues here. Can someone give some more details? Did you confirm these reasons? What did you do about it?
Hi GrdiRuda,

Actually, iPhone notifications cause another alert which is very similar to the one in this question.

iPhone notifications cause an alert that says "possible Internet Protocol (IP) half-scan attack from IP ", which will not disconnect users from accessing the internet.

But this alert, "Forefront TMG detected a possible SYN attack and will protect the network accordingly.", will disconnect users from internet access and will isolate the entire internal network.

My final decision was to downgrade to ISA 2006 until I can find a solution.

I have read a lot of articles about SYN attacks and how TMG deals with them, but nothing helped.

I am so happy with ISA 2006..
BTW: I will keep this thread open in case other experts can help ...
Did you try the "Request attention" link? I have the same issue here on our network and we have frequent "lock-downs".

How did you find the source of the SYN attack generators?
Did you find any options to change the behavior of TMG when a SYN attack occurs? Anything?

No, I didn't.

If you go to the TMG alert definitions you will find two different alerts:

1. SYN attack, for which I haven't found a solution yet.

2. Intrusion detected, which is caused by iPhone notifications (IP half-scan).

[screenshots of the two alert definitions: syn.PNG and int.PNG]

For the IP half-scan, TMG will show the source IP address in the alert.

But for the SYN attack alert, TMG does not show anything related, so I am asking a question here :)

So, after all it looks like the "SYN attack" messages are not shown because of the network activity on the "internal" part of the network. (iPhones aren't the culprit.)
The message states: "Description: Forefront TMG detected a possible SYN attack and will protect the network accordingly."

What does this mean: "will protect the network"? All I could find is this:

SYN attack - A malicious client tries to flood TMG Server with a large amount of half-open TCP connections.
TMG mitigates SYN attacks. An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.

TMG limits the number of concurrent half-open TCP connections to half the number of concurrent connections configured for concurrent TCP connections. This setting cannot be changed.

Maximum half-open TCP connections setting:

Mitigates SYN attacks by blocking requests from an IP address with which more than the specified number of half-open TCP connections exist. This limit is automatically calculated as half of the value of the Maximum concurrent TCP connections per IP address.

In some other Experts Exchange articles, experts are considering torrent applications as the culprit for the lock-downs. Did you ever enable any rules for torrent applications? Did you try to block them? Do you remember anything?
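To make the two limits quoted in the post above concrete, here is an added illustration (not code from the thread, from Microsoft, or from TMG itself) that applies the same per-source accounting to a constructed connection-table snapshot. It models a "half-open" connection as one that has received a SYN but whose handshake was never completed, derives the half-open limit as half of the per-IP concurrent TCP limit, and reports which internal source addresses would trip the SYN alert versus the separate "concurrent TCP connections exceeded" alert that torrent clients tend to raise. The configured value of 160, the state names, and the client addresses are all assumptions made for the example; the real per-IP limit has to be read from your own TMG flood-mitigation settings.

```python
"""Per-source half-open TCP accounting in the style of TMG flood mitigation.

Constructed illustration added to this thread; not TMG code.  It applies two
per-source limits to a made-up connection-table snapshot so that each alert
can be tied to the internal address that triggered it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed configured value of "Maximum concurrent TCP connections per IP
# address".  Read the real value from your own TMG flood-mitigation settings.
MAX_CONCURRENT_TCP_PER_IP = 160


@dataclass(frozen=True)
class Conn:
    """One entry of a (constructed) TCP connection table."""
    src: str    # internal client address
    dst: str
    dport: int
    state: str  # "SYN_RECEIVED": handshake not completed (half-open)
                # "ESTABLISHED":  handshake completed


def half_open_limit(max_concurrent: int) -> int:
    """TMG derives the half-open limit as half of the per-IP concurrent limit."""
    return max_concurrent // 2


def half_open_counts(conns: Iterable[Conn]) -> Counter:
    """Half-open connections per source: a SYN was seen but no ACK completed it."""
    return Counter(c.src for c in conns if c.state == "SYN_RECEIVED")


def total_counts(conns: Iterable[Conn]) -> Counter:
    """All concurrent TCP connections per source, regardless of state."""
    return Counter(c.src for c in conns)


def syn_flood_sources(conns: Iterable[Conn],
                      max_concurrent: int = MAX_CONCURRENT_TCP_PER_IP) -> Dict[str, int]:
    """Sources whose half-open count exceeds the half-open limit (the SYN alert)."""
    limit = half_open_limit(max_concurrent)
    return {src: n for src, n in half_open_counts(conns).items() if n > limit}


def concurrent_limit_sources(conns: Iterable[Conn],
                             max_concurrent: int = MAX_CONCURRENT_TCP_PER_IP) -> Dict[str, int]:
    """Sources whose total connection count exceeds the per-IP limit
    (the separate 'concurrent TCP connections exceeded' alert)."""
    return {src: n for src, n in total_counts(conns).items() if n > max_concurrent}


def build_sample() -> List[Conn]:
    """Constructed snapshot: three internal clients with different behaviour."""
    conns: List[Conn] = []
    # 10.0.0.55: 90 connections stuck in SYN_RECEIVED -> over the 80 half-open limit
    for i in range(90):
        conns.append(Conn("10.0.0.55", "203.0.113.10", 80 + (i % 3), "SYN_RECEIVED"))
    # 10.0.0.20: ordinary browsing, mostly completed handshakes, a few pending
    for i in range(40):
        conns.append(Conn("10.0.0.20", "198.51.100.%d" % (i % 7), 443, "ESTABLISHED"))
    for _ in range(5):
        conns.append(Conn("10.0.0.20", "198.51.100.9", 443, "SYN_RECEIVED"))
    # 10.0.0.31: peer-to-peer style, 170 completed connections to many peers
    for i in range(170):
        conns.append(Conn("10.0.0.31", "192.0.2.%d" % (i % 200), 6881 + (i % 10), "ESTABLISHED"))
    return conns


if __name__ == "__main__":
    sample = build_sample()
    print("half-open limit:", half_open_limit(MAX_CONCURRENT_TCP_PER_IP))
    print("SYN alert sources:", syn_flood_sources(sample))
    print("concurrent-limit alert sources:", concurrent_limit_sources(sample))
```

Run against the constructed snapshot, only 10.0.0.55 crosses the half-open limit of 80, while the torrent-like 10.0.0.31 never does despite holding more connections than anyone else; it trips the per-IP concurrent limit instead. That is the distinction the thread keeps circling: a client with many completed connections and a client with many incomplete handshakes raise different alerts, and the fix for one does not touch the other.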
My initial guess was torrent applications, but I tested all cases by enabling/disabling and allowing/denying torrents; nothing really works.

BTW: torrent applications produce another error (you can see it on the Alerts tab): concurrent TCP connections from one IP address exceeded the limit.
ASKER CERTIFIED SOLUTION by Rikard Micek
@GrdiRuda:

Yes it is, and I participated in your thread :-) which makes sense... To be honest, points should be awarded to "voznaj", shouldn't they?...

Thanks all for your efforts.
Thanks man..