Solved

Forefront TMG detected a possible SYN attack and will protect the network accordingly.

Posted on 2010-11-08
17
6,277 Views
Last Modified: 2012-05-10
Hello

I have a TMG serving about 200 clients accessing the internet (all of them SecureNAT). When this alert occurs, the server disconnects users from accessing the internet.
How can I find out the source of this SYN attack? And how can I protect the FTMG server against this attack?

Note: ISA 2006 shows the source IP address of the SYN attack, but TMG does not!


thanks in advance.
Question by:Suliman Abu Kharroub
17 Comments
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 34098819
You can find the source of the attack by configuring alert definitions to alert you via e-mail, event log and many more. To configure alerts, start the TMG management console, navigate to the Monitoring node, select the Alerts tab and in the task pane click Configure Alert Definitions, as shown below:




image0161249907498276.jpg
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 34098820
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34100552
Thank you for your response.

I have already configured the alert to send email.

What I need is to configure the TMG server to generate the alert in the same way ISA 2006 displays the alert (including the SYN attack source IP address).


 
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34259088
Finally, I figured out the source is iPhone mobiles; not sure which application causes the problem. I will post here when I catch it.

Thanks for the help.
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 34268931
iPhone mobiles... very weird issue?

I will wait to see your post.
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34273872
Most likely the cause is Facebook notifications!
0
 
LVL 1

Expert Comment

by:Ivica Vugrinec
ID: 34523860
I have the same issues here. Can someone give some more details? Did you confirm these reasons? What did you do about it?
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34524826
Hi GrdiRuda,

Actually, iPhone notifications cause another alert which is very similar to the one in this question.

iPhone notifications cause an alert that says "possible Internet Protocol (IP) half-scan attack from IP", which will not disconnect users from accessing the internet.

But this alert, "Forefront TMG detected a possible SYN attack and will protect the network accordingly.", will disconnect users from internet access and will isolate the entire internal network.

My final decision was to downgrade to ISA 2006 until I can find a solution.

I read a lot of articles about SYN attacks and how TMG deals with them, but nothing helped.

I am so happy with ISA 2006..
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34524837
BTW: I will keep this thread open in case other experts can help ...
0
 
LVL 1

Expert Comment

by:Ivica Vugrinec
ID: 34525156
Did you try the "Request attention" link? I have the same issue here on our network and we have frequent "lock-downs".

How did you find the source of the SYN attack generators?
Did you find any options to change the behavior of TMG when a SYN attack occurs? Anything?
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34525321

No, I didn't.

If you go to the TMG alert definitions you will find two different alerts:

1. SYN attack, for which I haven't found a solution yet.

2. Intrusion detected, which is caused by iPhone notifications (IP half-scan).



syn.PNG
int.PNG
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34525342
For the IP half-scan, TMG shows the source IP address in the alert.

But for the SYN attack alert, TMG does not show anything related, so I am asking a question here :)

0
 
LVL 1

Expert Comment

by:Ivica Vugrinec
ID: 34532531
So, after all, it looks like the "SYN attack" messages are not shown because of network activity on the "internal" part of the network (iPhones aren't the culprit).
The message states: "Description: Forefront TMG detected a possible SYN attack and will protect the network accordingly."

What does this mean: "will protect the network"? All I could find is this:

SYN attack - A malicious client tries to flood TMG Server with a large amount of half-open TCP connections.
TMG mitigates SYN attacks. An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.

TMG limits the number of concurrent half-open TCP connections to half the number of concurrent connections configured for concurrent TCP connections. This setting cannot be changed.

Maximum half-open TCP connections setting:

Mitigates SYN attacks by blocking requests from an IP address with which more than the specified number of half-open TCP connections exist. This limit is automatically calculated as half of the value of the Maximum concurrent TCP connections per IP address.

In some other Experts Exchange articles, experts are considering torrent applications as the culprit for the lock-downs. Did you ever enable any rules for torrent applications? Did you try to block them? Do you remember anything?
0
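The quoted documentation above gives the rule (the half-open limit is half of the per-IP maximum concurrent TCP connections) and the original question asks how to find the source host. As an added example that is not from this thread or from TMG, the following Python tracks half-open TCP flows per internal client from a constructed list of TCP flag events and flags any client over that limit; the per-IP maximum value and the event format are assumptions.

```python
from collections import defaultdict

# Assumed placeholder for TMG's "Maximum concurrent TCP connections per IP
# address" setting; the thread states the half-open limit is half of it.
MAX_CONCURRENT_PER_IP = 160
HALF_OPEN_LIMIT = MAX_CONCURRENT_PER_IP // 2

def half_open_flows(events):
    """events: (src_ip, src_port, dst_ip, dst_port, flags) tuples in time order.
    A flow is half-open from the client's SYN until that client ACKs or FINs it,
    or either side resets it. Returns {client_ip: set of flow keys still open}."""
    pending = defaultdict(set)          # client_ip -> {(client, server, server_port)}
    for src, sport, dst, dport, flags in events:
        if flags == "S":                # client opened a handshake
            pending[src].add((src, dst, dport))
        elif flags in ("A", "F"):       # client completed or closed the handshake
            pending[src].discard((src, dst, dport))
        elif flags == "R":              # a reset from either direction ends the flow
            pending[src].discard((src, dst, dport))
            pending[dst].discard((dst, src, sport))
    return pending

def offenders(events, limit=HALF_OPEN_LIMIT):
    """Client IPs holding more half-open flows than the limit, with their counts."""
    return {ip: len(f) for ip, f in half_open_flows(events).items() if len(f) > limit}

def sample_events():
    """Constructed sample, not real capture data."""
    ev = []
    for port in (80, 443, 8080):        # 10.0.0.5 completes three handshakes
        ev += [("10.0.0.5", 50000 + port, "198.51.100.10", port, "S"),
               ("198.51.100.10", port, "10.0.0.5", 50000 + port, "SA"),
               ("10.0.0.5", 50000 + port, "198.51.100.10", port, "A")]
    for port in range(1000, 1013):      # 10.0.0.7 leaves 13 SYNs unanswered ...
        ev.append(("10.0.0.7", 40000 + port, "203.0.113.1", port, "S"))
    ev.append(("203.0.113.1", 1000, "10.0.0.7", 41000, "R"))  # ... server resets one
    return ev

if __name__ == "__main__":
    for ip, n in offenders(sample_events(), limit=5).items():
        print(f"{ip}: {n} half-open connections (limit 5)")
```

With the placeholder limit of 80 nothing in the sample is flagged; lowering the limit to 5 shows 10.0.0.7 holding 12 half-open flows, which is the kind of per-client view the SYN attack alert itself does not give.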
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 34533938
My initial guess was torrent applications, but I tested all cases by enabling/disabling and allowing/denying torrents; nothing really works.

BTW: torrent applications produce another error (you can see it on the Alerts tab): concurrent TCP connections from one IP address exceeded the limit.
0
 
LVL 1

Accepted Solution

by:
Ivica Vugrinec earned 500 total points
ID: 35473102
The very same issue has been resolved on my network. The thread with full info is here:

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26811920.html
0
 
LVL 23

Author Comment

by:Suliman Abu Kharroub
ID: 35497789
@GrdiRuda:

Yes it is, and I participated in your thread :-), which makes sense... To be honest, points should be awarded to "voznaj", shouldn't they?...

Thanks all for your efforts.
0
 
LVL 23

Author Closing Comment

by:Suliman Abu Kharroub
ID: 35497791
Thanks man..
0
