• Status: Solved

Forefront TMG detected a possible SYN attack and will protect the network accordingly.

Hello

I have a TMG serving about 200 clients accessing the internet (all of them SecureNAT). When this alert occurred, the server disconnected users from accessing the internet.
How can I find out the source of this SYN attack? And how do I protect the FTMG server against this attack?

Note: ISA 2006 shows the source IP address of a SYN attack, but TMG does not!


Thanks in advance.
Asked by: Suliman Abu Kharroub

1 Solution

Mohamed Khairy (Enterprise Solutions Architect) commented:
You can find the source of the attack by configuring alert definitions to alert you via e-mail, event log and many more. To configure alerts, start the TMG management console, navigate to the Monitoring node, select the Alerts tab and in the task pane click Configure Alert Definitions as shown below:

[screenshot: image0161249907498276.jpg]

Suliman Abu Kharroub (IT Consultant, Author) commented:
Thank you, dear, for your response.

I have already configured the alert to send email.

What I need is to configure the TMG server to generate the alert in the same way ISA 2006 displays it (including the SYN attack source IP address).


 
Suliman Abu Kharroub (IT Consultant, Author) commented:
Finally, I figured out the source is iPhone mobiles; not sure which application causes the problem. I will post here when I catch it.

Thanks for the help.

Mohamed Khairy (Enterprise Solutions Architect) commented:
iPhone mobiles... very weird issue?

I will wait to see your post.

Suliman Abu Kharroub (IT Consultant, Author) commented:
Most likely the cause is Facebook notifications!

Ivica Vugrinec commented:
I have the same issues here. Can someone give some more details? Did you confirm these reasons? What did you do about it?

Suliman Abu Kharroub (IT Consultant, Author) commented:
Hi GrdiRuda,

Actually, iPhone notifications cause another alert which is very similar to the one in this question.

iPhone notifications cause an alert that says "possible Internet Protocol (IP) half-scan attack from IP", which will not disconnect users from accessing the internet.

But this alert, "Forefront TMG detected a possible SYN attack and will protect the network accordingly.", will disconnect users from internet access and will isolate the entire internal network.

My final decision was to downgrade to ISA 2006 until I can find a solution.

I have been reading a lot of articles about SYN attacks and how TMG deals with them, but nothing helps.

I am so happy with ISA 2006..

Suliman Abu Kharroub (IT Consultant, Author) commented:
BTW: I will keep this thread open in case other experts can help ...

Ivica Vugrinec commented:
Did you try the "Request attention" link? I have the same issue here on our network and we have frequent "lock-downs".

How did you find the source of the SYN attack generators?
Did you find any options to change the behavior of TMG when a SYN attack occurs? Anything?

Suliman Abu Kharroub (IT Consultant, Author) commented:

No, I didn't.

If you go to the TMG alert definitions you will find two different alerts:

1. SYN attack, for which I haven't found a solution yet.

2. Intrusion detected, which is caused by iPhone notifications (half-IP scan).

[screenshots: syn.PNG, int.PNG]

Suliman Abu Kharroub (IT Consultant, Author) commented:
For the half-IP scan, TMG will show the source IP address in the alert.

But for the SYN attack alert, TMG does not show anything related, so I am asking a question here :)


Ivica Vugrinec commented:
So, after all, it looks like the "SYN attack" messages are not shown because of network activity on the "internal" part of the network. (iPhones aren't the culprit.)
Message states: "Description: Forefront TMG detected a possible SYN attack and will protect the network accordingly."

What does this mean: "will protect the network"? All I could find is this:

SYN attack: A malicious client tries to flood TMG Server with a large number of half-open TCP connections.
TMG mitigates SYN attacks. An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.

TMG limits the number of concurrent half-open TCP connections to half the number of concurrent connections configured for concurrent TCP connections. This setting cannot be changed.

Maximum half-open TCP connections setting:

Mitigates SYN attacks by blocking requests from an IP address with which more than the specified number of half-open TCP connections exist. This limit is automatically calculated as half of the value of the Maximum concurrent TCP connections per IP address.

In some other Experts Exchange articles, experts are considering torrent applications as the culprit for the lock-downs. Did you ever enable any rules for torrent applications? Did you try to block them? Do you remember anything?
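Neither the original question (how to find the source when the TMG alert omits the address) nor the documentation quoted above shows how a per-source half-open count is actually tallied. The Python script below is an added example, not TMG code and not from anyone in this thread: it counts SYN_RECEIVED entries per remote host from a constructed netstat-style listing (the sample lines, the addresses and the per-IP limit of 8 are all assumptions) and applies the documented rule that the half-open limit is half of the Maximum concurrent TCP connections per IP address. Fed the TMG server's own `netstat -ano` output captured during an event, it gives a ranked list of candidate sources to look at.

```python
"""
Count half-open (SYN_RECEIVED) TCP connections per remote host, the way a
firewall like TMG does before it decides a source is flooding it.

Added, hypothetical example: not TMG code, and it does not read TMG's alert
log. The input below is a constructed netstat-style listing, not real output.
"""
from collections import Counter

# Constructed sample in the column layout of `netstat -ano` on Windows.
# 10.0.0.57 is the assumed flooding host; 10.0.0.12 and [fe80::1] are
# normal clients with a few connections mid-handshake.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.1:443           10.0.0.57:52011        ESTABLISHED     4
  TCP    10.0.0.1:443           10.0.0.57:52012        SYN_RECEIVED    4
  TCP    10.0.0.1:443           10.0.0.57:52013        SYN_RECEIVED    4
  TCP    10.0.0.1:443           10.0.0.57:52014        SYN_RECEIVED    4
  TCP    10.0.0.1:8080          10.0.0.57:52015        SYN_RECEIVED    4
  TCP    10.0.0.1:8080          10.0.0.57:52016        SYN_RECEIVED    4
  TCP    10.0.0.1:8080          10.0.0.57:52017        SYN_RECEIVED    4
  TCP    10.0.0.1:443           10.0.0.12:60001        ESTABLISHED     4
  TCP    10.0.0.1:443           10.0.0.12:60002        SYN_RECEIVED    4
  TCP    10.0.0.1:443           10.0.0.12:60003        SYN_RECEIVED    4
  TCP    10.0.0.1:443           [fe80::1]:1000         SYN_RECEIVED    4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""


def half_open_per_source(netstat_text):
    """Return a Counter of SYN_RECEIVED connections keyed by remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect at least: Proto, Local Address, Foreign Address, State.
        if len(fields) < 4 or fields[0] != "TCP":
            continue
        foreign, state = fields[2], fields[3]
        if state != "SYN_RECEIVED":
            continue
        # The last ':' separates host from port for both IPv4 and [IPv6].
        host = foreign.rsplit(":", 1)[0]
        counts[host] += 1
    return counts


def half_open_limit(max_concurrent_per_ip):
    """Documented TMG rule: the half-open limit is half the per-IP limit."""
    return max_concurrent_per_ip // 2


def offending_sources(netstat_text, max_concurrent_per_ip):
    """Hosts whose half-open count exceeds the derived limit, worst first."""
    limit = half_open_limit(max_concurrent_per_ip)
    counts = half_open_per_source(netstat_text)
    return sorted(
        ((host, n) for host, n in counts.items() if n > limit),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    # A deliberately low assumed per-IP limit so the constructed sample trips it.
    LIMIT_PER_IP = 8
    for host, n in offending_sources(SAMPLE_NETSTAT, LIMIT_PER_IP):
        print(f"{host}: {n} half-open connections "
              f"(limit {half_open_limit(LIMIT_PER_IP)})")
```

With the sample above only 10.0.0.57 is reported (6 half-open connections against a derived limit of 4); the two other hosts stay under it. A single snapshot only shows connections that are half-open at that instant, so on a busy server it is worth sampling every few seconds around the time the alert fires rather than relying on one run.
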
Suliman Abu Kharroub (IT Consultant, Author) commented:
My initial guess was torrent applications, but I tested all cases by enabling/disabling and allowing/denying torrents; nothing really works.

BTW: torrent applications produce another error (you can see it on the Alerts tab): concurrent TCP connections from one IP address exceeded the limit.

Ivica Vugrinec commented:
The very same issue has been resolved on my network. The thread with full info is here:

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26811920.html

Suliman Abu Kharroub (IT Consultant, Author) commented:
@GrdiRuda:

Yes it is, and I participated in your thread :-) which makes sense... To be honest, points should be awarded to "voznaj", shouldn't they?...

Thanks all for your efforts.

Suliman Abu Kharroub (IT Consultant, Author) commented:
Thanks man..