The security problems that most affect ISA Server performance are denial of service (DoS) and distributed denial of service (DDoS) attacks. These attacks are characterized by the full consumption of one or more ISA Server resources. From a performance standpoint there is no difference between a capacity problem and a security problem: in both cases ISA Server performance suffers because of a resource bottleneck. There are, however, several indications that point to a security incident as the source of a performance problem.
ISA Server uses various mechanisms to automatically detect and block security incidents that lead to DoS conditions:
- TCP SYN attacks (floods of half-open connections). Automatic detection and protection.
- UDP or raw IP floods. Automatic detection and protection by use of a per-rule connection quota.
- Virus or worm propagation. Automatic detection and protection by use of a per-IP connection quota.
In these cases, alerts are triggered, enabling the ISA Server administrator to examine the nature and source of the attack and take preventive measures to eliminate it.
Identifying a DoS or DDoS attack requires input from all monitoring sources:
- Performance counters show how much of a resource is consumed, and other counters may show suspect values that warrant further examination with the other sources.
- ISA Server logs show irregular denial patterns that correlate with a set of ports or IP addresses that are denied access. In most cases, the ISA Server logs provide the information needed to identify and resolve a security incident.
- Network captures can also show irregular traffic patterns, but at the lower network level. Use network captures when the ISA Server logs do not provide adequate information.
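The log-based check described above, as an added worked example that is not part of this page or of ISA Server itself: it scans firewall log lines for the two denial patterns ISA Server's quotas are aimed at, a burst of denied connections from one source within a minute (flood) and one source being denied on many distinct destination ports (scan or worm propagation). The tab-separated log layout, the field names, the thresholds and the sample lines are all constructed for the example; the layout is a simplified subset loosely modelled on the W3C firewall log and is not the exact ISA Server schema.

```python
"""Flag suspect sources in ISA Server-style firewall log lines (added example)."""
from collections import defaultdict

# Constructed, simplified field layout (NOT the exact ISA Server W3C schema).
FIELDS = ["client_ip", "date", "time", "dest_ip", "dest_port",
          "protocol", "action", "rule"]


def _line(ip, time, dport, action, proto="TCP", dest="192.168.1.10"):
    """Build one constructed, tab-separated sample log line."""
    return "\t".join([ip, "2006-09-01", time, dest, str(dport),
                      proto, action, "Default rule"])


# Constructed sample log:
#   10.0.0.5  12 denials in one minute across 6 distinct ports (scan-like)
#   10.0.0.7  30 UDP denials in one minute to a single port (flood-like)
#   10.0.0.9  a normal client with two allowed requests and one denial
_SCAN_PORTS = [135, 139, 445, 1433, 3389, 5000]
SAMPLE_LOG = "\n".join(
    ["#Fields: " + " ".join(FIELDS)]
    + [_line("10.0.0.5", f"12:00:{s:02d}", _SCAN_PORTS[s % 6], "Denied")
       for s in range(12)]
    + [_line("10.0.0.7", f"12:02:{s:02d}", 1434, "Denied", proto="UDP")
       for s in range(30)]
    + [_line("10.0.0.9", "12:00:30", 80, "Allowed"),
       _line("10.0.0.9", "12:00:31", 443, "Allowed"),
       _line("10.0.0.9", "12:01:02", 8080, "Denied")]
)


def parse_log(text):
    """Parse tab-separated lines into dicts; skip comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than abort the whole scan
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_suspects(records, denied_per_minute=10, distinct_ports=5):
    """Return {client_ip: [reasons]} for sources whose denials look like a flood or scan.

    The thresholds are illustrative assumptions, not ISA Server defaults.
    """
    denied = defaultdict(lambda: defaultdict(int))  # ip -> minute -> denied count
    ports = defaultdict(set)                        # ip -> {(protocol, dest_port)}
    for r in records:
        if r["action"] != "Denied":
            continue
        minute = r["date"] + " " + r["time"][:5]    # truncate seconds
        denied[r["client_ip"]][minute] += 1
        ports[r["client_ip"]].add((r["protocol"], r["dest_port"]))

    suspects = {}
    for ip, per_minute in denied.items():
        reasons = []
        peak_minute, peak = max(per_minute.items(), key=lambda kv: kv[1])
        if peak >= denied_per_minute:
            reasons.append(f"{peak} denied connections in minute {peak_minute}")
        if len(ports[ip]) >= distinct_ports:
            reasons.append(f"denied on {len(ports[ip])} distinct destination ports")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in sorted(find_suspects(parse_log(SAMPLE_LOG)).items()):
        print(ip, "->", "; ".join(reasons))
```

Run against a real export, the same two aggregations (denials per source per minute, and distinct denied ports per source) are what to correlate with the performance counters: a source that tops both lists while a connection-related counter is pegged is the first candidate for a block or a rule change.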
If you identify a DoS security incident that ISA Server does not automatically detect and block, contact Microsoft Help and Support.