Monitors the packets dropped per second on ISA Server 2006 Firewall.
This monitor checks the number of denied packets per second. The expected value is no more than 100.
A value above this threshold indicates either a network misconfiguration or an attack. Use the ISA Server log to identify the actual condition.
The security problems that affect ISA Server performance are DoS and DDoS attacks. These attacks are characterized by the full consumption of one or more resources of ISA Server. From a performance point of view, there is no difference between a capacity problem and a security problem, because in both cases the performance of ISA Server suffers due to a resource bottleneck. Still, many indications can lead to the conclusion that the source of a performance problem is a security incident.
ISA Server uses various mechanisms to automatically detect and block security incidents that lead to DoS conditions:
TCP SYN attacks. Automatic detection and protection.
UDP or raw IP flood. Automatic detection and protection by use of per-rule connection quota.
Virus or worm propagation. Automatic detection and protection by use of per-IP connection quota.
In these cases, alerts are triggered, enabling the ISA Server administrator to examine the nature and source of the attack, and use preventive measures to eliminate it.
Identifying a DoS or DDoS attack requires input from all monitoring sources:
Performance counters show how much of a resource is consumed, as well as other values at suspect levels that call for further examination using the other sources.
ISA Server logs show irregular denial patterns that correlate with a set of ports or IP addresses that are denied access. In most cases, looking at the ISA Server logs provides the necessary information to identify and solve a security incident.
Network captures can also show irregular traffic patterns but at the lower network level. Use network captures in cases where ISA Server logs do not provide adequate information.
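The log correlation described above can be scripted. The following Python sketch is an added example, not part of ISA Server or of the original monitor: it counts denied records per second, flags seconds above the expected ceiling of 100, and reports the source address and destination port that dominate each flagged second. The five-column line layout (date, time, source IP, destination port, action) and all sample values are constructed assumptions, not the ISA Server log schema; map the columns to the fields of your exported log.

```python
from collections import Counter, defaultdict

THRESHOLD = 100  # expected ceiling from the monitor: denied packets per second

def make_sample_log():
    """Constructed sample lines: 'date time src_ip dst_port action' (hypothetical layout)."""
    lines = []
    # Background noise: a few denials spread over three seconds.
    for sec, src, port in [(0, "10.0.0.5", 445), (1, "10.0.0.9", 23), (2, "10.0.0.5", 445)]:
        lines.append(f"2008-01-01 12:00:0{sec} {src} {port} Denied")
    # Burst: 150 denials within one second from one source to one port.
    lines += ["2008-01-01 12:00:01 192.0.2.44 1434 Denied"] * 150
    # Allowed traffic in the same second must not be counted.
    lines += ["2008-01-01 12:00:01 10.0.0.7 80 Allowed"] * 20
    return lines

def analyze(lines, threshold=THRESHOLD):
    """Return {second: (denied_count, top_source, top_port)} for seconds over threshold."""
    per_second = defaultdict(lambda: (Counter(), Counter()))
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] != "Denied":
            continue  # skip malformed lines and non-denied records
        date, time, src, port, _ = parts
        sources, ports = per_second[f"{date} {time}"]
        sources[src] += 1
        ports[port] += 1
    findings = {}
    for second, (sources, ports) in per_second.items():
        total = sum(sources.values())
        if total > threshold:
            # most_common(1)[0] is a (value, count) pair
            findings[second] = (total, sources.most_common(1)[0], ports.most_common(1)[0])
    return findings

if __name__ == "__main__":
    for second, (total, src, port) in sorted(analyze(make_sample_log()).items()):
        print(f"{second}: {total} denied/s, top source {src[0]} ({src[1]}), "
              f"top port {port[0]} ({port[1]})")
```

A single source or port accounting for nearly all denials in a flagged second points toward one misconfigured or infected host, while denials spread across many sources fit a distributed pattern better.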
If you identify a DoS security incident that is not automatically detected and blocked by ISA Server, contact Microsoft Help and Support.