Home
  •  

The non TCP connection limit for a specific IP address was exceeded

Microsoft.Forefront.TMG.The_non_TCP_connection_limit_for_a_specific_IP_address_was_exceeded.Rule (Rule)

This Rule generates alerts when The non TCP connection limit for a specific IP address was exceeded

Knowledge Base article:

Summary

TMG Server disconnected the oldest non-TCP session from a specific IP address because the connection limit that restricts the number of concurrent non-TCP sessions allowed from a single IP address was exceeded.

Causes

This IP address may belong to an infected host, or an attacker may be using this spoofed IP address to attack the TMG Server computer or other hosts behind the TMG Server computer.

Resolutions

Clean the client computer with this IP address if it is infected, or add the IP address to the list of computers that use the custom connection limits if this IP address belongs to a server or to a chained proxy server.

External

See the product documentation for more information about TMG Server flood resiliency.

Element properties:

TargetMicrosoft.Forefront.TMG.Server
CategoryEventCollection
EnabledTrue
Alert GenerateFalse
RemotableTrue

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Forefront.TMG.Rule.AlertGenerate.DS Default
WA WriteAction Microsoft.Forefront.TMG.Rule.AlertGenerate.WA Default

Source Code:

<Rule ID="Microsoft.Forefront.TMG.The_non_TCP_connection_limit_for_a_specific_IP_address_was_exceeded.Rule" Enabled="true" Target="Microsoft.Forefront.TMG.Server" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.DS">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <EventsPattern>^(15113)$</EventsPattern>

      <EventType>2</EventType>

      <SourcePattern>Microsoft Forefront TMG Firewall</SourcePattern>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WA" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.WA">

      <AlertMessageId>$MPElement[Name="Microsoft.Forefront.TMG.The_non_TCP_connection_limit_for_a_specific_IP_address_was_exceeded.AlertMessage"]$</AlertMessageId>

      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>

      <Priority>1</Priority>

      <Severity>2</Severity>

    </WriteAction>

  </WriteActions>

</Rule>