The number of denied TCP and non TCP packets per second exceeded the system limit

Microsoft.Forefront.TMG.The_number_of_denied_TCP_and_non_TCP_packets_per_second_exceeded_the_system_limit.Rule (Rule)

This rule generates an alert when the number of denied TCP and non-TCP packets per second exceeds the system limit (event ID 21282 in the Application log).

Knowledge Base article:

Summary

TMG Server reduced the number of denied-packet records written to the log because the number of denied TCP and non-TCP packets per second exceeded the system limit.

Causes

One or more zombie hosts may be attempting an attack against a victim server; TMG Server is blocking the attack traffic, but the volume of denied packets has triggered log throttling.

Resolutions

Query the TMG Server firewall logs to identify the zombie hosts (the sources generating the denied packets), and then remove the malicious code from them.
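The resolution above says to query the firewall logs for the offending hosts. The following script is an added example, not part of the management pack or the TMG product: it parses a W3C-style firewall log export and ranks client addresses by their peak number of denied packets in any one second. The log layout is constructed and reduced to the few columns the script needs (a real TMG log has many more), and the threshold value is an assumption, since the page does not state what the system limit is.

```python
"""Rank source hosts by peak denied-packets-per-second from a TMG-style log export.

Added example; not code from the management pack or from Microsoft. The
sample below is a constructed, simplified W3C-style export: only the columns
this script uses are present, and the values are invented.
"""
from collections import Counter, defaultdict

# Constructed sample: tab-separated W3C-style lines, one packet decision each.
SAMPLE_LOG = """\
#Fields: date\ttime\tclient-ip\tdestination-ip\tprotocol\taction\tresult-code
2011-03-01\t10:00:00\t10.0.0.5\t192.0.2.10\tTCP\tDenied\t0xc0040017
2011-03-01\t10:00:00\t10.0.0.5\t192.0.2.10\tTCP\tDenied\t0xc0040017
2011-03-01\t10:00:00\t10.0.0.5\t192.0.2.10\tTCP\tDenied\t0xc0040017
2011-03-01\t10:00:00\t10.0.0.9\t192.0.2.10\tTCP\tAllowed\t0x0
2011-03-01\t10:00:01\t10.0.0.5\t192.0.2.10\tUDP\tDenied\t0xc0040017
2011-03-01\t10:00:01\t10.0.0.7\t192.0.2.10\tTCP\tDenied\t0xc0040017
2011-03-01\t10:00:01\t10.0.0.7\t192.0.2.11\tTCP\tDenied\t0xc0040017
"""


def parse_w3c(text):
    """Parse a W3C-style export into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def denied_rate_per_host(records):
    """Return {client_ip: highest number of denied packets seen in any single second}."""
    per_second = defaultdict(Counter)  # client-ip -> Counter(second -> denied count)
    for rec in records:
        if rec["action"] != "Denied":
            continue
        second = f'{rec["date"]} {rec["time"]}'  # log resolution is one second
        per_second[rec["client-ip"]][second] += 1
    return {ip: max(counts.values()) for ip, counts in per_second.items()}


def suspected_zombies(records, threshold):
    """Hosts whose peak denied-per-second reaches the (assumed) threshold, worst first."""
    peaks = denied_rate_per_host(records)
    flagged = [(ip, peak) for ip, peak in peaks.items() if peak >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    # Threshold of 3 is an assumed value for the sample; tune to the environment.
    for ip, peak in suspected_zombies(recs, threshold=3):
        print(f"{ip}: peak {peak} denied packets/second")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; hosts that appear at the top of the ranking are the ones to examine for malicious code.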

External

See the product documentation for more information about TMG Server flood resiliency.

Element properties:

Target: Microsoft.Forefront.TMG.Server
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

ID   Module Type   TypeId                                         RunAs
DS   DataSource    Microsoft.Forefront.TMG.Rule.AlertGenerate.DS  Default
WA   WriteAction   Microsoft.Forefront.TMG.Rule.AlertGenerate.WA  Default

Source Code:

<Rule ID="Microsoft.Forefront.TMG.The_number_of_denied_TCP_and_non_TCP_packets_per_second_exceeded_the_system_limit.Rule" Enabled="true" Target="Microsoft.Forefront.TMG.Server" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.DS">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <EventsPattern>^(21282)$</EventsPattern>
      <EventType>1</EventType>
      <SourcePattern>[Microsoft Forefront TMG Firewall]|[Microsoft Forefront TMG Control]</SourcePattern>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.WA">
      <AlertMessageId>$MPElement[Name="Microsoft.Forefront.TMG.The_number_of_denied_TCP_and_non_TCP_packets_per_second_exceeded_the_system_limit.AlertMessage"]$</AlertMessageId>
      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
      <Priority>1</Priority>
      <Severity>2</Severity>
    </WriteAction>
  </WriteActions>
</Rule>