The number of TCP connections allowed from a specific source IP address exceeded the configured limit

Microsoft.ISAServer.2006.The_number_of_TCP_connections_allowed_from_a_specific_source_IP_address_exceeded_the_configured_limit.Rule (Rule)

This rule generates an alert when the number of TCP connections allowed from a specific source IP address exceeds the configured limit.

Knowledge Base article:

Summary

ISA Server will not allow the creation of new TCP connections from a specific source IP address during a system-defined time period because the connection limit that restricts the number of TCP connections per minute from a single IP address was exceeded. By default, the time period during which no new TCP connections are created from a specific IP address is 1 min.

Causes

This IP address may belong to a host that is infected by a worm and is attempting to propagate the worm by scanning the network to find other vulnerable hosts.

Resolutions

Clean the client computer with this IP address if it is infected. If an excessive connection rate is legitimate, for example when the client computer is a server or a proxy that acts on behalf of many client computers, add the IP address to the list of computers that use the custom connection limits.

External

See the product documentation for more information about ISA Server flood resiliency.

Element properties:

Target: Microsoft.ISAServer.2006.ServerRole
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

ID   Module Type   TypeId                                           RunAs
DS   DataSource    Microsoft.ISAServer.2006.Rule.AlertGenerate.DS   Default
WA   WriteAction   Microsoft.ISAServer.2006.Rule.AlertGenerate.WA   Default

Source Code:

<Rule ID="Microsoft.ISAServer.2006.The_number_of_TCP_connections_allowed_from_a_specific_source_IP_address_exceeded_the_configured_limit.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<EventsPattern>^(15120)$</EventsPattern>
<EventType>2</EventType>
<SourcePattern>Microsoft Firewall</SourcePattern>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
<AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.The_number_of_TCP_connections_allowed_from_a_specific_source_IP_address_exceeded_the_configured_limit.AlertMessage"]$</AlertMessageId>
<DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
<Priority>1</Priority>
<Severity>2</Severity>
</WriteAction>
</WriteActions>
</Rule>
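The following PowerShell script is an added example, not part of the ISA Server management pack: it applies the same criteria as the rule's DataSource (Application log, source "Microsoft Firewall", event ID matching ^(15120)$) to a host's event log and summarises the matches per hour, which helps with the Resolutions step of deciding whether a source address is an infected client (sudden burst) or a busy server or proxy that should get a custom connection limit (steady rate). It assumes Get-EventLog is available (Windows Server 2003 with PowerShell 2.0) and reads the module's EventType 2 as the Warning entry type.

```powershell
# Added example (not part of the ISA Server management pack): reproduce the
# rule's event filter locally and bucket the matches by hour.
# Assumptions: Get-EventLog is available; EventType 2 in the module is taken
# to mean the Warning entry type.

function Get-IsaConnectionLimitEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Same filter as the rule's DataSource: log "Application", source
    # "Microsoft Firewall", event ID matching ^(15120)$.
    Get-EventLog -LogName Application -Source 'Microsoft Firewall' `
                 -EntryType Warning -After $since -ComputerName $ComputerName `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -match '^(15120)$' }
}

function Get-HourlyEventCounts {
    param([object[]]$Events)
    if (-not $Events) { return @() }
    # One row per hour: a spike in a single hour points at worm-like
    # scanning, a flat profile at a legitimately busy server or proxy.
    $Events |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ Name = 'Hour'; Expression = { $_.Name } }, Count
}

$events = @(Get-IsaConnectionLimitEvents -Hours 24)
if ($events.Count -eq 0) {
    Write-Host 'No event 15120 from "Microsoft Firewall" in the last 24 hours.'
} else {
    Get-HourlyEventCounts -Events $events | Format-Table -AutoSize
    # Show the newest matching message for manual review before the host is
    # cleaned or added to the custom connection limits list (the message text
    # is not parsed here).
    $events | Sort-Object TimeGenerated -Descending |
        Select-Object -First 1 -ExpandProperty Message
}
```

Run it on the ISA Server host itself, or pass -ComputerName from a management workstation with rights to read the remote Application log.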