The number of denied connections from a specific source IP address exceeded the configured limit

Microsoft.ISAServer.2006.The_number_of_denied_connections_from_a_specific_source_IP_address_exceeded_the_configured_limit.Rule (Rule)

This rule generates an alert when the number of denied connections from a specific source IP address exceeds the configured limit. It is driven by event ID 21284 from the "Microsoft Firewall" source in the Application event log (see the rule source below).

Knowledge Base article:

Summary

ISA Server reduced the number of denied-packet records written to the log because the number of denied TCP and non-TCP packets per second exceeded the system limit.

Causes

One or more compromised (zombie) hosts may be attempting an attack against a victim server; ISA Server is blocking the attack traffic, which is why the denied-connection counter for the source address keeps climbing.

Resolutions

Query the ISA Server firewall logs to identify the zombie hosts (the source IP addresses that account for the denied connections, and the destination hosts and ports they are hitting), and then remove the malicious code from them.
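The log query described above, as an added example that is not part of the management pack or of ISA Server: it reads firewall log lines in W3C extended format, counts denied connections per source IP per minute, and reports sources that exceed a limit together with the destinations they were denied to. Assumptions, not taken from the page: the log is tab-delimited, the field names (client-ip, date, time, dest-ip, dest-port, action, ...) are read from the log's own #Fields: header so the exact field order does not matter, the action string for a blocked connection is "Denied Connection", and the sample lines are constructed for the example. The limit is a parameter; the value used below is a stand-in, not the product's flood-mitigation default.

```python
"""Rank source IPs by denied connections per minute from ISA Server firewall (W3C) log lines.

Added example, not management pack or ISA Server code. Assumed: tab-delimited W3C log with a
#Fields: header, and "Denied Connection" as the action value for blocked connections.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. The field list is an assumption for this example; in practice the
# #Fields: line of the real log supplies the names and nothing below depends on their order.
FIELDS = ["client-ip", "client-agent", "username", "date", "time", "service",
          "referring-server", "dest-host", "dest-ip", "dest-port", "protocol",
          "action", "rule", "result-code"]


def _line(client_ip, hhmmss, dest_ip, dest_port, action):
    """Build one constructed tab-delimited data line with the FIELDS layout above."""
    return "\t".join([client_ip, "-", "-", "2009-03-10", hhmmss, "fwsrv", "-", "-",
                      dest_ip, str(dest_port), "TCP", action, "Default rule", "-"])


SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft(R) Internet Security and Acceleration Server 2006",
     "#Version: 2.0",
     "#Fields: " + " ".join(FIELDS)]
    # 10.0.0.23 is denied to 192.0.2.10:445 seven times inside the minute 14:00
    + [_line("10.0.0.23", f"14:00:{s:02d}", "192.0.2.10", 445, "Denied Connection")
       for s in (1, 3, 9, 12, 20, 41, 58)]
    # 10.0.0.40 is noisy but spread over two minutes: three denials, then two
    + [_line("10.0.0.40", t, "192.0.2.11", 139, "Denied Connection")
       for t in ("14:00:05", "14:00:30", "14:00:55", "14:01:02", "14:01:10")]
    # allowed traffic from 10.0.0.5 must not be counted
    + [_line("10.0.0.5", f"14:00:{s:02d}", "192.0.2.10", 80, "Initiated Connection")
       for s in range(4)]
) + "\n"


def parse_w3c(lines):
    """Yield one dict per data line; keys come from the #Fields: directive in the log."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def denied_per_minute(records, action="Denied Connection"):
    """Count denied connections keyed by (client-ip, 'YYYY-MM-DD HH:MM')."""
    counts = Counter()
    for rec in records:
        if rec.get("action") != action:
            continue
        stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        counts[(rec["client-ip"], stamp.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def offending_sources(counts, limit):
    """Return {client-ip: [(minute, count), ...]} for sources above `limit` in any one minute."""
    result = defaultdict(list)
    for (ip, minute), n in sorted(counts.items()):
        if n > limit:
            result[ip].append((minute, n))
    return dict(result)


def targets(records, client_ip, action="Denied Connection"):
    """Destinations (dest-ip, dest-port) a source was denied to, most frequent first."""
    hits = Counter((r["dest-ip"], r["dest-port"]) for r in records
                   if r["client-ip"] == client_ip and r.get("action") == action)
    return hits.most_common()


def analyze(log_text, limit):
    """Sources over the per-minute limit, with the minutes involved and their targets."""
    records = list(parse_w3c(log_text.splitlines()))
    flagged = offending_sources(denied_per_minute(records), limit)
    return {ip: {"minutes": minutes, "targets": targets(records, ip)}
            for ip, minutes in flagged.items()}


if __name__ == "__main__":
    LIMIT = 5  # stand-in value for the example, not the product default
    for ip, info in analyze(SAMPLE_LOG, LIMIT).items():
        print(ip, info["minutes"], "->", info["targets"])
```

Run it against a real firewall log by replacing SAMPLE_LOG with the file contents and LIMIT with the value configured under flood mitigation; the sources it reports are the candidates for the zombie hosts, and the target list shows which victim server and port each one was hammering.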

External

See the product documentation for more information about ISA Server flood resiliency.

Element properties:

Target: Microsoft.ISAServer.2006.ServerRole
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

ID   Module Type   TypeId                                           RunAs
DS   DataSource    Microsoft.ISAServer.2006.Rule.AlertGenerate.DS   Default
WA   WriteAction   Microsoft.ISAServer.2006.Rule.AlertGenerate.WA   Default

Source Code:

<Rule ID="Microsoft.ISAServer.2006.The_number_of_denied_connections_from_a_specific_source_IP_address_exceeded_the_configured_limit.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <EventsPattern>^(21284)$</EventsPattern>
      <EventType>1</EventType>
      <SourcePattern>Microsoft Firewall</SourcePattern>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
      <AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.The_number_of_denied_connections_from_a_specific_source_IP_address_exceeded_the_configured_limit.AlertMessage"]$</AlertMessageId>
      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
      <Priority>1</Priority>
      <Severity>2</Severity>
    </WriteAction>
  </WriteActions>
</Rule>