Home
  •  

DoS Attack Check

Microsoft.Windows.RemoteAccess.2012.R2.Monitor.DA_DOSP_HEURISTIC_DOS_ATTACK (UnitMonitor)

Check to verify if a DoS attack is underway

Knowledge Base article:

Summary

A Denial of Service (DoS) attack might be underway.

Causes

1. IPsec has entered a DoS condition. This might indicate a DoS attack or a spike in the server load.

2. A high percentage of traffic was dropped because it failed security validation, and might constitute a potential attack on the server.

3. A large number of Security Associations (SAs) have failed negotiations.

Resolutions

A Denial of Service (DoS) attack might be underway. Take steps to mitigate the possible attack.

Element properties:

TargetMicrosoft.Windows.RemoteAccess.2012.R2.Class.NetworkSecurity
Parent MonitorSystem.Health.SecurityState
CategoryCustom
EnabledTrue
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.RemoteAccess.2012.R2.Monitor.HeuristicMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
Potential DoS attack

Error Description - {0}
Error Cause - {1}
Error Resolution - {2}
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.Windows.RemoteAccess.2012.R2.Monitor.DA_DOSP_HEURISTIC_DOS_ATTACK" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.RemoteAccess.2012.R2.Class.NetworkSecurity" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Microsoft.Windows.RemoteAccess.2012.R2.Monitor.HeuristicMonitorType" ConfirmDelivery="true">

  <Category>Custom</Category>

  <AlertSettings AlertMessage="Microsoft.Windows.RemoteAccess.2012.R2.Monitor.DA_DOSP_HEURISTIC_DOS_ATTACK_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/DataItem/Property[@Name='ErrorDesc']$</AlertParameter1>

      <AlertParameter2>$Data/Context/DataItem/Property[@Name='ErrorCause']$</AlertParameter2>

      <AlertParameter3>$Data/Context/DataItem/Property[@Name='ErrorResolution']$</AlertParameter3>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="UIGeneratedOpStateId737cf8448d424e9cb45d482db8429aa7" MonitorTypeStateID="Error" HealthState="Error"/>

    <OperationalState ID="UIGeneratedOpStateId15056a17fb4141da99b3c97097d81d88" MonitorTypeStateID="Warning" HealthState="Warning"/>

    <OperationalState ID="UIGeneratedOpStateId01f181b0a0ce4f8cb3fc52cae28b656e" MonitorTypeStateID="Healthy" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <Interval>300</Interval>

    <SyncTime/>

    <ComponentName>Network Security</ComponentName>

    <HeuristicId>2147745796</HeuristicId>

  </Configuration>

</UnitMonitor>