Discarded IPv6 IPsec unauthenticated packets per second

Network_Security_RateLimitDiscardUnAuth (UnitMonitor)

This warning alarm is generated when the "Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec" counter (under the "IPsec DOS Protection" object in Performance Monitor) exceeds a defined threshold. The counter reports the rate at which unauthenticated IKEv1, IKEv2, AuthIP, or ESP IPv6 packets are received on a public interface and discarded because they exceed the rate limit for IPv6 IPsec unauthenticated packets per second. An unauthenticated packet is an IPsec packet without an associated state entry. A state entry is a pair of IPv6 addresses that is authorized to pass through from a public to an internal interface. The alarm is cleared when the counter returns to healthy levels.

Knowledge Base article:

Causes

This could be an indication of a Denial of Service (DoS) attack or a spike in the load of the server.

Resolutions

Monitor the server for indications of a DoS attack. If an attack is not detected, raise the threshold setting for this counter to prevent false alarms.

Element properties:

Target: Network_Security_Class
Parent Monitor: System.Health.SecurityState
Category: SecurityHealth
Enabled: True
Instance Name: IPsec DOS Protection
Counter Name: Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec
Frequency: 300
Alert Generate: False
Alert Auto Resolve: True
Monitor Type: System.Performance.AverageThreshold
Remotable: True
Accessibility: Public
RunAs: Default

Source Code:

<UnitMonitor ID="Network_Security_RateLimitDiscardUnAuth" Accessibility="Public" Enabled="true" Target="Network_Security_Class" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Performance!System.Performance.AverageThreshold" ConfirmDelivery="false">
  <Category>SecurityHealth</Category>
  <OperationalStates>
    <OperationalState ID="UnderThreshold" MonitorTypeStateID="UnderThreshold" HealthState="Success"/>
    <OperationalState ID="OverThreshold" MonitorTypeStateID="OverThreshold" HealthState="Warning"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <CounterName>Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec</CounterName>
    <ObjectName>IPsec DOS Protection</ObjectName>
    <InstanceName/>
    <AllInstances>false</AllInstances>
    <Frequency>300</Frequency>
    <Threshold>100</Threshold>
    <NumSamples>3</NumSamples>
  </Configuration>
</UnitMonitor>
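
For triage when this alarm fires, the following added example (not part of the management pack or of the original page) reproduces the monitor's check by hand with the Threshold, NumSamples and Frequency values from the configuration above. The function name, the constructed sample windows, and the assumption that the monitor goes OverThreshold when the mean of NumSamples consecutive samples is greater than Threshold are illustrative.

```powershell
# Values copied from the monitor's <Configuration> block on this page.
$ObjectName  = 'IPsec DOS Protection'
$CounterName = 'Inbound Rate Limit Discarded IPv6 IPsec Unauthenticated Packets/sec'
$Threshold   = 100   # packets/sec
$NumSamples  = 3
$Frequency   = 300   # seconds between samples

# Hypothetical helper. Assumption: the state is OverThreshold when the mean
# of the supplied samples is greater than the threshold.
function Get-AverageThresholdState {
    param(
        [Parameter(Mandatory)][string]$Window,
        [Parameter(Mandatory)][double[]]$Samples,
        [Parameter(Mandatory)][double]$Threshold
    )
    $avg   = ($Samples | Measure-Object -Average).Average
    $state = 'UnderThreshold (Success)'
    if ($avg -gt $Threshold) { $state = 'OverThreshold (Warning)' }
    [pscustomobject]@{
        Window  = $Window
        Samples = $Samples -join ', '
        Average = [math]::Round($avg, 2)
        State   = $state
    }
}

# Constructed sample windows (not measurements): one short burst inside an
# otherwise quiet window, and one window of sustained discards.
Get-AverageThresholdState -Window 'single spike'   -Samples 0, 250, 0     -Threshold $Threshold
Get-AverageThresholdState -Window 'sustained load' -Samples 120, 140, 90 -Threshold $Threshold

# Live check on the monitored host. Get-Counter waits $Frequency seconds
# between samples, so this takes several minutes with the values above.
$path = '\{0}\{1}' -f $ObjectName, $CounterName
try {
    $live = Get-Counter -Counter $path -SampleInterval $Frequency `
                -MaxSamples $NumSamples -ErrorAction Stop |
            ForEach-Object { $_.CounterSamples[0].CookedValue }
    Get-AverageThresholdState -Window 'live' -Samples $live -Threshold $Threshold
} catch {
    # The counter object is absent on hosts that do not expose it.
    Write-Warning "Could not read ${path}: $($_.Exception.Message)"
}
```

Comparing the live average with the configured threshold over several windows shows whether discards are sustained or a brief burst, which informs the decision in the Resolutions section to investigate further or to raise the threshold.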