Mike,

I have no idea what was present on ISA2004 (I'm on 2006 now), but go to the Configuration/General part of your array and check the configuration on "Enable Intrusion Detection and DNS Attack Detection" and also "Configure Flood Mitigation Settings".

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Keith A. Jones
Sent: Monday, January 04, 2010 2:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Desperate for some help regarding server attacks from the outside.

You should address this problem at the router level, not the server level.

Keith

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Anderson
Sent: Monday, January 04, 2010 1:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Desperate for some help regarding server attacks from the outside.

Hello All,

After looking at all the software add-ons for ISA Server, it seems like the primary focus of these products revolves around monitoring what users within an organization do during the day, like web surfing habits, etc. But what about protection of hosted servers behind the ISA Server, from the masses of external Internet users?

We don't have any users sitting behind our ISA Server - we have 8 servers in a secure cabinet collocated at a NOC, with a 20Meg Internet feed. We are using ISA Server in a pure server hosting environment.

We have been experiencing many attacks (specifically from Canada) where a user will just pound our website, trying to consume all our bandwidth so there isn't anything left for all our legitimate users. I've seen software packages like Bandwidth Splitter, etc. but again, it's all about throttling users BEHIND the ISA Server to control how much bandwidth they use when they are Internet surfing. We need to throttle the bandwidth to EXTERNAL anonymous users, so they can't affect our system as a whole.

I don't know where these people are coming from, but in order to affect our servers like this, they must be performing these attacks from a NOC - where they have access to a T-3 or better... I am just blown away that a single user out there can jeopardize our business like this. I wouldn't be surprised if this was a competitor trying to sabotage our business, but we've worked too long and hard to allow something like this to happen to us.

Does anybody have any suggestions for us regarding this problem? I'd be very grateful to hear anybody's thoughts on this whole thing.

Just an FYI, we are running ISA Server 2004.

Thanks in advance for all your help,
Mike