If that much bandwidth is being eaten up, it should be trivial to find the offending IP(s) and block them - this would be best done at the provider's border routers, of course, if they offer this service.

I doubt you can do this, but I generally block all traffic from China altogether, and all SMTP from Russia; I also had a standing rule to block all TCP 135 traffic from Canada but then changed it as it was all dropping anyway since I had not allowed it in the first place.

Do you have any information about what the traffic itself is?

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Monday, January 04, 2010 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Desperate for some help regarding server attacks from the outside.

Not a lot you can do about that except get the IP that's doing it traced & blocked & inform the authorities....

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Anderson
Sent: Monday, January 04, 2010 2:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Desperate for some help regarding server attacks from the outside.

Hello All,

After looking at all the software add-ons for ISA Server, it seems like the primary focus of these products revolves around monitoring what users within an organization do during the day, like web surfing habits, etc. But what about protection of hosted servers behind the ISA Server, from the masses of external Internet users?

We don't have any users sitting behind our ISA Server - we have 8 servers in a secure cabinet collocated at a NOC, with a 20Meg Internet feed. We are using ISA Server in a pure server hosting environment.

We have been experiencing many attacks (specifically from Canada) where a user will just pound our website, trying to consume all our bandwidth so there isn't anything left for all our legitimate users. I've seen software packages like Bandwidth Splitter, etc. but again, it's all about throttling users BEHIND the ISA Server to control how much bandwidth they use when they are Internet surfing. We need to throttle the bandwidth to EXTERNAL anonymous users, so they can't affect our system as a whole.

I don't know where these people are coming from, but in order to affect our servers like this, they must be performing these attacks from a NOC - where they have access to a T-3 or better... I am just blown away, that a single user out there, can jeopardize our business like this. I wouldn't be surprised if this was a competitor trying to sabotage our business, but we've worked too long and hard, to allow something like this to happen to us.

Does anybody have any suggestions for us regarding this problem? I'd be very grateful to hear anybody's thoughts on this whole thing.

Just a FYI, we are running ISA Server 2004.

Thanks in advance for all your help,

Mike
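
The step suggested in the first reply, finding the offending IP(s) before blocking them, sketched as an added example that is not part of the original thread. It assumes the logs are written in W3C extended format with a `#Fields:` header and that the client address and response size columns are named `c-ip` and `sc-bytes`; the function names and the sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C extended log layout (tab-separated).
# c-ip and sc-bytes are assumed names; match them to your own #Fields line.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date\ttime\tc-ip\tcs-uri\tsc-status\tsc-bytes
2010-01-04\t14:01:02\t203.0.113.7\t/download/a.zip\t200\t52428800
2010-01-04\t14:01:03\t198.51.100.20\t/index.html\t200\t10240
2010-01-04\t14:01:05\t203.0.113.7\t/download/a.zip\t200\t52428800
2010-01-04\t14:01:06\t192.0.2.55\t/index.html\t200\t10240
2010-01-04\t14:01:07\t198.51.100.20\t/logo.gif\t304\t-
2010-01-04\t14:01:09\t203.0.113.7\t/download/a.zip\t200
"""


def bytes_by_client(lines, ip_field="c-ip", bytes_field="sc-bytes"):
    """Sum bytes sent to each client IP from W3C extended log lines."""
    totals = Counter()
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The directive can reappear mid-file when logging restarts.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split("\t") if "\t" in line else line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        try:
            totals[row[ip_field]] += int(row[bytes_field])
        except (KeyError, ValueError):
            continue  # missing column or "-" placeholder
    return totals


def heavy_hitters(totals, min_share=0.25):
    """Return (ip, bytes, share) for clients at or above min_share of traffic."""
    grand_total = sum(totals.values())
    if grand_total == 0:
        return []
    return [(ip, n, n / grand_total)
            for ip, n in totals.most_common()
            if n / grand_total >= min_share]
```

Feed it the open log file object (it iterates line by line) and hand the resulting addresses to the provider or to a local deny rule.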