You increase the Maximum concurrent UDP sessions per IP address flood mitigation setting significantly on a server that is running Microsoft Forefront Threat Management Gateway 2010.
Many clients in the exception list send lots of UDP packets to the Threat Management Gateway server.
In this scenario, you may experience an increase in the number of backlogged packets that are waiting to be processed. This could cause the queue of UDP traffic to lead to other alerts, such as a "SYN Attack" being triggered.
Note You can monitor the number of backlogged packets by looking at the following Performance Monitor counter:
Forefront TMG Firewall Packet Engine
A increase in the number of backlogged packets occurs because of a performance bottleneck when new firewall sessions are created.
To resolve this issue, install the hotfix package that is described in the following Microsoft Knowledge Base article:
2649961 Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about flood mitigation, visit the following Microsoft TechNet website:
Microsoft Forefront Threat Management Gateway 2010 Enterprise, Microsoft Forefront Threat Management Gateway 2010 Service Pack 1, Microsoft Forefront Threat Management Gateway 2010 Service Pack 2, Microsoft Forefront Threat Management Gateway 2010 Standard