How to filter ANY attacks (DNS Amplification Attack)


I'm receiving on average about 600 DNS requests per minute, all with the same (forged) source address and content (ANY).

How can I configure TMG to block this traffic? I would like to create rules that would look something like this:

"Filter DNS where query contains ANY" or "limit UDP traffic for port 53 to 100 packets / minute / IP"


November 6th, 2012 2:20pm


Thank you for the post.

In TMG you can configure Flood Mitigation which enables intrusion detection to prevent some kinds of attack.

Protecting against DNS and other attacks

Setting flood mitigation connection limits


November 7th, 2012 9:53am

I already found these options (AFAIK they are enabled by default) and tried different settings, but that didn't block this type of DNS request.
November 7th, 2012 10:56am


Thank you for the update.

As far as I know, you cannot customize your own connection limit settings; however, you can edit the built-in option "Maximum concurrent UDP sessions per IP address".


November 12th, 2012 5:39am


I don't know if you ever found a solution to this? I didn't, so I have written my own UDP packet filter that is presented as a Windows Service (64-bit, although I can provide a 32-bit version if necessary).

It's configurable so multiple domains can be specified in the filter, but I only have a problem with botnets participating in the DNS Reflection/Amplification attack.

Although I cannot eradicate the initial 50-64 byte request, the filter drops that request before the DNS server receives and processes it, saving up to 140GB/month in upload bandwidth on my connection.

If you (or anybody else) are interested, please contact me at

June 28th, 2013 3:39pm
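The two rules the original poster asked for ("drop ANY queries" and "limit port 53 traffic to 100 packets / minute / IP") and the pre-server UDP filter described in the last reply are the same idea: inspect the DNS question section before the resolver sees it, and drop on query type or on per-source rate. The following is an added example of that filtering logic written in Python; it is not code from the thread, from TMG, or from the poster's Windows service. It assumes packets arrive as (source IP, timestamp, raw DNS payload) tuples, and the sample packets it uses are constructed inline with `build_query`.

```python
"""
Model of a pre-resolver UDP filter for DNS ANY reflection traffic (added example).

Assumed policy, taken from the rules asked for in the thread:
  * drop queries whose QTYPE is ANY (255);
  * drop any source IP that exceeds RATE_LIMIT packets per WINDOW_SECONDS.
Packets are modelled as (src_ip, timestamp_seconds, dns_payload_bytes).
"""
import struct
from collections import Counter, defaultdict, deque

QTYPE_ANY = 255
RATE_LIMIT = 100          # packets per window per source IP (from the question)
WINDOW_SECONDS = 60.0


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (12-byte header + one question) as test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QCLASS IN


def parse_question(payload: bytes):
    """Return (qname, qtype) of the first question, or None if the packet is malformed."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set: this is a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):   # no compression pointers in a question
            return None
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


class AnyQueryFilter:
    """Per-source sliding-window rate limiter combined with a QTYPE=ANY drop rule."""

    def __init__(self, rate_limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.rate_limit = rate_limit
        self.window = window
        self.seen = defaultdict(deque)     # src_ip -> timestamps inside the current window

    def _over_rate(self, src_ip: str, now: float) -> bool:
        q = self.seen[src_ip]
        while q and now - q[0] >= self.window:   # expire timestamps older than the window
            q.popleft()
        q.append(now)
        return len(q) > self.rate_limit

    def decide(self, src_ip: str, now: float, payload: bytes):
        """Return (verdict, reason); verdict is 'pass' or 'drop'."""
        parsed = parse_question(payload)
        over = self._over_rate(src_ip, now)   # every packet counts against the source's budget
        if parsed is None:
            return "drop", "malformed"
        qname, qtype = parsed
        if qtype == QTYPE_ANY:
            return "drop", f"ANY query for {qname}"
        if over:
            return "drop", "rate limit exceeded"
        return "pass", qname


def summarize(events, flt: AnyQueryFilter = None) -> dict:
    """Run a batch of (src_ip, timestamp, payload) through the filter; return {verdict: count}."""
    flt = flt or AnyQueryFilter()
    counts = Counter(flt.decide(src, ts, payload)[0] for src, ts, payload in events)
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample: 600 ANY queries from one forged source plus one legitimate A query.
    flood = [("198.51.100.7", i / 10, build_query("example.com", QTYPE_ANY)) for i in range(600)]
    legit = [("192.0.2.9", 5.0, build_query("example.com", 1))]
    print(summarize(flood + legit))   # {'drop': 600, 'pass': 1}
```

The verdict order matters: an ANY query is dropped regardless of rate, and every packet (including dropped ones) is charged to its claimed source, so a forged source that mixes query types still hits the per-IP limit. Dropping by source address alone is a blunt instrument against spoofed traffic, which is why the QTYPE check sits in front of it.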

