Publishing Skype for Business to the Internet exposes your network to DoS (Denial-ofService) and DDoS (Distributed-Denial-of-Service) attacks.
These attacks can cause your network to become unavailable and result in significant damage to your business.
SkypeShield counts failed attempts to sign in to AD and once they reach a certain threshold, SkypeShield blocks further requests from reaching application servers.
The count is shared between the SkypeShield components including Bastion and the Edge filter.
Note:
On some mobile devices OS (i.e. Android and Windows Phones) Lync client resends login request after the failure of the first attempt with the same (incorrect) credentials. In these cases, a soft lock may occur earlier than expected.