15.8.2 Half-Open SessionsAn unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half- open" means that the session has not reached the established state-the TCP three-way handshake has not yet been completed (see Figure 136 on page 236). For UDP, "half-open" means that the firewall has detected no return traffic.
The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max- incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.
15.8.2.1 TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above
athreshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open sessions according to one of the following methods:
•If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
•If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new connection requests to the host giving the server time to handle the present connections. The ZyXEL Device continues to block all new connection requests until the Blocking Time expires.
15.8.3Configuring Firewall ThresholdsThe ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.
Click Firewall, and Threshold to bring up the next screen.
