P312 Broadband Security Gateway
15-8 Introducing the Prestige Web Configurator
You can use the default threshold values, or you can change them to values more suitable to your security
requirements.
15.4.1 Threshold Values:
You really just need to tune these parameters when something is not working and after you have checked the
firewall counters. These default values should work fine for normal small offices with ADSL bandwidth.
Factors influencing choices for threshold values are:
1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network bandwidth
5. Type of traffic for certain servers.
If any of these factors are below average for your network (especially if you have servers which are slow or
handle many tasks and are often busy), then the default values should be reduced.
You should make any changes to the threshold values before you continue configuring firewall rules.
15.4.2 Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate)
could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has
not reached the established state--the TCP three-way handshake has not yet been completed (see Figure
13-2). For UDP, "half-open" means that the firewall has detected no return traffic.
The Prestige measures both the total number of existing half-open sessions and the rate of session
establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate
measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the Prestige
starts deleting half-open sessions as required to accommodate new connection requests. The Prestige
continues to delete half-open requests as necessary, until the number of existing half-open sessions drops
below another threshold (max-incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the Prestige starts
deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to
delete half-open sessions as necessary, until the rate of new connection attempts drops below another
threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample
period.
TCP Maximum Incomplete And Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a
Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the sa me destination host address rises above a threshold
(TCP Maximu m Incomplet e), the Prestige starts deleting half-open sessions according to one of the
following methods:
1. If the Blocking Time timeout is 0 (the default):