P312 Broadband Security Gateway

You can use the default threshold values, or you can change them to values more suitable to your security requirements.

15.4.1 Threshold Values:

You really just need to tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:

1.The maximum number of opened sessions.

2.The minimum capacity of server backlog in your LAN network.

3.The CPU power of servers in your LAN network.

4.Network bandwidth

5.Type of traffic for certain servers.

If any of these factors are below average for your network (especially if you have servers which are slow or handle many tasks and are often busy), then the default values should be reduced.

You should make any changes to the threshold values before you continue configuring firewall rules.

15.4.2 Half-Open Sessions

An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state--the TCP three-way handshake has not yet been completed (see Figure 13-2). For UDP, "half-open" means that the firewall has detected no return traffic.

The Prestige measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (max-incomplete high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).

When the rate of new connection attempts rises above a threshold (one-minute high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.

TCP Maximum Incomplete And Blocking Time

An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the Prestige starts deleting half-open sessions according to one of the following methods:

1.If the Blocking Time timeout is 0 (the default):

15-8

Introducing the Prestige Web Configurator

Page 176
Image 176
ZyXEL Communications P-312 manual Threshold Values, Half-Open Sessions, TCP Maximum Incomplete And Blocking Time