ZyXEL Communications ZyWALL5UTM 4.0 11.10 Firewall Threshold, 11.10.1 Threshold Values, 11.10.2 Half-OpenSessions, low, high, Threshold, max-incomplete, max-incomplete

ZyWALL 5/35/70 Series User’s Guide

11.10 Firewall Threshold

In the Threshold screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.

You can use the default threshold values, or you can change them to values more suitable to your security requirements.

11.10.1 Threshold Values

Tune these parameters when the ZyWALL is under DoS attacks and after you have checked the firewall logs. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:

1The maximum number of opened sessions.

2The minimum capacity of server backlog in your LAN network.

3The CPU power of servers in your LAN network.

4Network bandwidth.

5Type of traffic for certain servers.

If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.

If you use P2P applications such as file sharing with eMule or eDonkey quite often, it’s recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the ZyWALL may take them as DoS attacks.

11.10.2 Half-Open Sessions

For TCP, half-open means that the session has not reached the established state-the TCP three- way handshake has not yet been completed (see Figure 90 on page 201). For UDP, half-open means that the firewall has detected no return traffic. An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring.

The ZyWALL measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (max-incomplete high), the ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).