Configuring Attack Alert; Threshold Values; Half-Open Sessions - Nortel BSR252 Configuration - Basics

Business secure router

190 Chapter 11 Firewall screens

Configuring attack alert

Attack alerts are the first defense against DoS attacks. In the Attack Alert screen
(Figure 61) you can choose to generate an alert whenever an attack is detected.
For DoS attacks, the Business Secure Router uses thresholds to determine when to
drop sessions that do not become fully established. These thresholds apply
globally to all sessions.
You can use the default threshold values, or you can change them to values more
suitable to your security requirements.

Threshold values

Tune these parameters when something is not working and after you have checked
the firewall counters. These default values work fine for normal, small offices
with ADSL bandwidth. Factors influencing choices for threshold values are:
The maximum number of opened sessions
The minimum capacity of server backlog in your LAN network
The CPU power of servers in your LAN network
Network bandwidth
Type of traffic for certain servers

If your network is slower than average for any of these factors (especially if you
have servers that are slow or handle many tasks and are often busy), then the
default values must be reduced.
You must make any changes to the threshold values before you continue
configuring firewall rules.

Half-open sessions

An unusually high number of half-open sessions (either an absolute number or
measured as the arrival rate) indicates that a Denial of Service attack is occurring.
For TCP, half-open means that the session has not reached the established state,
and the TCP three-way handshake has not yet been completed (see Figure 46). For
UDP, half-open means that the firewall has detected no return traffic.
NN47923-500
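
The following Python sketch is an added illustration, not taken from the Nortel manual and not the router's implementation. It tracks half-open TCP and UDP sessions as defined above and raises an alert when either the absolute count or the one-minute arrival rate crosses a threshold. The threshold values, the event format, the sample events and the drop-the-oldest policy are all assumptions made for the example.

```python
from collections import OrderedDict, deque

# Hypothetical thresholds for this example, not the router's defaults.
MAX_HALF_OPEN = 4       # absolute number of half-open sessions
MAX_PER_MINUTE = 6      # new half-open sessions arriving within 60 s

OPENERS = {("tcp", "syn"), ("udp", "first")}   # start a half-open session
CLOSERS = {("tcp", "ack"), ("udp", "reply")}   # handshake done / return traffic seen

def scan(events, max_half_open=MAX_HALF_OPEN, max_per_minute=MAX_PER_MINUTE):
    """Return (alerts, dropped) for events of the form (t, proto, flow, kind)."""
    half_open = OrderedDict()   # flow -> time it was opened, oldest first
    arrivals = deque()          # open times seen within the last 60 s
    alerts, dropped = [], []
    for t, proto, flow, kind in sorted(events):
        if (proto, kind) in CLOSERS:
            half_open.pop(flow, None)           # session is now established
            continue
        if (proto, kind) not in OPENERS or flow in half_open:
            continue                            # retransmitted SYN or other traffic
        half_open[flow] = t
        arrivals.append(t)
        while arrivals and arrivals[0] <= t - 60:
            arrivals.popleft()                  # age out of the rate window
        if len(arrivals) > max_per_minute:
            alerts.append((t, "rate", len(arrivals)))
        if len(half_open) > max_half_open:
            alerts.append((t, "count", len(half_open)))
            # Assumed policy: drop the oldest session that never completed.
            old_flow, _ = half_open.popitem(last=False)
            dropped.append(old_flow)
    return alerts, dropped

def constructed_events():
    """Constructed sample: two normal clients, then a burst of unanswered SYNs."""
    ev = [(0, "tcp", "10.0.0.5:40000>192.0.2.10:80", "syn"),
          (1, "tcp", "10.0.0.5:40000>192.0.2.10:80", "ack"),
          (2, "udp", "10.0.0.6:5353>192.0.2.53:53", "first"),
          (3, "udp", "10.0.0.6:5353>192.0.2.53:53", "reply")]
    # Burst: 8 SYNs, one per second from t=100, none of them completed.
    ev += [(100 + i, "tcp", f"198.51.100.7:{50000 + i}>192.0.2.10:80", "syn")
           for i in range(8)]
    return ev

if __name__ == "__main__":
    for alert in scan(constructed_events())[0]:
        print(alert)
```

Lowering either threshold makes the alert fire earlier in the burst, which is the effect of reducing the defaults for a slow or busy server.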
