Threshold Values; Half-Open Sessions - ZyXEL Communications Internet Security Appliance ZyWALL5UTM 4.0 User Manual

ZyWALL 5/35/70 Series User's Guide
11.10 Firewall Threshold
In the Threshold screen, shown later, you may choose to generate an alert whenever an attack
is detected. For DoS attacks, the ZyWALL uses thresholds to determine when to drop sessions
that do not become fully established. These thresholds apply globally to all sessions.
You can use the default threshold values, or you can change them to values more suitable to
your security requirements.

11.10.1 Threshold Values

Tune these parameters when the ZyWALL is under DoS attacks and after you have checked
the firewall logs. These default values should work fine for normal small offices with ADSL
bandwidth. Factors influencing choices for threshold values are:
1 The maximum number of opened sessions.
2 The minimum capacity of server backlog in your LAN network.
3 The CPU power of servers in your LAN network.
4 Network bandwidth.
5 Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you have servers
that are slow or handle many tasks and are often busy), then the default values should be
reduced.
If you use P2P applications such as file sharing with eMule or eDonkey quite often, it's
recommended that you increase the threshold values since lots of sessions will be established
during a small period of time and the ZyWALL may take them as DoS attacks.

11.10.2 Half-Open Sessions

For TCP, half-open means that the session has not reached the established state-the TCP three-
way handshake has not yet been completed (see
means that the firewall has detected no return traffic. An unusually high number of half-open
sessions (either an absolute number or measured as the arrival rate) could indicate that a
Denial of Service attack is occurring.
The ZyWALL measures both the total number of existing half-open sessions and the rate of
session establishment attempts. Both TCP and UDP half-open sessions are counted in the total
number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete
high), the ZyWALL starts deleting half-open sessions as required to accommodate new
connection requests. The ZyWALL continues to delete half-open requests as necessary, until
the number of existing half-open sessions drops below another threshold (max-incomplete
low).
223
Figure 90 on page 201). For UDP, half-open
Chapter 11 Firewall Screens