ZyXEL Communications USG FLEX H Series User Manual page 274

Chapter 17 Reputation Filter

The following table describes the labels in this screen.

Table 137 Security Service > Reputation Filter > IP Reputation

LABEL: DESCRIPTION

IP Blocking

Enable
Select this option to turn on IP blocking on the Zyxel Device. Otherwise, clear it.

Action
Set the action the Zyxel Device takes when a packet comes from or goes to an IPv4 address with a bad reputation.
pass: The Zyxel Device allows the packet through.
block: The Zyxel Device denies the packet and sends a TCP RST to both the sender and the receiver.

Threat Level Threshold
Select the threat level at or above which the Zyxel Device takes action: high, medium and above, or Low and above. The threat level is assigned by the IP reputation engine, which grades each IPv4 address with a score; a lower score means a worse reputation.
high: an IPv4 address that scores 0 to 20 points.
medium and above: an IPv4 address that scores 0 to 60 points (this includes high).
Low and above: an IPv4 address that scores 0 to 80 points (this includes medium and high).

Log
These are the log options:
no: Do not create a log when a packet comes from or goes to an IPv4 address with a bad reputation.
log: Create a log on the Zyxel Device when a packet comes from or goes to an IPv4 address with a bad reputation.
log alert: An alert is an emailed log for more serious events that may need more immediate attention. Select this option to have the Zyxel Device send an alert when a packet comes from or goes to an IPv4 address with a bad reputation.

Statistics
Enable this to have the Zyxel Device collect IP reputation statistics. All statistics are erased if you restart the Zyxel Device or click Flush Data in Security Statistics > Reputation Filter > IP Reputation.

Types of Cyber Threats Coming From The Internet
Select the categories of traffic that comes from or goes to the Internet and is known to pose a security threat to users or their computers.

Anonymous Proxies
Sites and proxies that act as an intermediary for browsing other websites anonymously, whether to circumvent web filtering or for other reasons.

Denial of Service
Sources of Denial of Service (DoS) attacks. The category covers DoS, DDoS and SYN flood traffic as well as anomalous traffic.
DoS attacks flood your Internet connection with invalid packets and connection requests, consuming so much bandwidth and so many resources that Internet access becomes unavailable. The goal of a DoS attack is not to steal information but to take a device or network on the Internet out of service.
A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, denying service to the users of that target.
A SYN flood is an attack in which the attacker sends a large number of TCP SYN segments to a server and deliberately never completes the handshake with the final ACK. The server holds each half-open connection while waiting for a response, and its connection table fills until it can no longer accept legitimate connections.
Anomalous traffic can indicate malicious activity such as a malware outbreak or a hacking attempt.

Exploits
Sites that distribute exploits or exploit kits to infect the devices of website visitors. Exploit payloads include shellcode, rootkits, worms and viruses that download additional malware onto the infected device. An exploit kit bundles several different exploits.
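The threshold, action and log semantics in Table 137, modelled in Python as an added example (this is not Zyxel code and does not reflect the device's implementation). It assumes integer scores from 0 to 100 where lower is worse, inclusive band boundaries at 20, 60 and 80 as the table's ranges suggest, that both the source and the destination address of a packet are checked against the reputation feed, and that the TCP RST sent for block is only meaningful for TCP traffic. The reputation feed and the sample packets are constructed.

```python
"""Model of the IP Reputation policy from Table 137 (added example, not Zyxel code).

Assumptions not stated on the page: scores are integers 0-100, lower is
worse, band boundaries are inclusive, both packet endpoints are looked up,
and the RST described for "block" applies to TCP only.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# UI threshold setting -> highest score that still triggers action
# (page: high 0-20, medium and above 0-60, Low and above 0-80).
THRESHOLDS = {"high": 20, "medium and above": 60, "low and above": 80}

# Constructed reputation feed: IPv4 address -> score (0 = worst reputation).
REPUTATION = {
    "203.0.113.5": 3,     # high threat
    "198.51.100.77": 45,  # medium
    "192.0.2.200": 75,    # low
    "192.0.2.1": 99,      # effectively clean
}


def grade(score: int) -> Optional[str]:
    """Threat level the engine would assign to a score; None when above 80."""
    if score <= 20:
        return "high"
    if score <= 60:
        return "medium"
    if score <= 80:
        return "low"
    return None


def lookup(ip: str) -> Optional[int]:
    """Score for an IPv4 address; None for IPv6, garbage, or ungraded addresses."""
    try:
        if ip_address(ip).version != 4:
            return None  # the feature grades IPv4 addresses only
    except ValueError:
        return None
    return REPUTATION.get(ip)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"


@dataclass
class Decision:
    verdict: str                 # "pass" or "block"
    matched_ip: Optional[str]    # endpoint that tripped the filter
    threat_level: Optional[str]
    log: bool
    alert: bool
    tcp_rst: bool


def evaluate(pkt: Packet, enabled: bool = True, action: str = "block",
             threshold: str = "medium and above", log: str = "log") -> Decision:
    """Apply the IP Blocking settings to one packet."""
    if not enabled:
        return Decision("pass", None, None, False, False, False)
    limit = THRESHOLDS[threshold]
    # "comes from or goes to": examine both endpoints, keep the worst score.
    hits = []
    for ip in (pkt.src, pkt.dst):
        score = lookup(ip)
        if score is not None and score <= limit:
            hits.append((score, ip))
    if not hits:
        return Decision("pass", None, None, False, False, False)
    score, ip = min(hits)
    # Logging follows the match, not the action: a "pass" match is still logged.
    return Decision(
        verdict=action,
        matched_ip=ip,
        threat_level=grade(score),
        log=log in ("log", "log alert"),
        alert=(log == "log alert"),
        tcp_rst=(action == "block" and pkt.proto == "tcp"),  # assumption: RST only for TCP
    )


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.1", "tcp"),
        Packet("192.0.2.1", "198.51.100.77", "udp"),
        Packet("192.0.2.1", "192.0.2.200", "tcp"),
    ]
    for setting in THRESHOLDS:
        for p in samples:
            print(setting, p.src, "->", p.dst, evaluate(p, threshold=setting))
```

Note that with the default "medium and above" setting a score of 75 passes untouched, while "Low and above" blocks it; the score 20/21 boundary is where an address moves between the high and medium bands under these assumptions, so verify the real device's boundaries against its logs before tuning the threshold.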
USG FLEX H Series User's Guide
274