Table 55 Security > Firewall > Threshold - ZyXEL Communications ZYWALL 2 PLUS User Manual

Chapter 11 Firewall
The following table describes the labels in this screen.
Table 55 SECURITY > FIREWALL > Threshold
LABEL
Disable DoS Attack
Protection on
Denial of Service
Thresholds
One Minute Low
One Minute High
Maximum
Incomplete Low
Maximum
Incomplete High
TCP Maximum
Incomplete
Action taken when
TCP Maximum
Incomplete
reached threshold
Apply
Reset
202
DESCRIPTION
Select the check boxes of any interfaces (or all VPN tunnels) for which you want
the ZyWALL to not use the Denial of Service protection thresholds. This disables
DoS protection on the selected interface (or all VPN tunnels).
You may want to disable DoS protection for an interface if the ZyWALL is treating
valid traffic as DoS attacks. Another option would be to raise the thresholds.
The ZyWALL measures both the total number of existing half-open sessions and
the rate of session establishment attempts. Both TCP and UDP half-open
sessions are counted in the total number and rate measurements. Measurements
are made once a minute.
This is the rate of new half-open sessions per minute that causes the firewall to
stop deleting half-open sessions. The ZyWALL continues to delete half-open
sessions as necessary, until the rate of new connection attempts drops below this
number.
This is the rate of new half-open sessions per minute that causes the firewall to
start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the ZyWALL deletes half-open sessions as required to
accommodate new connection attempts.
For example, if you set the one minute high to 100, the ZyWALL starts deleting
half-open sessions when more than 100 session establishment attempts have
been detected in the last minute. It stops deleting half-open sessions when the
number of session establishment attempts detected in a minute goes below the
number set as the one minute low.
This is the number of existing half-open sessions that causes the firewall to stop
deleting half-open sessions. The ZyWALL continues to delete half-open requests
as necessary, until the number of existing half-open sessions drops below this
number.
This is the number of existing half-open sessions that causes the firewall to start
deleting half-open sessions. When the number of existing half-open sessions
rises above this number, the ZyWALL deletes half-open sessions as required to
accommodate new connection requests. Do not set Maximum Incomplete High
to lower than the current Maximum Incomplete Low number.
For example, if you set the maximum incomplete high to 100, the ZyWALL starts
deleting half-open sessions when the number of existing half-open sessions rises
above 100. It stops deleting half-open sessions when the number of existing half-
open sessions drops below the number set as the maximum incomplete low.
An unusually high number of half-open sessions with the same destination host
address could indicate that a DoS attack is being launched against the host.
Specify the number of existing half-open TCP sessions with the same destination
host IP address that causes the firewall to start dropping half-open sessions to
that same destination host IP address. Enter a number between 1 and 256. As a
general rule, you should choose a smaller number for a smaller network, a slower
system or limited bandwidth. The ZyWALL sends alerts whenever the TCP
Maximum Incomplete is exceeded.
Select the action that ZyWALL should take when the TCP maximum incomplete
threshold is reached. You can have the ZyWALL either:
Delete the oldest half open session when a new connection request comes.
or
Deny new connection requests for the number of minutes that you specify
(between 1 and 255).
Click Apply to save your changes back to the ZyWALL.
Click Reset to begin configuring this screen afresh.
ZyWALL 2 Plus User's Guide