The Firewall Threshold Screen; Threshold Values - ZyXEL Communications P-660HW-Tx v3 Series User Manual

802.11g wireless adsl2+ 4-port gateway

Chapter 10 Firewalls

10.4 The Firewall Threshold Screen

For DoS attacks, the ZyXEL Device uses thresholds to determine when to start
dropping sessions that do not become fully established (half-open sessions).
These thresholds apply globally to all sessions.
For TCP, half-open means that the session has not reached the established state:
the TCP three-way handshake has not yet been completed. Under normal
circumstances, the application that initiates a session sends a SYN (synchronize)
packet to the receiving server. The receiver sends back an ACK (acknowledgment)
packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.
Figure 82: Three-Way Handshake
For UDP, half-open means that the firewall has detected no return traffic. An
unusually high number (or arrival rate) of half-open sessions could indicate a DoS
attack.
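The following is an added example, not ZyXEL code: a small model of the half-open session threshold described above, run over a constructed packet trace. It assumes the simplest form of the mechanism (a single global count of half-open sessions; new half-open sessions are dropped once the count reaches the threshold), with TCP sessions keyed on initiator and responder and UDP sessions completed by any return datagram.

```python
class HalfOpenTracker:
    """Model of the half-open threshold described above: a TCP session is
    half-open from the initiator's SYN until its final ACK, a UDP session until
    return traffic is seen; at max_half_open, new half-open sessions are dropped."""

    def __init__(self, max_half_open):
        self.max_half_open = max_half_open
        self.half_open = set()      # keys: (proto, initiator, responder)
        self.established = set()
        self.dropped = 0

    def _new_session(self, key):
        if key in self.half_open or key in self.established:
            return True             # retransmission of a known session
        if len(self.half_open) >= self.max_half_open:
            self.dropped += 1       # threshold reached: drop instead of tracking
            return False
        self.half_open.add(key)
        return True

    def _complete(self, key):
        self.half_open.discard(key)
        self.established.add(key)

    def observe(self, proto, src, dst, flag=None):
        """Feed one packet; returns False when the threshold drops it."""
        fwd = (proto, src, dst)     # initiator -> responder
        rev = (proto, dst, src)     # responder -> initiator
        if proto == "tcp":
            if flag == "SYN":
                return self._new_session(fwd)
            if flag == "ACK" and fwd in self.half_open:
                self._complete(fwd)  # three-way handshake finished
            return True             # a SYN-ACK leaves the session half-open
        if rev in self.half_open:   # UDP: return traffic completes the session
            self._complete(rev)
            return True
        return self._new_session(fwd)


def run_trace(max_half_open=3):
    """Constructed trace: a completed handshake, an answered UDP exchange, then
    five SYNs that never complete. Returns (half_open, established, dropped)."""
    t = HalfOpenTracker(max_half_open)
    t.observe("tcp", "10.0.0.5:40000", "192.0.2.10:80", "SYN")
    t.observe("tcp", "192.0.2.10:80", "10.0.0.5:40000", "SYN-ACK")
    t.observe("tcp", "10.0.0.5:40000", "192.0.2.10:80", "ACK")
    t.observe("udp", "10.0.0.5:50000", "192.0.2.53:53")
    t.observe("udp", "192.0.2.53:53", "10.0.0.5:50000")
    for port in range(41000, 41005):
        t.observe("tcp", f"198.51.100.7:{port}", "192.0.2.10:80", "SYN")
    return len(t.half_open), len(t.established), t.dropped
```

With the default threshold of 3, the two completed sessions are never counted against it, while only three of the five unanswered SYNs are tracked and the remaining two are dropped; raising the threshold (the tuning the next section describes) lets all five be tracked.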

10.4.1 Threshold Values

If everything is working properly, you probably do not need to change the
threshold settings as the default threshold values should work for most small
offices. Tune these parameters when you believe the ZyXEL Device has been
receiving DoS attacks that are not recorded in the logs or the logs show that the
ZyXEL Device is classifying normal traffic as DoS attacks. Factors influencing
choices for threshold values are:
1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network bandwidth.
P-660HW-Tx v3 Series User's Guide

This manual is also suitable for: P-660HW-T1 v3, P-660HW-T3 v3, P-660HW-Tx