Protection - Planet BM-2002 User Manual

¨
Enable: Enable or disable this schedule.
¨
Save/Cancel: Press "Save" button to save all the configurations and "Cancel" button to discard your
configurations.

4.2.2 Protection

The Bandwidth Manager provides extended capabilities for filtering out any malicious attacks based on TCP,
UDP, or ICMP protocols. This greatly improves the security of your bandwidth, and guarantees that such
attacks will not disrupt the normal operation of your systems. While filtering out detected malicious traffic, your
network will be able to operate normally.
¨
Deny SYN Flood: TCP SYN Flood is one kind of attack that an attacker makes connection requests
aimed at the victim device with packets with unreachable source addresses. The device is not able to
complete the connection requests and, as a result, the device wastes all of its network resources,
resulting in shutting down a device. By defining a SYN attack threshold, the bandwidth manager allows
only the certain number of packets with unreachable source addresses each second.
¨
UDP Flood Attack: UDP is a connectionless protocol and it does not require any connection setup
procedure to transfer data. An UDP Flood Attack is possible when an attacker sends a UDP packet to a
random port on the victim device. When the victim device receives an UDP packet, it will determine what
application is waiting on the destination port. When it realizes that there is no application that is waiting
on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If
enough UDP packets are delivered to ports on victim, the device will go down. By defining a UDP flood
threshold, the bandwidth manager allows only the certain number of destination unreachable UDP
packets each second.
¨
ICMP Flood Attack: An ICMP flood is usually accomplished by broadcasting either a bunch of pings or
UDP packets. The idea is, to send so much data to your system, that it slows you down so much that
you're disconnected from IRC due to a ping timeout. By defining a ICMP flood attack threshold, the
bandwidth manager allows only the certain number of ICMP packets each second.
¨
Deny Port Scan: Most attackers will first scan all port of the victim to know which services are running
and then determined how to attack. Deny port scan will make hacker much hard to attack your internal
LAN.
¨
Circumventing Path MTU Discovery with MSS Clamping(for ADSL, cable, PPPoE): An Ethernet
packet provides maximum 1460 bytes payload. However, not all parts of the Internet support full 1460
bytes of payload per packet. It is therefore necessary to try and find the largest packet that will 'fit', in
order to optimize a connection. This process is called 'Path MTU Discovery', where MTU stands for
'Maximum Transfer Unit.' However, Path MTU Discovery is not always working. MSS (Maximum
BM-2002 Bandwidth Manager User's Manual
- 23 -