Threshold Values - ZyXEL Communications ZyWALL 5 User Manual

10.10.1

Threshold Values

Tune these parameters when something is not working and after you have checked the firewall
counters. These default values should work fine for normal small offices with ADSL bandwidth.
Factors influencing choices for threshold values are:
1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network bandwidth.
5. Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you have servers that are
slow or handle many tasks and are often busy), then the default values should be reduced.
You should make any changes to the threshold values before you continue configuring firewall rules.
10.10.2 Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as the arrival
rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the
session has not reached the established state-the TCP three-way handshake has not yet been completed
(see Figure 9-2). For UDP, "half-open" means that the firewall has detected no return traffic.
The ZyWALL measures both the total number of existing half-open sessions and the rate of session
establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and
rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the
ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The
ZyWALL continues to delete half-open requests as necessary, until the number of existing half-open
sessions drops below another threshold (max-incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL
starts deleting half-open sessions as required to accommodate new connection requests. The ZyWALL
continues to delete half-open sessions as necessary, until the rate of new connection attempts drops
below another threshold (one-minute low). The rate is the number of new attempts detected in the last
one-minute sample period.
TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate
that a Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above a
threshold (TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to
one of the following methods:
1. If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-
open session for the host for every new connection request to the host. This ensures that the
number of half-open sessions to a given host will never exceed the threshold.
2. If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new connection
requests to the host giving the server time to handle the present connections. The ZyWALL
continues to block all new connection requests until the Blocking Time expires.
Firewall Screens
ZyWALL 5 Internet Security Appliance
10-19