Threshold Values; Half-Open Sessions; Tcp Maximum Incomplete And Blocking Time - ZyXEL Communications ZyWall 35 User Manual
Internet security appliance
Hide thumbs
Also See for ZyWall 35:
- User manual (872 pages) ,
- Support notes (335 pages) ,
- Quick start manual (142 pages)
Table of Contents
Advertisement
ZyWALL 35 User's Guide
10.10.1 Threshold Values
Tune these parameters when something is not working and after you have checked the firewall
counters. These default values should work fine for normal small offices with ADSL
bandwidth. Factors influencing choices for threshold values are:
1 The maximum number of opened sessions.
2 The minimum capacity of server backlog in your LAN network.
3 The CPU power of servers in your LAN network.
4 Network bandwidth.
5 Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you have servers
that are slow or handle many tasks and are often busy), then the default values should be
reduced.
You should make any changes to the threshold values before you continue configuring
firewall rules.
10.10.2 Half-Open Sessions
For TCP, half-open means that the session has not reached the established state-the TCP three-
way handshake has not yet been completed
means that the firewall has detected no return traffic. An unusually high number of half-open
sessions (either an absolute number or measured as the arrival rate) could indicate that a
Denial of Service attack is occurring.
The ZyWALL measures both the total number of existing half-open sessions and the rate of
session establishment attempts. Both TCP and UDP half-open sessions are counted in the total
number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete
high), the ZyWALL starts deleting half-open sessions as required to accommodate new
connection requests. The ZyWALL continues to delete half-open requests as necessary, until
the number of existing half-open sessions drops below another threshold (max-incomplete
low).
When the rate of new connection attempts rises above a threshold (one-minute high), the
ZyWALL starts deleting half-open sessions as required to accommodate new connection
requests. The ZyWALL continues to delete half-open sessions as necessary, until the rate of
new connection attempts drops below another threshold (one-minute low). The rate is the
number of new attempts detected in the last one-minute sample period.
10.10.2.1 TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could
indicate that a Denial of Service attack is being launched against the host.
196
(Figure 66 on page
168). For UDP, half-open
Chapter 10 Firewall Screens
Advertisement
Table of Contents
Troubleshooting
