Table 46 security > firewall > threshold – ZyXEL Communications NBG410W3G User Manual

Chapter 9 Firewall

NBG410W3G Series User’s Guide

183

The following table describes the labels in this screen.

Table 46 SECURITY > FIREWALL > Threshold

LABEL

DESCRIPTION

Disable DoS Attack

Protection on

Select the check boxes of any interfaces for which you want the ZyXEL Device to

not use the Denial of Service protection thresholds. This disables DoS protection

on the selected interface.
You may want to disable DoS protection for an interface if the ZyXEL Device is

treating valid traffic as DoS attacks. Another option would be to raise the

thresholds.

Denial of Service

Thresholds

The ZyXEL Device measures both the total number of existing half-open

sessions and the rate of session establishment attempts. Both TCP and UDP

half-open sessions are counted in the total number and rate measurements.

Measurements are made once a minute.

One Minute Low

This is the rate of new half-open sessions per minute that causes the firewall to

stop deleting half-open sessions. The ZyXEL Device continues to delete half-

open sessions as necessary, until the rate of new connection attempts drops

below this number.

One Minute High

This is the rate of new half-open sessions per minute that causes the firewall to

start deleting half-open sessions. When the rate of new connection attempts rises

above this number, the ZyXEL Device deletes half-open sessions as required to

accommodate new connection attempts.
For example, if you set the one minute high to 100, the ZyXEL Device starts

deleting half-open sessions when more than 100 session establishment attempts

have been detected in the last minute. It stops deleting half-open sessions when

the number of session establishment attempts detected in a minute goes below

the number set as the one minute low.

Maximum

Incomplete Low

This is the number of existing half-open sessions that causes the firewall to stop

deleting half-open sessions. The ZyXEL Device continues to delete half-open

requests as necessary, until the number of existing half-open sessions drops

below this number.

Maximum

Incomplete High

This is the number of existing half-open sessions that causes the firewall to start

deleting half-open sessions. When the number of existing half-open sessions

rises above this number, the ZyXEL Device deletes half-open sessions as

required to accommodate new connection requests. Do not set Maximum

Incomplete High to lower than the current Maximum Incomplete Low number.
For example, if you set the maximum incomplete high to 100, the ZyXEL Device

starts deleting half-open sessions when the number of existing half-open

sessions rises above 100. It stops deleting half-open sessions when the number

of existing half-open sessions drops below the number set as the maximum

incomplete low.

TCP Maximum

Incomplete

An unusually high number of half-open sessions with the same destination host

address could indicate that a DoS attack is being launched against the host.
Specify the number of existing half-open TCP sessions with the same destination

host IP address that causes the firewall to start dropping half-open sessions to

that same destination host IP address. Enter a number between 1 and 256. As a

general rule, you should choose a smaller number for a smaller network, a slower

system or limited bandwidth. The ZyXEL Device sends alerts whenever the TCP

Maximum Incomplete is exceeded.

Action taken when

TCP Maximum

Incomplete

reached threshold

Select the action that ZyXEL Device should take when the TCP maximum

incomplete threshold is reached. You can have the ZyXEL Device either:
Delete the oldest half open session when a new connection request comes.
or
Deny new connection requests for the number of minutes that you specify

(between 1 and 256).

Apply

Click Apply to save your changes.

Reset Click

Reset to begin configuring this screen afresh.