Attack alert, 3 attack alert – ZyXEL Communications ZyXEL ZyWALL 2WE User Manual
Page 165
ZyWALL 2 and ZyWALL 2WE
Firewall Configuration
15-3
15.3 Attack Alert
Attack alerts are the first defense against DOS attacks. In the Attack Alert screen, shown later, you may
choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to
determine when to drop sessions that do not become fully established. These thresholds apply globally to all
sessions.
You can use the default threshold values, or you can change them to values more suitable to your security
requirements.
15.3.1 Threshold Values
Tune these parameters when something is not working and after you have checked the firewall counters.
These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing
choices for threshold values are:
1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network
bandwidth.
5. Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you have servers that are slow or
handle many tasks and are often busy), then the default values should be reduced.
You should make any changes to the threshold values before you continue configuring firewall rules.
15.3.2 Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate)
could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has
not reached the established state-the TCP three-way handshake has not yet been completed (see Figure 13-2).
For UDP, "half-open" means that the firewall has detected no return traffic.
The ZyWALL measures both the total number of existing half-open sessions and the rate of session
establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate
measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the
ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The
ZyWALL continues to delete half-open requests as necessary, until the number of existing half-open sessions
drops below another threshold (max-incomplete low).