ARRIS 2247-N8-10NA (v9.1.x) User Manual User Manual
Page 98
Motorola 2247-N8 DSL Wi-Fi Gateway User Guide
Please visit
www.motorola.com/us/support
for FAQs and additional product documentation.
98
How to -
modify Denial of Service (DoS) protection settings:
Open the
Firewall > DoS Protection
page.
Use the pull-down menus and input fields of the
Firewall > DoS Protection
page to control the operation of the system firewall’s detection and han-
dling of DoS attempts:
Drop packets with invalid source or destination IP address
: Whether packets with invalid source or destination IP address(es) are to be
dropped
Protect against port scan
: Whether to detect and drop port scans.
Drop packets with unknown ether types
: Whether packets with unknown ethernet types are to be dropped
Drop packets with invalid TCP flags
: Whether packets with invalid TCP flag settings (NULL, FIN, Xmas, etc.) should be dropped
Drop incoming ICMP Echo requests
: Whether all ICMP echo requests are to be dropped.
The
Flood Limit
pull-down menu determines if the 2247-N8 should detect and control packet flooding events. The fields below the
Flood Limit
pull-down menu are only available if flood limiting is enabled.
Flood Limit
: Whether packet flooding should be detected and offending packets be dropped;.
Flood rate limit
: Specifies the number limit of packets per second before dropping the remainder.
Flood burst limit
: Specifies the number limit of packets in a single burst before dropping the remainder.
Flood limit ICMP enable
: Whether ICMP traffic packet flooding should be detected and offending packets be dropped
Flood limit UDP enable
: Whether UDP traffic packet flooding should be detected and offending packets be dropped.
Flood limit UDP Pass multicast
: Allows exclusion of UDP multicast traffic. On by default.
Flood limit TCP enable
: Allows exclusion of TCP traffic. Off by default.
Flood limit TCP SYN-cookie
: Allows TCP SYN cookies flooding to be excluded.
IPv6 Protection:
The following controls are only available on the
Firewall > DoS Protection
page if the 2247-N8 is using IPv6. Configuration of IPv6 is found in
Neighbor Discovery Attack protection
: Prevents downstream traffic from an upstream device that sends excessive traffic but receives no
replies.
ESP Header Forwarding
: Allows the use of Encapsulating Security Payload (ESP) data payload encryption for IP Secure (IPsec) from qualify-
ing endpoints.
Authentication Header Forwarding
: Accept and forward IPSec packets with Authentication Headers, which may be used by some IPSec
implementations to validate packet sources.
Reflexive ACL
: When IPv6 is enabled, Reflexive Access Control Lists can deny inbound IPv6 traffic unless this traffic results from returning
outgoing packets (except as configured through firewall rules).
After making any changes to the DoS protection settings, click the
Save
button to assign the new configuration to the 2247-N8.