Firewall - Threshold

Configuring Attack Alert

Attack alerts are the first defense against DOS attacks. For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.

Threshold Values

Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:

1. The maximum number of opened sessions.

2. The minimum capacity of server backlog in your LAN network.

3. The CPU power of servers in your LAN network.

4. Network bandwidth.

5. Type of traffic for certain servers.

If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules.

Half-Open Sessions

An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state-the TCP three-way handshake has not yet been completed. For UDP, "half-open" means that the firewall has detected no return traffic.

The Prestige measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (max-incomplete high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).

When the rate of new connection attempts rises above a threshold (one-minute high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.

TCP Maximum Incomplete and Blocking Time

An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the Prestige starts deleting half-open sessions according to one of the following methods:

1. If the blocking time timeout is 0 (the default), then the Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

2. If the blocking time timeout is greater than 0, then the Prestige blocks all new connection requests to the host giving the server time to handle the present connections.The Prestige continues to block all new connection requests until the Blocking Time expires.

The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connection.

Label

Description

Denial of Services Thresholds

One Minute Low

This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
The Prestige continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number. "80" is the default.

One Minute High

This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. The default is "100". When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts. The Prestige stops deleting half-open sessions when the number is less than the One Minute Low.

Maximum Incomplete Low

This is the number of existing half-open sessions (default "80") that causes the firewall to stop deleting half-open sessions.
The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.

Maximum Incomplete High

This is the number of existing half-open sessions (default "100") that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. The Prestige stops deleting half-open sessions when the number is less than the Max Incomplete Low.
Do not set Maximum Incomplete High to lower than the current Max Incomplete Low number.

TCP Maximum Incomplete

This is the number of existing half-open TCP sessions (default "10") with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256.
As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth.

Action taken when the TCP Maximum Incomplete threshold is reached.
Delete the Oldest Half Open Session When New Connection Request ComesSelect this radio button to clear the oldest half open session when a new connection request comes.
Deny New Connection Request forSelect this radio button and specify for how long the Prestige should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256).
Back
Click Back to return to the Firewall Functions screen.
ApplyClick Apply to save your changes back to the Prestige.
Cancel
Click Cancel to begin configuring this screen afresh.