Configuring Attack Alert Attack alerts are the first defense against DOS attacks. For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements. Threshold
Values Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:
If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules. Half-Open Sessions An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state-the TCP three-way handshake has not yet been completed. For UDP, "half-open" means that the firewall has detected no return traffic. The Prestige measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (max-incomplete high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low). When the rate of new connection attempts rises above a threshold (one-minute high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period. TCP Maximum Incomplete and Blocking Time An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host. Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the Prestige starts deleting half-open sessions according to one of the following methods:
The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connection. |
Description | ||
Denial of Services Thresholds | ||
One Minute Low |
This
is the rate of new half-open sessions that causes the firewall to stop
deleting half-open sessions. | |
One Minute High |
This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. The default is "100". When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts. The Prestige stops deleting half-open sessions when the number is less than the One Minute Low. | |
Maximum Incomplete Low |
This
is the number of existing half-open sessions (default "80")
that causes the firewall to stop deleting half-open sessions. | |
Maximum Incomplete High |
This
is the number of existing half-open sessions (default "100")
that causes the firewall to start deleting half-open sessions. When
the number of existing half-open sessions rises above this number, the
Prestige deletes half-open sessions as required to accommodate new connection
requests. The Prestige stops deleting half-open sessions when the number
is less than the Max Incomplete Low. | |
TCP Maximum Incomplete |
This
is the number of existing half-open TCP sessions (default "10")
with the same destination host IP address that causes the firewall to
start dropping half-open sessions to that same destination host IP address.
Enter a number between 1 and 256. | |
Action taken when the TCP Maximum Incomplete threshold is reached. | ||
Delete the Oldest Half Open Session When New Connection Request Comes | Select this radio button to clear the oldest half open session when a new connection request comes. | |
Deny New Connection Request for | Select this radio button and specify for how long the Prestige should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256). | |
Back |
Click
Back to return to the Firewall Functions screen.
| |
Apply | Click Apply to save your changes back to the Prestige. | |
Cancel |
Click
Cancel to begin configuring this screen afresh. |