Chapter 11 Firewall Configuration
P-660W-Tx v2 User’s Guide
129
You should make any changes to the threshold values before you continue configuring firewall
rules.
11.7.4.2 Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as
the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP,
"half-open" means that the session has not reached the established state: the TCP three-way
handshake has not yet been completed. For UDP, "half-open" means that the firewall has
detected no return traffic.
The ZyXEL Device measures both the total number of existing half-open sessions and the rate
of session establishment attempts. Both TCP and UDP half-open sessions are counted in the
total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete
high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new
connection requests. The ZyXEL Device continues to delete half-open requests as necessary,
until the number of existing half-open sessions drops below another threshold
(max-incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the
ZyXEL Device starts deleting half-open sessions as required to accommodate new connection
requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate
of new connection attempts drops below another threshold (one-minute low). The rate is the
number of new attempts detected in the last one-minute sample period.
TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could
indicate that a Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above
a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open
sessions according to one of the following methods:
• If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest
existing half-open session for the host for every new connection request to the host. This
ensures that the number of half-open sessions to a given host will never exceed the
threshold.
• If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new
connection requests to the host, giving the server time to handle the present connections.
The ZyXEL Device continues to block all new connection requests until the Blocking Time
expires.
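The two Blocking Time behaviours described above can be compared with a small model. This is an added example, not ZyXEL firmware code: the class and method names are hypothetical, time is in abstract units because this page does not state the unit of Blocking Time, and it assumes the policy is triggered by the request that would push a host past TCP Maximum Incomplete.

```python
from collections import defaultdict, deque

class HalfOpenTracker:
    """Simplified model of per-destination half-open TCP session limiting.
    Half-open sessions leave the table only by eviction or established()."""

    def __init__(self, tcp_max_incomplete, blocking_time=0):
        self.limit = tcp_max_incomplete      # "TCP Maximum Incomplete"
        self.blocking_time = blocking_time   # "Blocking Time"; 0 = delete-oldest mode
        self.half_open = defaultdict(deque)  # dst host -> session ids, oldest first
        self.blocked_until = {}              # dst host -> time the block expires

    def new_request(self, dst, session_id, now):
        """Handle a new request; return 'accept', 'evict:<id>' or 'blocked'."""
        if now < self.blocked_until.get(dst, 0):
            return "blocked"
        queue = self.half_open[dst]
        if len(queue) < self.limit:
            queue.append(session_id)
            return "accept"
        if self.blocking_time == 0:
            # Default mode: delete the oldest half-open session to make room,
            # so the per-host count never exceeds the threshold.
            oldest = queue.popleft()
            queue.append(session_id)
            return f"evict:{oldest}"
        # Blocking mode: refuse every new request to this host until expiry.
        self.blocked_until[dst] = now + self.blocking_time
        return "blocked"

    def established(self, dst, session_id):
        """Handshake completed: the session is no longer half-open."""
        if session_id in self.half_open[dst]:
            self.half_open[dst].remove(session_id)

def replay(tracker, events):
    """Feed (time, dst, session_id) requests to the tracker; return decisions."""
    return [tracker.new_request(dst, sid, t) for t, dst, sid in events]

# Constructed sample: six requests to one host, none completing the handshake.
EVENTS = [(t, "192.0.2.10", f"s{t}") for t in range(6)]

if __name__ == "__main__":
    print(replay(HalfOpenTracker(3, blocking_time=0), EVENTS))
    print(replay(HalfOpenTracker(3, blocking_time=10), EVENTS))
```

With a threshold of 3, the default mode keeps admitting requests while evicting the oldest half-open entries, whereas a non-zero Blocking Time refuses every request to that host, legitimate ones included, until the timer expires.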