ZyXEL 202H 91-003-194003B User Manual
Product codes
91-003-194003B
P-202H Plus v2 User’s Guide
91
Chapter 9 Firewall Configuration
9.3.3 Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as
the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-
open" means that the session has not reached the established state-the TCP three-way
handshake has not yet been completed (see
the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-
open" means that the session has not reached the established state-the TCP three-way
handshake has not yet been completed (see
). For UDP, "half-open"
means that the firewall has detected no return traffic.
The ZyXEL Device measures both the total number of existing half-open sessions and the rate
of session establishment attempts. Both TCP and UDP half-open sessions are counted in the
total number and rate measurements. Measurements are made once a minute.
of session establishment attempts. Both TCP and UDP half-open sessions are counted in the
total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete
high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new
connection requests. The ZyXEL Device continues to delete half-open requests as necessary,
until the number of existing half-open sessions drops below another threshold (max-
incomplete low).
high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new
connection requests. The ZyXEL Device continues to delete half-open requests as necessary,
until the number of existing half-open sessions drops below another threshold (max-
incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the
ZyXEL Device starts deleting half-open sessions as required to accommodate new connection
requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate
of new connection attempts drops below another threshold (one-minute low). The rate is the
number of new attempts detected in the last one-minute sample period.
ZyXEL Device starts deleting half-open sessions as required to accommodate new connection
requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate
of new connection attempts drops below another threshold (one-minute low). The rate is the
number of new attempts detected in the last one-minute sample period.
9.3.3.1 TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could
indicate that a Denial of Service attack is being launched against the host.
indicate that a Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above
a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open
sessions according to one of the following methods:
a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open
sessions according to one of the following methods:
• If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest
existing half-open session for the host for every new connection request to the host. This
ensures that the number of half-open sessions to a given host will never exceed the
threshold.
ensures that the number of half-open sessions to a given host will never exceed the
threshold.
• If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new
connection requests to the host giving the server time to handle the present connections.
The ZyXEL Device continues to block all new connection requests until the Blocking
Time expires.
The ZyXEL Device continues to block all new connection requests until the Blocking
Time expires.
9.3.4 Configuring Firewall Alert
The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The
global values specified for the threshold and timeout apply to all TCP connections.
global values specified for the threshold and timeout apply to all TCP connections.
Click Firewall, and Alert to bring up the next screen.