ZyXEL P-660HWP User's Guide

 Chapter 11 Firewall Configuration
P-660HWP-Dx User’s Guide
65
11.10.2  Half-Open Sessions
An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state; the TCP three-way handshake has not yet been completed (see ). For UDP, "half-open" means that the firewall has detected no return traffic.
The P-660HWP-Dx measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the P-660HWP-Dx starts deleting half-open sessions as required to accommodate new connection requests. The P-660HWP-Dx continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the P-660HWP-Dx starts deleting half-open sessions as required to accommodate new connection requests. The P-660HWP-Dx continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.
11.10.2.1  TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the P-660HWP-Dx starts deleting half-open sessions according to one of the following methods:
• If the Blocking Time timeout is 0 (the default), then the P-660HWP-Dx deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
• If the Blocking Time timeout is greater than 0, then the P-660HWP-Dx blocks all new connection requests to the host, giving the server time to handle the present connections. The P-660HWP-Dx continues to block all new connection requests until the Blocking Time expires.
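The following simulation is an added example, not ZyXEL firmware code, and models the behaviour described in the two preceding sections: the global max-incomplete high/low and one-minute high/low hysteresis, and the per-host TCP Maximum Incomplete rule in both its Blocking Time 0 (evict oldest) and Blocking Time greater than 0 (refuse new requests) modes. The class name, the `new_attempt`/`established`/`tick_minute` methods, the threshold values and the event sequences in `run_demo()` are all constructed assumptions; the model treats every connection request alike rather than distinguishing TCP from UDP, and it applies the "rises above" test when the existing count already equals the threshold, so the count never exceeds it.

```python
"""Simulation of the half-open session thresholds described above.

Added example, not ZyXEL firmware code. Threshold values, session keys and the
event sequences in run_demo() are constructed for illustration.
"""
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks half-open sessions and applies the global and per-host limits."""

    def __init__(self, max_incomplete_high=100, max_incomplete_low=80,
                 one_minute_high=100, one_minute_low=80,
                 tcp_max_incomplete=10, blocking_time=0):
        self.max_incomplete_high, self.max_incomplete_low = max_incomplete_high, max_incomplete_low
        self.one_minute_high, self.one_minute_low = one_minute_high, one_minute_low
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time      # seconds; 0 = "evict oldest" mode
        self.sessions = OrderedDict()           # (src, dst) -> start time; first = oldest
        self.attempts_this_minute = 0
        self.last_minute_rate = 0
        self.count_shedding = False             # on between max-incomplete high and low
        self.rate_shedding = False              # on between one-minute high and low
        self.blocked_until = {}                 # dst host -> time the block expires
        self.deleted, self.blocked, self.alerts = [], [], []

    def _delete_oldest(self, host=None):
        """Drop the oldest half-open session (optionally only for one host)."""
        for key in list(self.sessions):
            if host is None or key[1] == host:
                del self.sessions[key]
                self.deleted.append(key)
                return

    def _host_count(self, host):
        return sum(1 for _, dst in self.sessions if dst == host)

    def new_attempt(self, src, dst, now):
        """Process a new connection request (e.g. a TCP SYN); returns the decision."""
        self.attempts_this_minute += 1
        key = (src, dst)
        # Per-host rule: TCP Maximum Incomplete with Blocking Time
        if now < self.blocked_until.get(dst, 0):
            self.blocked.append(key)
            return "blocked"
        if self._host_count(dst) >= self.tcp_max_incomplete:
            self.alerts.append((dst, now))      # the device also raises an alert here
            if self.blocking_time == 0:
                self._delete_oldest(host=dst)   # make room; host count never exceeds limit
            else:
                self.blocked_until[dst] = now + self.blocking_time
                self.blocked.append(key)
                return "blocked"
        # Global rules: total half-open count with high/low hysteresis, plus the
        # one-minute rate flag set by tick_minute(); either one sheds the oldest session
        total = len(self.sessions)
        if total >= self.max_incomplete_high:
            self.count_shedding = True
        elif total < self.max_incomplete_low:
            self.count_shedding = False
        if self.count_shedding or self.rate_shedding:
            self._delete_oldest()
        self.sessions[key] = now
        return "accepted"

    def established(self, src, dst):
        """Handshake completed (or UDP reply seen): session is no longer half-open."""
        self.sessions.pop((src, dst), None)

    def tick_minute(self):
        """Once-a-minute measurement of the new-attempt rate; returns the rate."""
        self.last_minute_rate, self.attempts_this_minute = self.attempts_this_minute, 0
        if self.last_minute_rate >= self.one_minute_high:
            self.rate_shedding = True
        elif self.last_minute_rate < self.one_minute_low:
            self.rate_shedding = False
        return self.last_minute_rate


def run_demo():
    """Constructed event sequences exercising each rule; returns the observations."""
    out = {}
    # 1. Per-host limit 3, Blocking Time 0: the oldest session is evicted per new request
    fw = HalfOpenTracker(tcp_max_incomplete=3, blocking_time=0)
    res = [fw.new_attempt(f"198.51.100.{i}", "10.0.0.5", now=i) for i in range(1, 6)]
    out["evict"] = (res, fw._host_count("10.0.0.5"), fw.deleted)
    # 2. Same limit, Blocking Time 30 s: new requests to the host are refused until it expires
    fw = HalfOpenTracker(tcp_max_incomplete=3, blocking_time=30)
    for i in range(1, 4):
        fw.new_attempt(f"198.51.100.{i}", "10.0.0.5", now=i)
    r4 = fw.new_attempt("198.51.100.4", "10.0.0.5", now=4)    # trips the block
    r5 = fw.new_attempt("198.51.100.5", "10.0.0.5", now=20)   # still inside the 30 s
    fw.established("198.51.100.1", "10.0.0.5")               # one client completes
    r6 = fw.new_attempt("198.51.100.6", "10.0.0.5", now=40)   # block expired, room again
    out["block"] = (r4, r5, r6, len(fw.alerts))
    # 3. Global count high 6 / low 4: total is capped and shedding stays on until below low
    fw = HalfOpenTracker(max_incomplete_high=6, max_incomplete_low=4, tcp_max_incomplete=100)
    for i in range(1, 9):
        fw.new_attempt("203.0.113.1", f"10.0.0.{i}", now=i)
    cap = (len(fw.sessions), fw.count_shedding)
    for i in range(3, 6):                                     # three sessions complete
        fw.established("203.0.113.1", f"10.0.0.{i}")
    fw.new_attempt("203.0.113.1", "10.0.0.9", now=9)
    out["global"] = (cap, len(fw.sessions), fw.count_shedding)
    # 4. One-minute rate high 5 / low 2, measured at each minute boundary
    fw = HalfOpenTracker(one_minute_high=5, one_minute_low=2, tcp_max_incomplete=100)
    for i in range(6):
        fw.new_attempt("203.0.113.2", f"10.0.1.{i}", now=i)
    rate1 = fw.tick_minute()
    fw.new_attempt("203.0.113.2", "10.0.1.9", now=70)         # sheds one while rate-limited
    rate2 = fw.tick_minute()
    out["rate"] = (rate1, fw.deleted, rate2, fw.rate_shedding)
    return out


if __name__ == "__main__":
    for name, obs in run_demo().items():
        print(name, obs)
```

Scenario 3 shows why the low threshold matters: with one eviction per new request the total only holds at the high mark, and shedding switches off only once enough sessions complete (or age out) to bring the count below max-incomplete low, which is the hysteresis the text describes.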
11.10.3  Configuring Firewall Thresholds 
The P-660HWP-Dx also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.
Click Firewall, and then Threshold, to bring up the next screen.