Nortel Networks BCM50a Network Router User Manual


 
182 Chapter 11 Firewall screens
N0115790
Configuring attack alert
Attack alerts are the first defense against DoS attacks. In the Attack Alert screen
(Figure 60) you can choose to generate an alert whenever an attack is detected.
For DoS attacks, the BCM50a Integrated Router uses thresholds to determine
when to drop sessions that do not become fully established. These thresholds
apply globally to all sessions.
You can use the default threshold values, or you can change them to values more
suitable to your security requirements.
Threshold values
Tune these parameters when something is not working and after you have checked
the firewall counters. These default values work fine for normal, small offices
with ADSL bandwidth. Factors influencing choices for threshold values are:
The maximum number of opened sessions
The minimum capacity of server backlog in your LAN network
The CPU power of servers in your LAN network
Network bandwidth
Type of traffic for certain servers
If your network is slower than average for any of these factors (especially if you
have servers that are slow or handle many tasks and are often busy), then the
default values must be reduced.
You must make any changes to the threshold values before you continue
configuring firewall rules.
Half-open sessions
An unusually high number of half-open sessions (either an absolute number or
measured as the arrival rate) indicates that a Denial of Service attack is occurring.
For TCP, half-open means that the session has not reached the established state,
and the TCP three-way handshake has not yet been completed (see Figure 45). For
UDP, half-open means that the firewall has detected no return traffic.
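The two kinds of threshold described above (an absolute count of half-open sessions and their arrival rate) can be illustrated with a small session monitor. The following is an added example written for this page, not code from the BCM50a firmware: it tracks TCP sessions from SYN until the handshake-completing ACK and UDP sessions until return traffic is seen, and raises an alert when either limit is exceeded. The threshold values, the 60-second rate window, the event format and the traffic sample are all constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example, not Nortel's implementation. Event format (assumed):
#   (timestamp_sec, proto, src, dst, kind)
#   TCP kinds: "SYN" (client->server), "SYNACK" (server->client), "ACK" (completes handshake)
#   UDP kinds: "OUT" (LAN host sends), "IN" (return traffic arrives)


@dataclass
class HalfOpenMonitor:
    max_halfopen: int = 100         # absolute threshold (assumed value)
    max_rate_per_window: int = 50   # arrival-rate threshold per window (assumed value)
    window_sec: int = 60            # arrival-rate window (assumed value)
    halfopen: dict = field(default_factory=dict)     # (proto, client, server) -> first-seen ts
    arrivals: deque = field(default_factory=deque)   # timestamps of newly opened half-open sessions
    alerts: list = field(default_factory=list)

    def count(self) -> int:
        """Absolute number of sessions that have not become established."""
        return len(self.halfopen)

    def rate(self, now: float) -> int:
        """Number of new half-open sessions seen within the trailing window."""
        while self.arrivals and now - self.arrivals[0] > self.window_sec:
            self.arrivals.popleft()
        return len(self.arrivals)

    def _open(self, ts: float, key: tuple) -> None:
        """Register a new half-open session and check both thresholds."""
        if key in self.halfopen:
            return                       # retransmission of an already-tracked session
        self.halfopen[key] = ts
        self.arrivals.append(ts)
        if self.count() > self.max_halfopen:
            self.alerts.append(
                f"half-open count {self.count()} exceeds {self.max_halfopen} at t={ts}")
        if self.rate(ts) > self.max_rate_per_window:
            self.alerts.append(
                f"half-open rate {self.rate(ts)}/{self.window_sec}s exceeds "
                f"{self.max_rate_per_window} at t={ts}")

    def observe(self, ts: float, proto: str, src: str, dst: str, kind: str) -> None:
        """Feed one packet summary to the monitor."""
        if proto == "TCP":
            if kind == "SYN":                          # client starts the three-way handshake
                self._open(ts, ("TCP", src, dst))
            elif kind == "ACK":                        # third packet: session is established
                self.halfopen.pop(("TCP", src, dst), None)
            # a SYNACK from the server leaves the session half-open
        elif proto == "UDP":
            if kind == "OUT":                          # outbound packet, no reply seen yet
                self._open(ts, ("UDP", src, dst))
            elif kind == "IN":                         # return traffic: no longer half-open
                self.halfopen.pop(("UDP", dst, src), None)


def run_sample() -> HalfOpenMonitor:
    """Constructed traffic: one normal TCP and UDP exchange, then SYNs that never complete."""
    # Deliberately low thresholds so the constructed sample trips them.
    m = HalfOpenMonitor(max_halfopen=3, max_rate_per_window=5, window_sec=60)
    events = [
        (0, "TCP", "192.0.2.10", "192.0.2.20", "SYN"),
        (1, "TCP", "192.0.2.20", "192.0.2.10", "SYNACK"),
        (2, "TCP", "192.0.2.10", "192.0.2.20", "ACK"),      # established, removed
        (3, "UDP", "192.0.2.11", "192.0.2.1", "OUT"),
        (4, "UDP", "192.0.2.1", "192.0.2.11", "IN"),        # return traffic, removed
        (10, "TCP", "198.51.100.1", "192.0.2.20", "SYN"),   # handshakes below never finish
        (11, "TCP", "198.51.100.2", "192.0.2.20", "SYN"),
        (12, "TCP", "198.51.100.3", "192.0.2.20", "SYN"),
        (13, "TCP", "198.51.100.4", "192.0.2.20", "SYN"),   # both thresholds exceeded here
    ]
    for ev in events:
        m.observe(*ev)
    return m


if __name__ == "__main__":
    mon = run_sample()
    print("half-open sessions:", mon.count())
    for a in mon.alerts:
        print("ALERT:", a)
```

The count threshold reacts to sessions that accumulate without finishing, while the rate threshold reacts to a burst of new half-open sessions even when older ones have been cleaned up; a busy or slow server raises the normal baseline for both, which is why the manual advises lowering the defaults for such hosts rather than raising them.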