2 half-open sessions – ZyXEL Communications ZYWALL10 User Manual

ZyWALL 10 Internet Security Gateway

15-8

Introducing the ZyWALL Web Configurator

5. Type of traffic for certain servers.
If your network is slower than average for any of these factors (especially if you have servers that are slow or
handle many tasks and are often busy), then the default values should be reduced.
You should make any changes to the threshold values before you continue configuring firewall rules.

15.4.2 Half-Open Sessions

An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate)
could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has
not reached the established state-the TCP three-way handshake has not yet been completed (see Figure 13-2).
For UDP, "half-open" means that the firewall has detected no return traffic.
The ZyWALL measures both the total number of existing half-open sessions and the rate of session
establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate
measurements. Measurements are made once a minute.
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the
ZyWALL starts deleting half-open sessions as required to accommodate new connection requests. The
ZyWALL continues to delete half-open requests as necessary, until the number of existing half-open sessions
drops below another threshold (max-incomplete low).
When the rate of new connection attempts rises above a threshold (one-minute high), the ZyWALL starts
deleting half-open sessions as required to accommodate new connection requests. The ZyWALL continues to
delete half-open sessions as necessary, until the rate of new connection attempts drops below another
threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample
period.

TCP Maximum Incomplete and Blocking Time

An unusually high number of half-open sessions with the same destination host address could indicate that a
Denial of Service attack is being launched against the host.
Whenever the number of half-open sessions with the same destination host address rises above a threshold
(TCP Maximum Incomplete), the ZyWALL starts deleting half-open sessions according to one of the
following methods:
1. If the Blocking Time timeout is 0 (the default), then the ZyWALL deletes the oldest existing half-open

session for the host for every new connection request to the host. This ensures that the number of half-
open sessions to a given host will never exceed the threshold.

2. If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new connection requests to

the host giving the server time to handle the present connections. The ZyWALL continues to block all
new connection requests until the Blocking Time expires.

The ZyWALL also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values
specified for the threshold and timeout apply to all TCP connections. Click on the Attack Alert tab to bring
up the next screen.