Threshold-based filtering – Zilog EZ80F91GA User Manual

UM024502-1012    ZGATE Embedded Security Development Kit User Manual    25

Threshold-Based Filtering

Threshold-based filtering functions by keeping statistics about the packets that are
received and by monitoring for threshold crossings. When a threshold crossing is detected,
ZGATE begins blocking packets. ZGATE extracts a source IP address from each packet
and performs threshold-based filtering using this key.

Threshold-based filtering protects against packet floods such as Denial of Service (DoS)
attacks, broadcast packet storms, or any other condition that causes a flood of network
traffic that can overwhelm a networked device. The filtering key, the high water and low
water thresholds, and the interval length are all configurable. If the number of packets
received for a given filter key during an interval exceeds the high water threshold, ZGATE
will begin dropping packets.

The threshold-based filtering algorithm is a proprietary burst management algorithm that
uses statistical information to determine when to enable and disable filtering. A few
characteristics of the burst management algorithm are listed below. For these examples,
assume that the interval length is 60 seconds and that the high water threshold is 1000. The
source IP is the filtering key.

• The algorithm is not completely deterministic and may enable filtering before the
  exact number of packets is reached. Filtering could be enabled after a single IP
  address has sent anywhere from 750 to 1000 packets.

• Filtering will always be enabled at between 75% and 100% of the high water
  threshold value.

• The algorithm enables filtering based on the threshold crossing (packet count) at any
  time during the interval. Filtering could be enabled during the first second of the
  interval or the 60th second.

• Filtering is disabled when the packet count remains below the low water threshold for
  an entire interval.

Disabling packet filtering due to threshold crossings only occurs when packets are
received at a rate lower than the low water threshold for the entire interval. Therefore, if
ZGATE threshold filtering is engaged for a particular IP address and the IP address stops
sending packets altogether, the threshold filter will not be disengaged. Only when a
packet is received will ZGATE determine if filtering should be disengaged (assuming
enough time has passed) and print a message to the log file (if logging is enabled).

If IP address W.X.Y.Z floods the ZTP device with packets such that threshold filtering is
enabled, a line will be printed to the log file (if enabled), indicating that filtering is enabled
for this IP address. If this IP stops sending packets completely, no message will appear in
the log file to indicate that filtering has been disabled. Only when another packet is
received (and enough time has passed) will a message appear in the log file (if enabled),
indicating that filtering has been disabled.
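The engage-and-release behaviour described above, as a simulation added here for illustration (this is not ZGATE's own code; the class and function names, counting dropped packets toward the interval statistics, fixed interval boundaries, and engaging exactly at the high water threshold rather than somewhere between 75% and 100% of it are all assumptions):

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class KeyState:
    interval_start: float    # start time of the current interval for this key
    count: int = 0           # packets seen from this key in the current interval
    filtering: bool = False  # True while packets from this key are dropped


class ThresholdFilter:
    """Per-key burst filter: engage when an interval's count exceeds high water,
    release only after a full interval below low water, and evaluate the release
    only when a packet from that key actually arrives (as the manual describes)."""

    def __init__(self, interval_s: float, high_water: int, low_water: int):
        self.interval_s, self.high_water, self.low_water = interval_s, high_water, low_water
        self.states: Dict[str, KeyState] = {}
        self.log: List[str] = []  # stands in for the ZGATE log file

    def packet(self, key: str, now: float) -> bool:
        """Account for one packet from `key` at time `now`; True = pass, False = drop."""
        st = self.states.setdefault(key, KeyState(interval_start=now))
        done = int((now - st.interval_start) // self.interval_s)  # completed intervals
        if done >= 1:
            # The interval that just closed is judged by its own count; any further
            # intervals with no packets at all are trivially below low water.
            quiet = st.count < self.low_water or done >= 2
            if st.filtering and quiet:
                st.filtering = False
                self.log.append(f"t={now:.0f}: filtering disabled for {key}")
            st.count = 0
            st.interval_start += done * self.interval_s  # assumption: fixed boundaries
        st.count += 1  # assumption: dropped packets are still counted
        # Assumption: engage exactly at the threshold; the real algorithm may engage
        # anywhere between 75% and 100% of high_water.
        if not st.filtering and st.count > self.high_water:
            st.filtering = True
            self.log.append(f"t={now:.0f}: filtering enabled for {key}")
        return not st.filtering


def flood_then_silence(n_flood: int = 1001, quiet_until: float = 200.0) -> Tuple[int, bool, List[str]]:
    """Constructed scenario: W.X.Y.Z floods within the first interval, goes silent,
    then sends one packet. Returns (flood packets passed, late packet passed, log)."""
    f = ThresholdFilter(interval_s=60, high_water=1000, low_water=100)
    passed = sum(f.packet("W.X.Y.Z", now=i * 0.01) for i in range(n_flood))
    resumed = f.packet("W.X.Y.Z", now=quiet_until)
    return passed, resumed, f.log
```

While the source is silent the log holds only the "enabled" line; the "disabled" line is written only when the next packet arrives after a full quiet interval.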
