Product specifications
Efficient Networks® Router family
Technical Reference Guide
Chapter 5: System Security
Page 5-43
The firewall shall, by default, drop any packet that is not explicitly accepted by the
firewall rules, and allow only the services that are explicitly enabled by the security
policy. In addition, the firewall will log all the DoS attacks it detects. The following
sections provide an overview of this protection.
SYN Attack
A SYN attack occurs when a connecting host continuously sends TCP SYN requests
without ever completing the handshake with the corresponding ACK. This flood attack disables a host by
sending a stream of SYN packets with a spoofed source IP address. This causes the
host to send a SYN/ACK in response to a host that may not exist, or at the very least,
will not respond. The host under attack continues to consume resources while it is
responding to these bogus connection attempts until no resources remain. At
this point, valid connection attempts are refused because the host no longer has the
ability to respond.
To defend against this type of attack, the router maintains a counter that tracks the
number of connection attempts. This counter is maintained per destination
address. If the count exceeds a threshold (e.g. 200 per second), the router
drops any further attempt to connect to that address. Connections are re-enabled once the number of attempts per
second falls back to an acceptable level.
The threshold value is defined in packets per second. To set the threshold value
through the WMI, refer to the Stateful Firewall Configuration Page on page 8-60, or
enter the following command:
firewall setsynfloodthreshold <number>
ICMP Flood Attack
An ICMP flood attack occurs when ICMP pings are broadcast at a rate that floods
the system with so much data that it slows to the point where connections time out
and are disconnected.
By default, the stateful firewall will filter all incoming ICMP messages, thus, a flood of
ICMP echo requests (pings) will be dropped. Should the system administrator enable
echo request messages, the router would become vulnerable to this type of attack.
Therefore, the firewall maintains a counter for the incoming ICMP echo request
packets received per second. When this value exceeds the threshold setting, the
firewall drops all subsequent ICMP echo requests. As with the SYN flood attack,
once the rate of echo requests has returned to normal, the router re-enables
receipt of these packets.
The threshold value is defined in packets per second. To set the threshold value
through the WMI, refer to the Stateful Firewall Configuration Page on page 8-60, or
enter the following command:
firewall seticmpfloodthreshold <number>
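The following is an added example that models the per-second threshold logic described in both the SYN attack and ICMP flood attack sections above; it is not code from the Efficient Networks router or this guide, and the actual firmware implementation is not documented here. It assumes the behaviour as stated: a SYN counter kept per destination address, an ICMP echo request counter kept router-wide, packets dropped once the count within a one-second window exceeds the threshold, traffic admitted again in the next window once the rate has fallen, and a log entry written when a flood is detected. The packet stream, addresses (RFC 5737 documentation range) and thresholds are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float   # arrival time in seconds (constructed timestamps)
    src: str    # source address (spoofed in a flood, so it is never used for counting)
    dst: str    # destination address
    kind: str   # "syn", "icmp_echo" or "other"


class FloodGuard:
    """Per-second packet counters modelling the guide's flood thresholds.

    Assumption from the text: SYN attempts are counted per destination address;
    ICMP echo requests are counted for the router as a whole (keyed as "*").
    A packet is dropped when the count in its one-second window exceeds the
    threshold; a new window starts with a fresh count, which is how traffic is
    re-enabled once the rate falls back to normal.
    """

    def __init__(self, syn_threshold: int, icmp_threshold: int):
        # threshold value and whether the counter is keyed per destination
        self.policy = {
            "syn": (syn_threshold, True),
            "icmp_echo": (icmp_threshold, False),
        }
        self.counts = defaultdict(int)   # (kind, key, second) -> packets seen
        self.log = []                    # one entry per detected flood window

    def admit(self, pkt: Packet) -> bool:
        """Return True if the packet passes the flood check, False if dropped."""
        if pkt.kind not in self.policy:
            return True                  # not a flood-tracked type; ordinary rules apply
        threshold, per_dst = self.policy[pkt.kind]
        key = (pkt.kind, pkt.dst if per_dst else "*", int(pkt.ts))
        self.counts[key] += 1
        if self.counts[key] > threshold:
            if self.counts[key] == threshold + 1:   # log once per window, not per packet
                target = pkt.dst if per_dst else "any destination"
                self.log.append(
                    f"t={int(pkt.ts)}s {pkt.kind} flood toward {target}: "
                    f"threshold {threshold}/s exceeded, dropping further packets"
                )
            return False
        return True


def simulate(packets, syn_threshold: int = 200, icmp_threshold: int = 100) -> dict:
    """Run a packet stream through the guard; returns counts and the flood log."""
    guard = FloodGuard(syn_threshold, icmp_threshold)
    accepted = dropped = 0
    for pkt in sorted(packets, key=lambda p: p.ts):
        if guard.admit(pkt):
            accepted += 1
        else:
            dropped += 1
    return {"accepted": accepted, "dropped": dropped, "log": guard.log}


def build_sample_traffic() -> list:
    """Constructed traffic: a spoofed SYN flood, a quiet neighbour, recovery, an ICMP flood."""
    pkts = []
    # second 0: 300 SYNs toward 192.0.2.10 from 300 different spoofed sources
    pkts += [Packet(0.001 * i, f"198.51.100.{i % 250}", "192.0.2.10", "syn") for i in range(300)]
    # second 0: 5 legitimate SYNs toward another host, unaffected by the flood
    pkts += [Packet(0.5 + 0.01 * i, "203.0.113.5", "192.0.2.20", "syn") for i in range(5)]
    # second 1: rate toward 192.0.2.10 is back to normal, so these are admitted again
    pkts += [Packet(1.2 + 0.01 * i, "203.0.113.9", "192.0.2.10", "syn") for i in range(5)]
    # second 2: 150 ICMP echo requests against a 100/s threshold
    pkts += [Packet(2.0 + 0.001 * i, "198.51.100.7", "192.0.2.10", "icmp_echo") for i in range(150)]
    return pkts


if __name__ == "__main__":
    result = simulate(build_sample_traffic())
    print(f"accepted={result['accepted']} dropped={result['dropped']}")
    for line in result["log"]:
        print(line)
```

With the constructed stream and the defaults of 200 SYN/s and 100 echo requests/s, the first 200 SYNs toward 192.0.2.10 pass and the remaining 100 are dropped, the 5 SYNs toward 192.0.2.20 are unaffected because the counter is per destination, the 5 SYNs in the following second are admitted again, and 50 of the 150 echo requests are dropped; the log carries one entry per flood, matching the guide's statement that detected DoS attacks are logged.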