Billion 810VGTX Router
For instructions on how to configure the HTTP in Virtual Server, please refer to
the Add Virtual Server sub-section under the Virtual Server section.
The new port filter rule for HTTP is shown below:
1. Configure your Virtual Server (“port forwarding”) settings so that incoming HTTP requests on port 80 will be forwarded to the PC running your web server:
Intrusion Detection
The router's Intrusion Detection System (IDS) is used to detect hacker attacks and intrusion attempts from the Internet.
If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are
detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.
Blacklist:
If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist.
Any further attempts to use this IP address will be blocked for the time period specified in the Block Duration. The default
setting for this function is false (disabled). Some types of attacks are denied immediately without using the Blacklist
function, such as Land attack and Echo/CharGen scan.
Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is ‘Disable’.
Block Duration:
Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default value is 600 seconds.
Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible Scan attack. Scan attack types include X’mas scan, IMAP SYN/FIN scan and similar attempts. Default value is 86400 seconds.
DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible Denial of Service (DoS) attack. Possible DoS attacks that are blocked include Ascend Kill and WinNuke. Default value is 1800 seconds.
Max TCP Open Handshaking Count: This is a threshold value to decide whether a SYN Flood attempt is occurring or not. Default value is 100 TCP SYN per second.
Max PING Count: This is a threshold value to decide whether an ICMP Echo Storm is occurring or not. Default value is 15 ICMP Echo Requests (PINGS) per second.
Max ICMP Count: This is a threshold to decide whether an ICMP flood is occurring or not. Default value is 100 ICMP packets per second except ICMP Echo Requests (PING).
For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will just warn the user in the Event Log. It cannot protect against
such attacks.
Table 2: Hacker attack types recognized by the IDS
| Intrusion Name | Detect Parameter | Blacklist | Type of Block Duration | Drop Packet | Show Log |
|---|---|---|---|---|---|
| Ascend Kill | Ascend Kill data | Src IP | DoS | Yes | Yes |
| WinNuke | TCP Port 135, 137~139, Flag: URG | Src IP | DoS | Yes | Yes |
| Smurf | ICMP type 8, Des IP is broadcast | Dst IP | Victim Protection | Yes | Yes |
| Land attack | SrcIP = DstIP | | | Yes | Yes |
| Echo/CharGen Scan | UDP Echo Port and CharGen Port | | | Yes | Yes |
| Echo Scan | UDP Dst Port = Echo(7) | Src IP | Scan | Yes | Yes |
| CharGen Scan | UDP Dst Port = CharGen(19) | Src IP | Scan | Yes | Yes |
| X’mas Tree Scan | TCP Flag: X’mas | Src IP | Scan | Yes | Yes |
| IMAP SYN/FIN Scan | TCP Flag: SYN/FIN, DstPort: IMAP(143), SrcPort: 0 or 65535 | Src IP | Scan | Yes | Yes |
| SYN/FIN/RST/ACK Scan | TCP, No Existing session And Scan Hosts more than five. | Src IP | Scan | Yes | Yes |
| Net Bus Scan | TCP, No Existing session, DstPort = Net Bus 12345,12346, 3456 | SrcIP | Scan | Yes | Yes |
| Back Orifice Scan | UDP, DstPort = Orifice Port (31337) | SrcIP | Scan | Yes | Yes |
| SYN Flood | Max TCP Open Handshaking Count (Default 100 c/sec) | | | | Yes |
| ICMP Flood | Max ICMP Count (Default 100 c/sec) | | | | Yes |
| ICMP Echo | Max PING Count (Default 15 c/sec) | | | | Yes |
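The stateless rows of Table 2 and the Blacklist behaviour can be modelled as below; this is an added example, not code from the manual or the router's firmware. The LAN subnet, the X’mas flag set (FIN+PSH+URG), the rule order and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

DURATION = {"DoS": 1800, "Scan": 86400, "Victim Protection": 600}  # page defaults (s)
LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN (assumption)
XMAS = {"FIN", "PSH", "URG"}                  # usual X'mas flag set (assumption)

def classify(p):
    """Match one packet against the stateless rows of Table 2.
    Returns (name, address to blacklist or None, block seconds or None)."""
    flags = set(p.get("flags", ()))
    if p["src"] == p["dst"]:
        return ("Land attack", None, None)    # dropped, never blacklisted
    if (p["proto"] == "icmp" and p.get("type") == 8
            and ipaddress.ip_address(p["dst"]) == LAN.broadcast_address):
        return ("Smurf", p["dst"], DURATION["Victim Protection"])
    if p["proto"] == "tcp":
        if p["dport"] in (135, 137, 138, 139) and "URG" in flags:
            return ("WinNuke", p["src"], DURATION["DoS"])
        if flags == {"SYN", "FIN"} and p["dport"] == 143 and p["sport"] in (0, 65535):
            return ("IMAP SYN/FIN Scan", p["src"], DURATION["Scan"])
        if flags == XMAS:
            return ("X'mas Tree Scan", p["src"], DURATION["Scan"])
    if p["proto"] == "udp":
        name = {7: "Echo Scan", 19: "CharGen Scan", 31337: "Back Orifice Scan"}.get(p["dport"])
        if name:
            return (name, p["src"], DURATION["Scan"])
    return None

def run(packets):
    """Replay (time, packet) pairs with the Blacklist enabled; return verdicts."""
    blocked_until, verdicts = {}, []
    for t, p in packets:
        if any(blocked_until.get(a, 0) > t for a in (p["src"], p["dst"])):
            verdicts.append("blocked: blacklist")
            continue
        hit = classify(p)
        if hit and hit[1] is not None:
            blocked_until[hit[1]] = t + hit[2]   # start the block duration
        verdicts.append("drop: " + hit[0] if hit else "pass")
    return verdicts

# Constructed sample traffic: (seconds since start, packet fields).
WEB = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.10",
       "sport": 4001, "dport": 80, "flags": ["SYN"]}
SAMPLE = [
    (0, dict(WEB, dport=139, flags=["URG"])),   # WinNuke signature
    (60, WEB),                                   # same source, inside 1800 s
    (1801, WEB),                                 # DoS block has expired
    (1900, {"proto": "udp", "src": "198.51.100.7", "dst": "192.168.1.10",
            "sport": 5000, "dport": 19}),        # CharGen Scan
    (2000, dict(WEB, src="192.168.1.10")),      # SrcIP = DstIP
]
```

The rows that need session state or rate counters (SYN/FIN/RST/ACK Scan, Net Bus Scan and the three flood thresholds) are left out of this model.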
URL Filter
The URL (Uniform Resource Locator, e.g. an address in the form of http://www.abcde.com or http://www.example.com)
filter rule allows you to prevent users on your network from accessing specific websites defined by their URL. There are
no predefined URL filter rules, so you can add filter rules to meet your requirements.
Enable/Disable: Select to enable or disable the URL Filter feature.
Block Mode: A list of the modes that you can choose from to check the URL filter rules. The default is set to Always On.
Disabled: No action will be performed by the Block Mode.
Always On: Action is enabled. URL filter rules will be monitored and checked at all hours of the day.
TimeSlot1 ~ TimeSlot16: A self-defined time period. You may specify the time period in which to check the URL filter rules, e.g. during working hours. For setup and details, refer to the Time Schedule section.
Keywords Filtering: Allows blocking of specific keywords within a particular URL rather than having to specify a
complete URL (e.g. to block any image called “advertisement.gif”). When enabled, your specified keywords list will be
checked to see if any keywords are present in the URLs accessed, to determine if the connection attempt should be blocked.
Please note that the URL filter blocks web browser (HTTP) connection attempts using port 80 only.
For example, if the URL is
, the connection will be dropped if the keyword
“abcde” occurs in the URL.
Domains Filtering: This function checks the whole URL address, but not the IP address, against your list of domains
to block or allow. If it is matched, the URL request will either be sent (Trusted) or dropped (Forbidden). For this function
to be activated, both the enable and disable checkboxes of Domain Filtering must be checked. Here is the checking
procedure:
1. Check the domain in the URL to determine if it is in the trusted list. If yes, the connection attempt is sent to the remote web server.
2. If not, check if it is listed in the forbidden list. If yes, then the connection attempt will be dropped.
3. If the packet does not match either of the above two conditions, it is sent to the remote web server.
4. Please note that the complete URL, “www” + domain name, should be specific. For example, in order to block traffic to www.google.com.au, enter “www.google” or “www.google.com”.
In the example below, the URL request for www.abc.com will be sent to the remote web server because it is listed in
the trusted list, whilst the URL request for www.google or www.google.com will be dropped, because www.google is
in the forbidden list.
Example:
Andy wishes to disable all WEB traffic except for domains listed under the trusted domains, which would prevent Bobby
from accessing other websites. Andy selects both conditions in Domain Filtering thinking that this will stop Bobby. Bobby
knows the Domain Filtering function; it ONLY disables all WEB traffic to Trusted Domains, BUT not its IP address. If
this is the situation, the Block surfing by IP address function can be helpful. Now, Andy can successfully prevent Bobby
from accessing other websites.
Restrict URL Features: This function enhances the restrictions to your URL rules.
Block Java Applet: This function can block Web content that includes Java Applets. It prevents someone from
damaging your system via standard HTTP protocol.
Block surfing by IP address: A further restriction against someone who uses IP addresses as a URL to cheat
the Domains Filtering rule. Only activates if Domain Filtering is enabled.
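The Domains Filtering checking procedure, together with the port 80 limit and the Block surfing by IP address option, can be modelled as below to audit what a given rule set forwards. This is an added example, not code from the manual or the router; the prefix matching, the option names and the sample URLs are assumptions, and the two lists come from the page's example.

```python
import ipaddress
from urllib.parse import urlsplit

TRUSTED = ["www.abc.com"]    # trusted list from the page's example
FORBIDDEN = ["www.google"]   # forbidden list from the page's example

def is_ip_literal(host):
    """True when the URL's host part is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(url, domain_filtering=True, block_ip=False):
    """Verdict for one request, following steps 1 to 3 of the procedure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The URL filter only looks at HTTP connection attempts on port 80.
    if parts.scheme != "http" or (parts.port or 80) != 80:
        return "forward (not inspected)"
    if not domain_filtering:
        return "forward"
    # Block surfing by IP address only acts while Domain Filtering is on.
    if block_ip and is_ip_literal(host):
        return "drop (IP address)"
    # Prefix matching is an assumption based on "www.google" covering
    # www.google.com.au in the manual's note.
    if any(host.startswith(d) for d in TRUSTED):
        return "forward (trusted)"
    if any(host.startswith(d) for d in FORBIDDEN):
        return "drop (forbidden)"
    return "forward (no match)"   # step 3: unlisted domains still pass

def audit(urls, **options):
    """Map each URL to its verdict under the given options."""
    return {u: decide(u, **options) for u in urls}

# Constructed sample requests.
URLS = [
    "http://www.abc.com/index.html",
    "http://www.google.com.au/",
    "http://www.example.org/",
    "http://203.0.113.5/",
    "http://www.google.com:8080/",
]
```

Running `audit(URLS)` and `audit(URLS, block_ip=True)` side by side shows which requests the lists alone leave untouched: unlisted domains, IP-literal URLs and anything not on port 80.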
