Billion BiPAC 7402NX(L) 802.11n 3G/ADSL2+ (VPN) Firewall Router
Chapter 4: Configuration
Intrusion Detection

The router’s Intrusion Detection System (IDS) is used to detect hacker attacks and intrusion attempts from the Internet. If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.

Blacklist: If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist. Any further attempts using this IP address will be blocked for the time period specified as the Block Duration. The default setting for this function is false (disabled). Some attack types are denied immediately without using the Blacklist function, such as Land attack and Echo/CharGen scan.

Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is false.

Block Duration:

Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default value is 600 seconds.

Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible Scan attack. Scan attack types include X’mas scan, IMAP SYN/FIN scan and similar attempts. Default value is 86400 seconds.

DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible Denial of Service (DoS) attack. Possible DoS attacks that this attempts to block include Ascend Kill and WinNuke. Default value is 1800 seconds.

Max TCP Open Handshaking Count: This is a threshold value to decide whether a SYN Flood attempt is occurring or not. Default value is 100 TCP SYN per second.

Max PING Count: This is a threshold value to decide whether an ICMP Echo Storm is occurring or not. Default value is 15 ICMP Echo Requests (PING) per second.

Max ICMP Count: This is a threshold to decide whether an ICMP flood is occurring or not. Default value is 100 ICMP packets per second, excluding ICMP Echo Requests (PING).

Clear Blacklist: Clear the current blacklist.

Blacklist: Show the blacklist information.

For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will just warn the user in the Event Log. It cannot protect against such attacks.
Table 2: Hacker attack types recognized by the IDS

| Intrusion Name | Detect Parameter | Blacklist | Type of Block Duration | Drop Packet | Show Log |
|---|---|---|---|---|---|
| Ascend Kill | Ascend Kill data | Src IP | DoS | Yes | Yes |
| WinNuke | TCP Port 135, 137~139, Flag: URG | Src IP | DoS | Yes | Yes |
| Smurf | ICMP type 8, Dst IP is broadcast | Dst IP | Victim Protection | Yes | Yes |
| Land attack | SrcIP = DstIP | | | Yes | Yes |
| Echo/CharGen Scan | UDP Echo Port and CharGen Port | | | Yes | Yes |
| Echo Scan | UDP Dst Port = Echo(7) | Src IP | Scan | Yes | Yes |
| CharGen Scan | UDP Dst Port = CharGen(19) | Src IP | Scan | Yes | Yes |
| X’mas Tree Scan | TCP Flag: X’mas | Src IP | Scan | Yes | Yes |
| IMAP SYN/FIN Scan | TCP Flag: SYN/FIN, DstPort: IMAP(143), SrcPort: 0 or 65535 | Src IP | Scan | Yes | Yes |
| SYN/FIN/RST/ACK Scan | TCP, No Existing session And Scan Hosts more than five. | Src IP | Scan | Yes | Yes |
| Net Bus Scan | TCP, No Existing session, DstPort = Net Bus 12345,12346, 3456 | SrcIP | Scan | Yes | Yes |
| Back Orifice Scan | UDP, DstPort = Orifice Port (31337) | SrcIP | Scan | Yes | Yes |
| SYN Flood | Max TCP Open Handshaking Count (Default 100 c/sec) | | | | Yes |
| ICMP Flood | Max ICMP Count (Default 100 c/sec) | | | | Yes |
| ICMP Echo | Max PING Count (Default 15 c/sec) | | | | Yes |

Src IP: Source IP
Src Port: Source Port
Dst Port: Destination Port
Dst IP: Destination IP
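
The stateless signatures of Table 2 together with the Blacklist timing, modeled as an added Python example (not code from the manual or the router's firmware). The packet dictionaries, the order of the checks and the FIN+PSH+URG reading of "X'mas" are assumptions; the session-based and rate-based rows are left out.

```python
BLOCK_SECONDS = {"DoS": 1800, "Scan": 86400, "Victim Protection": 600}  # manual defaults

def tcp(p, *flags):
    return p["proto"] == "tcp" and set(flags) <= p["flags"]

def udp_to(p, port):
    return p["proto"] == "udp" and p["dport"] == port

# (name, blacklist key, block type, predicate), checked in this order (assumed).
# Assumption: "X'mas" means FIN+PSH+URG all set, the conventional definition.
SIGNATURES = [
    ("Land attack", None, None, lambda p: p["src"] == p["dst"]),
    ("Smurf", "dst", "Victim Protection", lambda p: p["proto"] == "icmp"
        and p.get("icmp_type") == 8 and p.get("dst_broadcast", False)),
    ("WinNuke", "src", "DoS",
        lambda p: tcp(p, "URG") and p["dport"] in (135, 137, 138, 139)),
    ("X'mas Tree Scan", "src", "Scan", lambda p: tcp(p, "FIN", "PSH", "URG")),
    ("IMAP SYN/FIN Scan", "src", "Scan", lambda p: tcp(p, "SYN", "FIN")
        and p["dport"] == 143 and p["sport"] in (0, 65535)),
    ("Back Orifice Scan", "src", "Scan", lambda p: udp_to(p, 31337)),
    ("Echo Scan", "src", "Scan", lambda p: udp_to(p, 7)),
    ("CharGen Scan", "src", "Scan", lambda p: udp_to(p, 19)),
]

def process(pkt, now, blacklist):
    """Return the action for one inbound packet; blacklist maps IP -> expiry."""
    if blacklist.get(pkt["src"], 0) > now or blacklist.get(pkt["dst"], 0) > now:
        return "drop: blacklisted"
    for name, key, block, match in SIGNATURES:
        if match(pkt):
            if key:  # Land attack is dropped without a blacklist entry
                blacklist[pkt[key]] = now + BLOCK_SECONDS[block]
            return "drop: " + name
    return "forward"

def packet(src, dst, proto, sport=0, dport=0, flags=(), **extra):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                flags=set(flags), **extra)

def demo():
    """Constructed packets (documentation addresses); returns (actions, blacklist)."""
    bl, victim = {}, "203.0.113.1"
    steps = [
        (0, packet("198.51.100.7", victim, "tcp", 40000, 139, ["URG"])),
        (5, packet(victim, victim, "tcp", 1, 80, ["SYN"])),
        (1799, packet("198.51.100.7", victim, "tcp", 40001, 80, ["SYN"])),
        (1800, packet("198.51.100.7", victim, "tcp", 40001, 80, ["SYN"])),
    ]
    return [process(p, t, bl) for t, p in steps], bl
```

With the default DoS duration, the WinNuke source stays blocked for ordinary traffic until second 1800, after which the same packet is forwarded again.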
URL Filter

URL (Uniform Resource Locator – e.g. an address in the form of or ) filter rules allow you to prevent users on your network from accessing particular websites by their URL. There are no pre-defined URL filter rules; you can add filter rules to meet your requirements.

Enable/Disable: To enable or disable the URL Filter feature.

Block Mode: It can support up to 4 timeslots.

Disabled: No action will be performed by the Block Mode.

Always On: Action is enabled. URL filter rules are monitored and checked at all hours of the day.

TimeSlot1 ~ TimeSlot16: A self-defined time period. You may specify the time period during which the URL filter rules are checked, e.g. during working hours. For setup and details, refer to the Time Schedule section.

Keywords Filtering: Allows blocking by specific keywords within a particular URL rather than having to specify a complete URL (e.g. to block any image called “advertisement.gif”). When enabled, your specified keywords list will be checked to see if any keywords are present in URLs accessed to determine if the connection attempt should be blocked. Please note that the URL filter blocks web browser (HTTP) connection attempts using port 80 only.

For example, if the URL is , it will be dropped as the keyword “abcde” occurs in the URL.
Domains Filtering: This function checks the whole URL, not the IP address, in URLs accessed against your list of domains to block or allow. If it is matched, the URL request will be sent (Trusted) or dropped (Forbidden). For this function to be activated, both check-boxes must be checked. Here is the checking procedure:

1. Check the domain in the URL to determine if it is in the trusted list. If yes, the connection attempt is sent to the remote web server.
2. If not, check if it is listed in the forbidden list. If yes, then the connection attempt will be dropped.
3. If the packet does not match either of the above two items, it is sent to the remote web server.
4. Please note that the complete URL, “www” + domain name, shall be specified. For example, to block traffic to www.google.com.au, enter “www.google” or “www.google.com”.

In the example below, the URL request for www.abc.com will be sent to the remote web server because it is listed in the trusted list, whilst the URL request for www.google or www.google.com will be dropped, because www.google is in the forbidden list.
Example: Andy wishes to disable all WEB traffic except for sites listed in the trusted domain list, which would prevent Bobby from accessing other web sites. Andy selects both functions in Domain Filtering and thinks that it will stop Bobby. But Bobby knows that this function, Domain Filtering, ONLY disables all WEB traffic except for the Trusted Domain, BUT not its IP address. In this situation, the Block surfing by IP address function can be handy and helpful to Andy. Now, Andy can prevent Bobby from accessing other sites.
Restrict URL Features: This function enhances the restriction to your URL rules.

Block Java Applet: This function can block Web content that includes Java Applets. It is intended to prevent someone from damaging your system via the standard HTTP protocol.

Block surfing by IP address: Prevents someone from using an IP address as the URL to skip the Domains Filtering function. Active only if Domains Filtering is enabled.
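
The Domains Filtering checking procedure and the Block surfing by IP address option, modeled as an added Python example for auditing what a rule set does and does not cover (not code from the manual or the router). Prefix matching of list entries and the position of the IP check before the lists are assumptions; the list entries are the manual's own example and the test URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

TRUSTED = ["www.abc.com"]      # from the manual's example
FORBIDDEN = ["www.google"]     # from the manual's example

def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def entry_matches(host, entries):
    # Assumption: an entry matches when the host name starts with it, which is
    # consistent with "www.google" covering www.google.com.au in the manual.
    return any(host.startswith(e.lower()) for e in entries)

def domain_filter(url, trusted, forbidden, block_ip=False):
    """Return (verdict, reason) following the manual's checking procedure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    if parts.scheme != "http" or port != 80:
        return ("sent", "not inspected: filter covers HTTP on port 80 only")
    if block_ip and host_is_ip(host):      # assumed to run before the lists
        return ("dropped", "block surfing by IP address")
    if entry_matches(host, trusted):       # step 1
        return ("sent", "trusted list")
    if entry_matches(host, forbidden):     # step 2
        return ("dropped", "forbidden list")
    return ("sent", "no match: default is to forward")   # step 3

def audit(block_ip):
    """Verdicts for constructed URLs, to show which requests the rules cover."""
    urls = ["http://www.abc.com/", "http://www.google.com.au/maps",
            "http://www.example.org/", "http://203.0.113.10/index.html",
            "https://www.google.com/", "http://www.google.com:8080/"]
    return {u: domain_filter(u, TRUSTED, FORBIDDEN, block_ip)[0] for u in urls}
```

Comparing `audit(False)` with `audit(True)` shows that only the IP-literal request changes verdict; unlisted domains and anything outside HTTP on port 80 are forwarded in both cases.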
