VoIP/(802.11g) ADSL2+ (VPN) Firewall Router
Chapter 4: Configuration
Intrusion Detection
The router’s Intrusion Detection System (IDS) is used to detect hacker attacks and intrusion attempts from the Internet. If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.

Blacklist: If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist. Any further attempts using this IP address will be blocked for the time period specified as the Block Duration. The default setting for this function is false (disabled). Some attack types are denied immediately without using the Blacklist function, such as Land attack and Echo/CharGen scan.

Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is false.

Block Duration:
~ Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default value is 600 seconds.
~ Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible Scan attack. Scan attack types include X’mas scan, IMAP SYN/FIN scan and similar attempts. Default value is 86400 seconds.
~ DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible Denial of Service (DoS) attack. Possible DoS attacks this attempts to block include Ascend Kill and WinNuke. Default value is 1800 seconds.

Max TCP Open Handshaking Count: This is a threshold value to decide whether a SYN Flood attempt is occurring or not. Default value is 100 TCP SYN per second.

Max PING Count: This is a threshold value to decide whether an ICMP Echo Storm is occurring or not. Default value is 15 ICMP Echo Requests (PING) per second.

Max ICMP Count: This is a threshold to decide whether an ICMP flood is occurring or not. Default value is 100 ICMP packets per second, not counting ICMP Echo Requests (PING).

For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will just warn the user in the Event Log. It cannot protect against such attacks.
Table 2: Hacker attack types recognized by the IDS

| Intrusion Name | Detect Parameter | Blacklist | Type of Block Duration | Drop Packet | Show Log |
|---|---|---|---|---|---|
| Ascend Kill | Ascend Kill data | Src IP | DoS | Yes | Yes |
| WinNuke | TCP Port 135, 137~139, Flag: URG | Src IP | DoS | Yes | Yes |
| Smurf | ICMP type 8, Dst IP is broadcast | Dst IP | Victim Protection | Yes | Yes |
| Land attack | SrcIP = DstIP | | | Yes | Yes |
| Echo/CharGen Scan | UDP Echo Port and CharGen Port | | | Yes | Yes |
| Echo Scan | UDP Dst Port = Echo(7) | Src IP | Scan | Yes | Yes |
| CharGen Scan | UDP Dst Port = CharGen(19) | Src IP | Scan | Yes | Yes |
| X’mas Tree Scan | TCP Flag: X’mas | Src IP | Scan | Yes | Yes |
| IMAP SYN/FIN Scan | TCP Flag: SYN/FIN, DstPort: IMAP(143), SrcPort: 0 or 65535 | Src IP | Scan | Yes | Yes |
| SYN/FIN/RST/ACK Scan | TCP, No Existing session And Scan Hosts more than five. | Src IP | Scan | Yes | Yes |
| Net Bus Scan | TCP, No Existing session, DstPort = Net Bus 12345,12346, 3456 | SrcIP | Scan | Yes | Yes |
| Back Orifice Scan | UDP, DstPort = Orifice Port (31337) | SrcIP | Scan | Yes | Yes |
| SYN Flood | Max TCP Open Handshaking Count (Default 100 c/sec) | | | | Yes |
| ICMP Flood | Max ICMP Count (Default 100 c/sec) | | | | Yes |
| ICMP Echo | Max PING Count (Default 15 c/sec) | | | | Yes |

Src IP: Source IP
Src Port: Source Port
Dst Port: Destination Port
Dst IP: Destination IP
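
The following is an added example, not code from the router or its vendor: it models a subset of the Table 2 signatures together with the Blacklist and Block Duration behaviour described above, so the effect of the default durations can be checked. The packet dictionaries, field names, broadcast addresses and the FIN+PSH+URG definition of an X’mas scan are assumptions.

```python
# Added example: a subset of Table 2's signatures plus a timed blacklist.
# Packet dicts, field names and BROADCAST are constructed assumptions.
DURATION = {"DoS": 1800, "Victim Protection": 600, "Scan": 86400}  # default seconds
BROADCAST = {"192.168.1.255", "255.255.255.255"}  # assumed LAN broadcast addresses
XMAS = {"FIN", "PSH", "URG"}  # usual X'mas flag set; the manual does not define it

def classify(p):
    """Return (name, blacklisted field or None, block type or None), or None."""
    proto, flags = p["proto"], set(p.get("flags", ()))
    if p["src"] == p["dst"]:
        return ("Land attack", None, None)  # denied immediately, no blacklist
    if proto == "ICMP" and p.get("icmp_type") == 8 and p["dst"] in BROADCAST:
        return ("Smurf", "dst", "Victim Protection")
    if proto == "TCP":
        if "URG" in flags and p["dport"] in (135, 137, 138, 139):
            return ("WinNuke", "src", "DoS")
        if XMAS <= flags:
            return ("X'mas Tree Scan", "src", "Scan")
        if {"SYN", "FIN"} <= flags and p["dport"] == 143 and p["sport"] in (0, 65535):
            return ("IMAP SYN/FIN Scan", "src", "Scan")
    if proto == "UDP":
        name = {7: "Echo Scan", 19: "CharGen Scan", 31337: "Back Orifice Scan"}.get(p["dport"])
        if name:
            return (name, "src", "Scan")
    return None

class Blacklist:
    def __init__(self):
        self.until = {}  # (field, IP) -> time at which the block expires

    def handle(self, p, now):
        """Return 'drop' or 'pass' for packet p seen at time now (seconds)."""
        if any(self.until.get((f, p[f]), 0) > now for f in ("src", "dst")):
            return "drop"  # address is still inside its Block Duration
        hit = classify(p)
        if hit is None:
            return "pass"
        _, field, block = hit
        if field:
            self.until[(field, p[field])] = now + DURATION[block]
        return "drop"

if __name__ == "__main__":
    bl = Blacklist()
    nuke = {"proto": "TCP", "src": "203.0.113.5", "dst": "198.51.100.1",
            "sport": 1025, "dport": 139, "flags": ["URG"]}  # constructed sample
    web = dict(nuke, dport=80, flags=["SYN"])
    print(bl.handle(nuke, 0), bl.handle(web, 1799), bl.handle(web, 1800))
```

With the Blacklist enabled, one matching packet costs the source all traffic for the whole Block Duration, which is worth weighing against the 86400-second scan default when source addresses can be spoofed.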
URL Filter
URL (Uniform Resource Locator – e.g. an address in the form of or ) filter rules allow you to prevent users on your network from accessing particular websites by their URL. There are no pre-defined URL filter rules; you can add filter rules to meet your requirements.

Enable/Disable: To enable or disable the URL Filter feature.

Block Mode: A list of the modes that you can choose for checking the URL filter rules. The default is set to Always On.
~ Disabled: No action will be performed by the Block Mode.
~ Always On: Action is enabled. URL filter rules are monitored and checked at all hours of the day.
~ TimeSlot1 ~ TimeSlot16: A self-defined time period. You may specify the time period in which to check the URL filter rules, e.g. during working hours. For setup and detail, refer to the Time Schedule section.

Keywords Filtering: Allows blocking by specific keywords within a particular URL rather than having to specify a complete URL (e.g. to block any image called “advertisement.gif”). When enabled, your specified keywords list will be checked to see if any keywords are present in URLs accessed to determine if the connection attempt should be blocked. Please note that the URL filter blocks web browser (HTTP) connection attempts using port 80 only.

For example, if the URL is , it will be dropped as the keyword “abcde” occurs in the URL.

Domains Filtering: This function checks the whole URL, not the IP address, of each request against your list of domains to block or allow. If it is matched, the URL request will be sent (Trusted) or dropped (Forbidden). For this function to be activated, both check-boxes must be checked. Here is the checking procedure:
1. Check the domain in the URL to determine if it is in the trusted list. If yes, the connection attempt is sent to the remote web server.
2. If not, check if it is listed in the forbidden list. If yes, then the connection attempt will be dropped.
3. If the packet does not match either of the above two items, it is sent to the remote web server.
4. Please note that the complete URL, “www” + domain name, must be specified. For example, to block traffic to www.google.com.au, enter www.google or www.google.com

In the example below, the URL request for www.abc.com will be sent to the remote web server because it is listed in the trusted list, whilst the URL request for www.google or www.google.com will be dropped, because www.google is in the forbidden list.

Example: Andy wishes to disable all web traffic except for the sites listed in the trusted domains, which would prevent Bobby from accessing other web sites. Andy selects both functions in Domain Filtering and thinks that this will stop Bobby. But Bobby knows that Domain Filtering ONLY disables web traffic except for the Trusted Domain, and does NOT cover requests made by IP address. In this situation, the Block surfing by IP address function can be handy and helpful to Andy. Now Andy can prevent Bobby from accessing other sites.

Restrict URL Features: This function tightens the restrictions applied by your URL rules.
~ Block Java Applet: This function can block Web content that includes a Java Applet. It protects against someone who wants to damage your system via the standard HTTP protocol.
~ Block surfing by IP address: Prevents someone from using an IP address as the URL in order to skip the Domains Filtering function. Active only if Domains Filtering is enabled.
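
The Domains Filtering checking procedure and the Block surfing by IP address option, as an added example that is not the router's own code. It assumes list entries are matched as a prefix of the host name (consistent with www.google covering www.google.com.au) and that the IP-address check runs before the list lookups; the function and parameter names are hypothetical.

```python
# Added example: decision logic of Domains Filtering as described in the manual.
# Prefix matching and the position of the IP-literal check are assumptions.
import ipaddress
from urllib.parse import urlsplit

def is_ip_literal(host):
    """True if the host part of the URL is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_filter(url, trusted, forbidden, block_ip=False):
    """Verdict for one request: 'sent', 'dropped' or 'not inspected'."""
    parts = urlsplit(url)
    if parts.scheme != "http" or (parts.port or 80) != 80:
        return "not inspected"      # the filter only covers HTTP on port 80
    host = (parts.hostname or "").lower()
    if block_ip and is_ip_literal(host):
        return "dropped"            # Block surfing by IP address
    if any(host.startswith(t) for t in trusted):
        return "sent"               # step 1: trusted list is checked first
    if any(host.startswith(f) for f in forbidden):
        return "dropped"            # step 2: forbidden list
    return "sent"                   # step 3: no match, request goes out

TRUSTED = ["www.abc.com"]           # lists from the manual's example
FORBIDDEN = ["www.google"]

if __name__ == "__main__":
    for u in ("http://www.abc.com/",              # constructed sample requests
              "http://www.google.com.au/search",
              "http://www.example.org/",
              "http://203.0.113.10/",
              "https://www.google.com/"):
        print(u, domain_filter(u, TRUSTED, FORBIDDEN),
              domain_filter(u, TRUSTED, FORBIDDEN, block_ip=True))
```

The last two sample requests show the coverage limits stated in the text: a request by IP address passes unless Block surfing by IP address is on, and anything other than HTTP on port 80 is never checked.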
IM / P2P Blocking
IM, short for Instant Message, requires client software that allows users to communicate, by exchanging text messages, with other IM users in real time over the Internet. A P2P application, known as Peer-to-peer, lets a group of computer users share files with specific groups of people across the Internet. Both Instant Message and Peer-to-peer applications make communication faster and easier, but your network can become increasingly insecure at the same time. Billion’s IM and P2P blocking helps users to restrict LAN PCs from accessing the commonly used IM applications, Yahoo and MSN, and P2P applications, BitTorrent and eDonkey, over the Internet.

Instant Message Blocking: The default is set to Disabled.
~ Disabled: Instant Message blocking is not triggered. No action will be performed.
~ Always On: Action is enabled.
~ TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time period to trigger the blocking, e.g. during working hours. For setup and detail, refer to the Time Schedule section.

Yahoo/MSN Messenger: Check the box to block either or both of Yahoo and MSN Messenger. Be sure you have enabled Instant Message Blocking first.

Peer to Peer Blocking: The default is set to Disabled.
~ Disabled: Instant Message blocking is not triggered. No action will be performed.
~ Always On: Action is enabled.
~ TimeSlot1 ~ TimeSlot16: This is the self-defined time period. You may specify the time period to trigger the blocking, e.g. during working hours. For setup and detail, refer to the Time Schedule section.

BitTorrent / eDonkey: Check the box to block either or both of BitTorrent and eDonkey. Be sure you have enabled Peer to Peer Blocking first.
