DrayTek Vigor 2830 Router Manual PDF (Setup & Configuration Guide)

Page 166 / 357 Scroll up to view Page 161 - 165

Vigor2830 Series User’s Guide

154

will be. However, if the network is not stable, small value will

be proper.

Session timeout

–Setting timeout for sessions can make the

best utilization of network resources. However, Queue timeout

is configured for TCP protocol only; session timeout is

configured for the data flow which matched with the firewall

rule.

DrayTek Banner

– Please uncheck this box and the following

screen will not be shown for the unreachable web page. The

default setting is Enabled.

Strict Security Checking

- All the packets, while transmitting

through Vigor router, will be filtered by firewall settings

configured by Vigor router if Strict Security Firewall is

enabled. If the firewall system does not have any response

(pass or block) for these packets, such as no response coming

from Anti-Spam server, then the router’s firewall will block

the packets directly.

In addition, you can restrict the strict security checking just be

done by specified server and conditions such as Anti-Virus,

Anti-Spam, In-Sequence and APP Enforcement. Thus, the

packets not only must be filtered by general rules by Firewall,

but also must be filtered by the items selected in Strict

Security Checking. Such work can ensure the data security

transferring via network.

APP Enforcement

– Check this box to execute the critical

checking for all the files transferred via IM/P2P.

Page 167 / 357

Vigor2830 Series User’s Guide

155

Example

As stated before, all the traffic will be separated and arbitrated using on of two IP filters: call

filter or data filter. You may preset 12 call filters and data filters in

Filter Setup

and even link

them in a serial manner. Each filter set is composed by 7 filter rules, which can be further

defined. After that, in

General Setup

you may specify one set for call filter and one set for

data filter to execute first.

Page 168 / 357

Vigor2830 Series User’s Guide

156

4.4.4 DoS Defense

As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/ defense function in

the

DoS Defense

setup. The DoS Defense functionality is disabled for default.

Click

Firewall

and click

DoS Defense

to open the setup page.

Enable Dos Defense

Check the box to activate the DoS Defense Functionality.

Select All

Click this button to select all the items listed below.

Enable SYN flood defense

Check the box to activate the SYN flood defense function.

Once detecting the Threshold of the TCP SYN packets from

the Internet has exceeded the defined value, the Vigor router

will start to randomly discard the subsequent TCP SYN

packets for a period defined in Timeout. The goal for this is

prevent the TCP SYN packets’ attempt to exhaust the

limited-resource of Vigor router. By default, the threshold and

timeout values are set to 50 packets per second and 10

seconds, respectively.

Enable UDP flood

defense

Check the box to activate the UDP flood defense function.

Once detecting the Threshold of the UDP packets from the

Internet has exceeded the defined value, the Vigor router will

start to randomly discard the subsequent UDP packets for a

period defined in Timeout. The default setting for threshold

and timeout are 150 packets per second and 10 seconds,

respectively.

Enable ICMP flood

defense

Check the box to activate the ICMP flood defense function.

Similar to the UDP flood defense function, once if the

Threshold of ICMP packets from Internet has exceeded the

defined value, the router will discard the ICMP echo requests

Page 169 / 357

Vigor2830 Series User’s Guide

157

coming from the Internet. The default setting for threshold and

timeout are 50 packets per second and 10 seconds, respectively.

Enable PortScan

detection

Port Scan attacks the Vigor router by sending lots of packets to

many ports in an attempt to find ignorant services would

respond. Check the box to activate the Port Scan detection.

Whenever detecting this malicious exploration behavior by

monitoring the port-scanning Threshold rate, the Vigor router

will send out a warning. By default, the Vigor router sets the

threshold as 150 packets per second.

Block IP options

Check the box to activate the Block IP options function. The

Vigor router will ignore any IP packets with IP option field in

the datagram header. The reason for limitation is IP option

appears to be a vulnerability of the security for the LAN

because it will carry significant information, such as security,

TCC (closed user group) parameters, a series of Internet

addresses, routing messages...etc. An eavesdropper outside

might learn the details of your private networks.

Block Land

Check the box to enforce the Vigor router to defense the Land

attacks. The Land attack combines the SYN attack technology

with IP spoofing. A Land attack occurs when an attacker sends

spoofed SYN packets with the identical source and destination

addresses, as well as the port number to victims.

Block Smurf

Check the box to activate the Block Smurf function. The Vigor

router will ignore any broadcasting ICMP echo request.

Block trace router

Check the box to enforce the Vigor router not to forward any

trace route packets.

Block SYN fragment

Check the box to activate the Block SYN fragment function.

The Vigor router will drop any packets having SYN flag and

more fragment bit set.

Block Fraggle Attack

Check the box to activate the Block fraggle Attack function.

Any broadcast UDP packets received from the Internet is

blocked.

Activating the DoS/DDoS defense functionality might block

some legal packets. For example, when you activate the

fraggle attack defense, all broadcast UDP packets coming

from the Internet are blocked. Therefore, the RIP packets from

the Internet might be dropped.

Block TCP flag scan

Check the box to activate the Block TCP flag scan function.

Any TCP packet with anomaly flag setting is dropped. Those

scanning activities include

no flag scan

,

FIN without ACK

scan

,

SYN FINscan

,

Xmas scan

and

full Xmas scan

.

Block Tear Drop

Check the box to activate the Block Tear Drop function. Many

machines may crash when receiving ICMP datagrams (packets)

that exceed the maximum length. To avoid this type of attack,

the Vigor router is designed to be capable of discarding any

fragmented ICMP packets with a length greater than 1024

octets.

Block Ping of Death

Check the box to activate the Block Ping of Death function.

This attack involves the perpetrator sending overlapping

packets to the target hosts so that those target hosts will hang

Page 170 / 357

Vigor2830 Series User’s Guide

158

once they re-construct the packets. The Vigor routers will

block any packets realizing this attacking activity.

Block ICMP Fragment

Check the box to activate the Block ICMP fragment function.

Any ICMP packets with more fragment bit set are dropped.

Block Unknown Protocol

Check the box to activate the Block Unknown Protocol

function. Individual IP packet has a protocol field in the

datagram header to indicate the protocol type running over the

upper layer. However, the protocol types greater than 100 are

reserved and undefined at this time. Therefore, the router

should have ability to detect and reject this kind of packets.

Warning Messages

We provide Syslog function for user to retrieve message from

Vigor router. The user, as a Syslog Server, shall receive the

report sending from Vigor router which is a Syslog Client.

All the warning messages related to

DoS Defense

will be sent

to user and user can review it through Syslog daemon. Look for

the keyword

DoS

in the message, followed by a name to

indicate what kind of attacks is detected.

Rate

Popular DrayTek Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share