Vigor2900 Series User’s Guide
Call Filter
Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter.
Data Filter
Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter.
Log Flag
For troubleshooting needs you can specify the filter log here.
None - The log function is not activated.
Block - All blocked packets will be logged.
Pass - All passed packets will be logged.
No Match - The log function will record all packets that are not matched.
Note that the filter log will be displayed on the Telnet terminal when you type the log -f command.
Time Schedule
Specify the time schedule during which the IP filtering facility is applied.
Some on-line games (for example, Half Life) use many fragmented UDP packets to transfer game data. As a secure firewall, the Vigor router rejects these fragmented packets to prevent attacks unless you enable Accept Incoming Fragmented UDP Packets. By checking this box, you can play these kinds of on-line games. If security is the higher priority, do not enable Accept Incoming Fragmented UDP Packets.
3.7.3 MAC Address Control
Choose IP Filter/Firewall Setup on the Advanced Setup group and click the MAC Address Control link.
Active
Check this box to invoke this setting.
MAC Address
Type in the MAC address of the device that the router connects to.
Pass Scheduler (1..15)
Allow the device with the specified MAC address to pass only within certain time intervals. You may choose up to 4 schedules out of the 15 schedules pre-defined in Call Schedule Setup in the Advanced Setup group.
If the four boxes are left blank, traffic for the MAC address is “always pass”. If only one disabled schedule is typed in the box, the related MAC address will always be blocked.
For hosts not listed in this table
This setting lets you specify, for all other hosts not listed in the above table, whether they are passed or blocked at certain times. Again, please choose four schedules from Call Schedule Setup.
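The pass-scheduler rules above have two edge cases worth seeing in code: blank schedule boxes mean "always pass", while a single disabled schedule means "always blocked". The following added example models that decision; it is not DrayTek firmware code, and the Schedule and MacEntry structures, the sample schedules and the sample MAC addresses are assumptions constructed for illustration.

```python
# Added example: a model of the MAC Address Control pass-scheduler decision.
# Not DrayTek code; Schedule/MacEntry shapes and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

MAX_SCHEDULES_PER_ENTRY = 4   # the four schedule boxes of one table entry


@dataclass(frozen=True)
class Schedule:
    """One Call Schedule Setup entry (assumed shape: enable flag, daily window, weekdays)."""
    enabled: bool
    start: time
    end: time
    weekdays: FrozenSet[int]   # 0 = Monday ... 6 = Sunday

    def active_at(self, when: datetime) -> bool:
        # A disabled schedule is never active, which is why a single disabled
        # schedule in the boxes makes the MAC address "always blocked".
        if not self.enabled:
            return False
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class MacEntry:
    """One row of the MAC Address Control table, or the 'hosts not listed' row."""
    active: bool
    mac: Optional[str]               # None for the 'hosts not listed' entry
    schedules: Tuple[int, ...] = ()  # indices 1..15 into the schedule table; empty = boxes blank


def entry_passes(entry: MacEntry, schedules: Dict[int, Schedule], when: datetime) -> bool:
    """Blank boxes: always pass. Otherwise pass only while at least one of the
    referenced schedules is enabled and active at `when`."""
    if len(entry.schedules) > MAX_SCHEDULES_PER_ENTRY:
        raise ValueError("at most four schedules per entry")
    if not entry.schedules:
        return True
    return any(schedules[i].active_at(when) for i in entry.schedules)


def decide(mac: str, table: List[MacEntry], unlisted: MacEntry,
           schedules: Dict[int, Schedule], when: datetime) -> bool:
    """Return True if traffic from `mac` is passed at `when`."""
    for entry in table:
        if entry.active and entry.mac and entry.mac.lower() == mac.lower():
            return entry_passes(entry, schedules, when)
    # Not in the table: the 'For hosts not listed in this table' setting applies.
    return entry_passes(unlisted, schedules, when)


# Constructed sample data (not from the manual).
SCHEDULES: Dict[int, Schedule] = {
    1: Schedule(True, time(9, 0), time(17, 0), frozenset(range(0, 5))),    # Mon-Fri office hours
    2: Schedule(False, time(0, 0), time(23, 59), frozenset(range(0, 7))),  # disabled entry
}
TABLE = [
    MacEntry(True, "00:11:22:33:44:55", (1,)),   # passed only during office hours
    MacEntry(True, "66:77:88:99:AA:BB", (2,)),   # only a disabled schedule: always blocked
    MacEntry(False, "CC:DD:EE:FF:00:11", (1,)),  # row not active, so it is ignored
]
UNLISTED = MacEntry(True, None, ())               # blank boxes: everyone else always passes
MONDAY_10 = datetime(2024, 1, 8, 10, 0)           # 2024-01-08 is a Monday
MONDAY_20 = datetime(2024, 1, 8, 20, 0)

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "66:77:88:99:AA:BB", "CC:DD:EE:FF:00:11"):
        for when in (MONDAY_10, MONDAY_20):
            verdict = "pass" if decide(mac, TABLE, UNLISTED, SCHEDULES, when) else "block"
            print(f"{mac} at {when:%a %H:%M}: {verdict}")
```

The inactive third row falls through to the "hosts not listed" entry, so with blank boxes there it is passed at any time; set schedules on that entry if unlisted hosts should be restricted too.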
3.7.4 DoS Defense
As a sub-function of IP Filter/Firewall, there are 15 types of detection/defense functions in the DoS Defense setup. The DoS Defense functionality is disabled by default.
Choose IP Filter/Firewall Setup on the Advanced Setup group and click the DoS Defense link.
Enable DoS Defense
Check the box to activate the DoS Defense functionality.
Enable SYN flood defense
Check the box to activate the SYN flood defense function. Once the rate of TCP SYN packets exceeds the defined Threshold, the Vigor router will start to discard the subsequent TCP SYN packets for the period defined in Timeout. The goal is to prevent TCP SYN packets from exhausting the limited resources of the Vigor router. By default, the threshold and timeout values are set to 50 packets per second and 10 seconds, respectively.
Enable UDP flood defense
Check the box to activate the UDP flood defense function. Once the rate of UDP packets exceeds the defined Threshold, the Vigor router will start to discard the subsequent UDP packets for the period defined in Timeout. The default settings for threshold and timeout are 150 packets per second and 10 seconds, respectively.
Enable ICMP flood defense
Check the box to activate the ICMP flood defense function. Similar to the UDP flood defense function, once the rate of ICMP packets exceeds the defined Threshold, the router will discard the ICMP echo requests coming from the Internet. The default settings for threshold and timeout are 50 packets per second and 10 seconds, respectively.
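The three flood defenses share one mechanism: count packets of a type per second, and once the count exceeds the Threshold, discard that type for Timeout seconds. The following added example models that behaviour with the manual's SYN defaults (50 packets per second, 10 seconds); it is not DrayTek code, and the fixed one-second counting window and the constructed burst are assumptions.

```python
# Added example: simplified threshold/timeout model of the SYN/UDP/ICMP flood
# defenses. Not DrayTek code; the one-second tumbling window is an assumption.
from typing import Dict, List, Optional, Tuple


class FloodDefense:
    def __init__(self, name: str, threshold_pps: int, timeout_s: float) -> None:
        self.name = name
        self.threshold = threshold_pps
        self.timeout = timeout_s
        self.window_start: Optional[float] = None
        self.count = 0
        self.block_until: Optional[float] = None
        self.warnings: List[str] = []   # what the router would report via Syslog

    def observe(self, ts: float) -> bool:
        """Return True to forward a packet of this type seen at time `ts`, False to discard."""
        # Inside the Timeout period: discard everything of this type.
        if self.block_until is not None:
            if ts < self.block_until:
                return False
            self.block_until = None
            self.window_start = None
            self.count = 0
        # Count packets within the current one-second window.
        if self.window_start is None or ts - self.window_start >= 1.0:
            self.window_start = ts
            self.count = 0
        self.count += 1
        if self.count > self.threshold:
            # Threshold exceeded: discard subsequent packets for `timeout` seconds.
            self.block_until = ts + self.timeout
            self.warnings.append(f"DoS {self.name} flood at t={ts:.2f}s")
            return False
        return True


def simulate(defense: FloodDefense, timestamps: List[float]) -> Tuple[int, int]:
    """Feed timestamps (seconds) through the defense; return (accepted, dropped)."""
    accepted = dropped = 0
    for ts in timestamps:
        if defense.observe(ts):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def syn_flood_demo() -> Dict[str, object]:
    """Constructed burst: 60 SYNs in 0.6 s against the 50 pps / 10 s defaults."""
    d = FloodDefense("SYN", threshold_pps=50, timeout_s=10)
    accepted, dropped = simulate(d, [i * 0.01 for i in range(60)])
    return {
        "accepted": accepted,                      # the first 50 pass
        "dropped": dropped,                        # the 51st trips the threshold, rest dropped
        "during_timeout": d.observe(5.0),          # still inside the 10 s timeout
        "after_timeout": d.observe(11.0),          # timeout elapsed, SYNs accepted again
        "warnings": list(d.warnings),
    }


if __name__ == "__main__":
    print(syn_flood_demo())
```

A tumbling window over-counts at window boundaries compared with a sliding window, but it is enough to show why a legitimate burst just above the threshold costs a full Timeout of lost packets, which is the trade-off to weigh when lowering the default.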
Enable PortScan detection
A port scan attacks the Vigor router by sending many packets to many ports in an attempt to find which services respond. Check the box to activate the Port Scan detection. Whenever it detects this malicious exploration behavior by monitoring the port-scanning Threshold rate, the Vigor router will send out a warning. By default, the Vigor router sets the threshold to 150 packets per second.
Block IP options
Check the box to activate the Block IP options function. The Vigor router will ignore any IP packet with an IP option field in the datagram header. The reason for this limitation is that the IP option field appears to be a security vulnerability for the LAN, because it can carry significant information, such as security and TCC (closed user group) parameters, a series of Internet addresses, routing messages, etc. An eavesdropper outside might learn the details of your private networks.
Block Land
Check the box to make the Vigor router defend against Land attacks. The Land attack combines the SYN attack technique with IP spoofing. A Land attack occurs when an attacker sends spoofed SYN packets with identical source and destination addresses, as well as port numbers, to victims.
Block Smurf
Check the box to activate the Block Smurf function. The Vigor router will ignore any broadcast ICMP echo request.
Block trace route
Check the box to make the Vigor router not forward any trace route packets.
Block SYN fragment
Check the box to activate the Block SYN fragment function. The Vigor router will drop any packet that has the SYN flag and the more-fragments bit set.
Block Fraggle Attack
Check the box to activate the Block Fraggle Attack function. Any broadcast UDP packet received from the Internet is blocked.
Activating the DoS/DDoS defense functionality might block some legitimate packets. For example, when you activate the fraggle attack defense, all broadcast UDP packets coming from the Internet are blocked. Therefore, RIP packets from the Internet might be dropped.
Block TCP flag scan
Check the box to activate the Block TCP flag scan function. Any TCP packet with an anomalous flag setting is dropped. Those scanning activities include no flag scan, FIN without ACK scan, SYN FIN scan, Xmas scan and full Xmas scan.
Block Tear Drop
Check the box to activate the Block Tear Drop function. Many machines may crash when receiving ICMP datagrams (packets) that exceed the maximum length. To avoid this type of attack, the Vigor router is designed to discard any fragmented ICMP packet with a length greater than 1024 octets.
Block Ping of Death
Check the box to activate the Block Ping of Death function. This attack involves the perpetrator sending overlapping packets to the target hosts so that those hosts hang once they reassemble the packets. The Vigor router will block any packets that exhibit this attack activity.
Block ICMP Fragment
Check the box to activate the Block ICMP fragment function. Any ICMP packet with the more-fragments bit set is dropped.
Block Unknown Protocol
Check the box to activate the Block Unknown Protocol function. Each IP packet has a protocol field in the datagram header to indicate the protocol type running in the upper layer. However, protocol types greater than 100 are reserved and undefined at this time. Therefore, the router should be able to detect and reject this kind of packet.
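Most of the Block options above are stateless: each one can be decided from the headers of a single packet. The following added example expresses those rules (Land, Smurf, Fraggle, SYN fragment, ICMP fragment, IP options, unknown protocol and the five TCP flag-scan patterns) as checks over a decoded packet, so the exact conditions are visible. It is not DrayTek code; the Packet structure, the sample packets and addresses are constructed for illustration, and the fragment-reassembly checks (Tear Drop, Ping of Death) are left out because they need per-flow state.

```python
# Added example: stateless packet checks modelled on the single-packet DoS Defense
# rules. Not DrayTek code; the Packet shape and samples are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

ICMP, TCP, UDP = 1, 6, 17
ICMP_ECHO_REQUEST = 8
ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags
    more_fragments: bool = False          # MF bit in the IP header
    has_ip_options: bool = False
    dst_is_broadcast: bool = False
    icmp_type: int = -1


def check_land(p: Packet) -> Optional[str]:
    # Spoofed SYN with source == destination address and port.
    if p.proto == TCP and "SYN" in p.flags and p.src == p.dst and p.sport == p.dport:
        return "Land"
    return None


def check_smurf(p: Packet) -> Optional[str]:
    if p.proto == ICMP and p.icmp_type == ICMP_ECHO_REQUEST and p.dst_is_broadcast:
        return "Smurf"
    return None


def check_fraggle(p: Packet) -> Optional[str]:
    return "Fraggle" if p.proto == UDP and p.dst_is_broadcast else None


def check_syn_fragment(p: Packet) -> Optional[str]:
    return "SYN fragment" if p.proto == TCP and "SYN" in p.flags and p.more_fragments else None


def check_icmp_fragment(p: Packet) -> Optional[str]:
    return "ICMP fragment" if p.proto == ICMP and p.more_fragments else None


def check_ip_options(p: Packet) -> Optional[str]:
    return "IP options" if p.has_ip_options else None


def check_unknown_protocol(p: Packet) -> Optional[str]:
    # The manual treats protocol numbers above 100 as reserved/undefined.
    return "Unknown protocol" if p.proto > 100 else None


def check_tcp_flag_scan(p: Packet) -> Optional[str]:
    if p.proto != TCP:
        return None
    f = p.flags
    if not f:
        return "TCP flag scan (no flag)"
    if f == ALL_TCP_FLAGS:                       # test before SYN FIN, which it contains
        return "TCP flag scan (full Xmas)"
    if {"SYN", "FIN"} <= f:
        return "TCP flag scan (SYN FIN)"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "TCP flag scan (Xmas)"
    if "FIN" in f and "ACK" not in f:
        return "TCP flag scan (FIN without ACK)"
    return None


CHECKS: List[Callable[[Packet], Optional[str]]] = [
    check_land, check_smurf, check_fraggle, check_syn_fragment,
    check_icmp_fragment, check_ip_options, check_unknown_protocol, check_tcp_flag_scan,
]


def classify(p: Packet) -> List[str]:
    """Return the names of every rule the packet matches (empty list = forward)."""
    return [reason for reason in (check(p) for check in CHECKS) if reason]


# Constructed sample packets using documentation address ranges.
SAMPLES: Dict[str, Packet] = {
    "land": Packet("203.0.113.5", "203.0.113.5", TCP, 80, 80, frozenset({"SYN"})),
    "smurf": Packet("198.51.100.9", "192.0.2.255", ICMP, dst_is_broadcast=True, icmp_type=8),
    "fraggle": Packet("198.51.100.9", "192.0.2.255", UDP, 7, 7, dst_is_broadcast=True),
    "xmas": Packet("198.51.100.9", "192.0.2.10", TCP, 40000, 22, frozenset({"FIN", "PSH", "URG"})),
    "syn_fragment": Packet("198.51.100.9", "192.0.2.10", TCP, 40000, 80, frozenset({"SYN"}), more_fragments=True),
    "unknown_proto": Packet("198.51.100.9", "192.0.2.10", 140),
    "normal_syn": Packet("198.51.100.9", "192.0.2.10", TCP, 40000, 443, frozenset({"SYN"})),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt) or ['forward']}")
```

Running the block prints the rule names each sample trips; the normal SYN matches nothing, which is the check that the flag-scan rule does not catch ordinary connection attempts.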
Warning Messages
We provide a Syslog function for the user to retrieve messages from the Vigor router. The user, as the Syslog server, receives the reports sent from the Vigor router, which is a Syslog client.
All the warning messages related to DoS defense will be sent to the user, who can review them through the Syslog daemon. Look for the keyword DoS in the message, followed by a name indicating what kind of attack was detected.
3.7.5 URL Content Filter
Based on the list of user-defined keywords, the URL Content Filter facility in the Vigor router inspects the URL string in every outgoing HTTP request. Whether the URL string fully or partially matches a keyword, the Vigor router will block the associated HTTP connection.
For example, if you add a keyword such as “sex”, the Vigor router will limit web access to web sites or web pages such as “www.sex.com” or ”www.backdoor.net/images/sex/p_386.html”. Or you may simply specify the full or partial URL, such as “www.sex.com” or “sex.com”.
Also, the Vigor router will discard any request that tries to retrieve malicious code.
Choose IP Filter/Firewall Setup on the Advanced Setup group and click the URL Content Filter link.
