Router User’s Guide
Monitoring Network Health
ADS
The firewall provides an advanced Attack Detection System (ADS) that may be used to detect and
identify various types of attacks initiated on the Wide Area Network (WAN). The system has the capability
to detect such attacks the moment they start and to protect the Local Area Network (LAN) from such
attacks.
If the Attack Detection System is enabled, the SpeedStream Router provides protection against the most
common hacker attacks that attempt to access your computer/network from the Internet. Intrusion
attempts can also be logged to provide a record of attempts and their source (when available).
To enable and configure the attack detection feature:
1. Select Setup>Firewall>ADS from the left navigation pane of the Web interface. This displays the “Firewall Attack Detection System” window.
2. Select Enable Attack Detection.
3. Select the Filter checkbox for each event in the list you want to filter or, if you want to filter all events, select the Filter All checkbox. This provides maximum protection against malicious intrusion from outside your network.
4. Select the Log checkbox for each event in the list you want to log or, if you want to log all events, select the Log All checkbox. When logging is selected for a particular offending packet, the ADS will write an entry to the firewall log once a minute for as long as the attack persists. This shows that a long-term attack is taking place without completely filling up the firewall log with entries for every single packet.
5. Click Apply.
Below is a description of each event that can be monitored.
Same Source and Destination Address
An outside device can send a SYN (synchronize) packet to a host with the same source and
destination address (including port) causing the system to hang. When the receiving host tries to
respond to the source address in the packet, it ends up just sending it back to itself. This packet could
ping-pong back and forth over 200 times (consuming CPU resources) before being discarded.
Broadcast Source Address
An outside device can send a ping to your Router broadcast address using a forged source address.
When your system responds to these pings, it is brought down by echo replies.
LAN Source Address on LAN
An outside device can send a forged source address in an incoming IP packet to block trace back.
Invalid IP Packet Fragment
An outside device can send fragmented data packets that can bring down your system. IP packets can
be fairly large in size. If a link between two hosts transporting a packet can only handle smaller
packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments
get to the destination host, they must be reassembled into the original large packet like pieces of a
puzzle. A specially crafted invalid fragment can cause the host to crash.
TCP NULL
An outside device can send an IP packet with the protocol field set to TCP but with an all null TCP
header and data section. If your Router responds to this attack, it will bring down your system.
TCP FIN
An outside device can send an attack using TCP FIN. This attack never allows a data packet to finish
transmitting and brings down your system.
TCP XMAS
An outside device can send an attack using TCP packets with all the flags set. This causes your
system to slow to a halt.
Fragmented TCP Packet
An outside device can send an attack using fragmented packets to allow an outside user Telnet
access to a device on your network.
Fragmented TCP Header
An outside device can send an attack using TCP packets with only a header and no payload. When
numerous packets are sent through the Router in this manner, your system slows and halts.
Fragmented UDP Header
An outside device can send an attack using fragmented UDP headers to bring down a device on your
network.
Fragmented ICMP Header
An outside device can send an attack using fragmented ICMP headers to bring down a device on your
network.
Inconsistent UDP/IP header lengths
An outside device can send an attack using inconsistent UDP/IP headers to bring down a device on
your network.
Inconsistent IP header lengths
An outside device can send an attack using changes in the IP header to zero the fragment offset field.
This will be treated as a complete packet when received and cause your system to halt.
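The header checks behind several of the events described above, as an added example that is not part of the original guide and not the Router's own firmware logic: a Python classifier run over constructed packets. The helper names, the sample addresses (documentation ranges) and the exact matching rules, such as reading "all the flags set" as the six classic TCP flag bits, are assumptions made for illustration.

```python
import ipaddress
import struct

def ip_packet(src, dst, proto, payload):
    """Constructed 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def tcp_header(sport, dport, flags):
    # Constructed 20-byte TCP header carrying the given flag bits.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def classify(pkt):
    """Return the ADS event names from this guide that an inbound packet matches."""
    events = []
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # IP total length field
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    l4 = pkt[ihl:]
    if src == b"\xff\xff\xff\xff":
        events.append("Broadcast Source Address")
    if proto == 6 and len(l4) >= 20:               # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13] & 0x3F                      # URG ACK PSH RST SYN FIN
        if not any(l4):                            # header and data all zero
            events.append("TCP NULL")
        elif flags == 0x3F:                        # assumption: six classic flags
            events.append("TCP XMAS")
        if flags & 0x02 and src == dst and sport == dport:
            events.append("Same Source and Destination Address")
    elif proto == 17 and len(l4) >= 8:             # UDP
        udp_len = struct.unpack("!H", l4[4:6])[0]
        if udp_len != total_len - ihl:             # UDP length vs. IP payload size
            events.append("Inconsistent UDP/IP header lengths")
    return events

# Constructed samples using documentation addresses; nothing here is captured traffic.
SAMPLES = {
    "same_src_dst": ip_packet("192.0.2.10", "192.0.2.10", 6, tcp_header(139, 139, 0x02)),
    "tcp_null": ip_packet("198.51.100.7", "192.0.2.10", 6, bytes(20)),
    "tcp_xmas": ip_packet("198.51.100.7", "192.0.2.10", 6, tcp_header(40000, 23, 0x3F)),
    "udp_bad_len": ip_packet("198.51.100.7", "192.0.2.10", 17,
                             struct.pack("!HHHH", 5000, 5001, 100, 0) + b"data"),
    "bcast_src": ip_packet("255.255.255.255", "192.0.2.10", 1, b"\x08\x00" + bytes(6)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```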
Chapter 9
Monitoring Router Health
This chapter describes how to monitor the health of the Router.
The Router health options listed below are used to gauge the Router’s health.
Status and Statistics
View Internet, home networking, security statistics, system and firewall
log files.
Diagnostics
Run a diagnostic program against a selected connection on your Router.
Tools
Reset, reboot, or update firmware.
Status and Statistics
You can display statistics for the Internet, Home Networking, Security, and Logging.
System Summary
Basic descriptive information that identifies the router.
System Log
Displays a record of all system activity, including what actions were
performed, what packets were dropped and what packets were
forwarded.
ATM/AAL
Displays status information about the ATM connection.
DSL
Displays status information about the DSL connection.
Ethernet
Displays status information about the Ethernet connection.
USB
Displays status information about the USB connection.
Routes
Displays status information about the current routing table.
System Summary
The “System Summary” window provides basic descriptive information that identifies the router, system
type, current software and firmware versions, the MAC address (unique device identifier), and the status
of currently configured connections.
Connection information includes the identification and current status of configured point-to-point (PPP)
and static connections. Select Status and Statistics>System Summary from the left navigation pane of
the Web interface to view this information.
System Log
The “System Log” window displays a record of all system activity, including what actions were performed,
what packets were dropped and what packets were forwarded. This information allows you to make
informed decisions about the need to add new filter rules.
The System Log contains a maximum of 200 entries; each entry may contain a maximum of 200
characters. Select Status and Statistics>System Log from the left navigation pane of the Web interface
to view the “System Log” window.
To update the display, click Refresh.
To clear the log, click Clear Log.
To change the events displayed in the log, modify the Log Display Options, then click Apply.
ATM Statistics
View status and statistical information for the WAN-side Asynchronous Transfer Mode (ATM)
network connection. The WAN-side connection to the service provider is based on an
Asynchronous Transfer Mode (ATM) network connection. In addition, statistical information is
provided for each Virtual Circuit (VC) configured under the ATM Adaptation Layer (AAL).
Select Status and Statistics>ATM/AAL from the left navigation pane of the Web interface to
view ATM/AAL statistics. This window displays ATM connection status, uptime, and
transmit/receive data, VPI/VCIs and related data for each circuit.
DSL Statistics
View status and statistical information for the Digital Subscriber Line (DSL) when the
physical WAN-side connection to the service provider is achieved through a DSL line.
Statistical information is accumulated over periodic intervals and may be displayed for up
to a 24 hour period.
Select Status and Statistics>DSL from the left navigation pane of the Web interface to view
DSL statistics. This displays information about the DSL connection.