SmartDefense Categories
Chapter 11: Using SmartDefense
Network Quota
An attacker may try to overload a server in your network by establishing a very large
number of connections per second. To protect against Denial Of Service (DoS) attacks,
Network Quota enforces a limit upon the number of connections per second that are
allowed from the same source IP address.
You can configure how connections that exceed that limit should be handled.
Table 46: Network Quota Fields

| In this field… | Do this… |
|---|---|
| Action | Specify what action to take when the number of network connections from the same source reaches the Max. Connections/Second per Source IP threshold. Select one of the following: Block: Block all new connections from the source. Existing connections will not be blocked. This is the default. None: No action. |
| Track | Specify whether to log connections from a specific source that exceed the Max. Connections/Second per Source IP threshold, by selecting one of the following: Log: Log the connections. This is the default. None: Do not log the connections. |
Check Point ZoneAlarm User Guide

| In this field… | Do this… |
|---|---|
| Max. Connections/Second from Same Source IP | Type the maximum number of network connections allowed per second from the same source IP address. The default value is 100. Set a lower threshold for stronger protection against DoS attacks. Note: Setting this value too low can lead to false alarms. |
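
The following is an added example, not taken from the guide or from Check Point's code, that models the Network Quota settings above over constructed connection events and shows how lowering the threshold starts flagging an ordinary busy client. The fixed one-second counting windows, the function names, and the sample addresses are assumptions.

```python
from collections import defaultdict

def sample_events():
    """Constructed sample: (timestamp in seconds, source IP) per new connection."""
    events = [(i * 0.005, "198.51.100.7") for i in range(150)]      # 150 attempts within second 0
    events += [(0.10 + i * 0.02, "192.0.2.10") for i in range(40)]  # busy but ordinary client
    events.append((1.2, "198.51.100.7"))                            # same source, next second
    return sorted(events)

def apply_network_quota(events, max_per_second=100, action="block", track="log"):
    """Model the Action / Track / Max. Connections/Second fields.

    Returns (verdicts, log): verdicts[i] is 'accept' or 'block' for events[i];
    log lists (timestamp, source, count) for connections over the limit.
    """
    counts = defaultdict(int)          # (source IP, whole second) -> connections seen
    verdicts, log = [], []
    for ts, src in events:
        window = int(ts)               # assumption: fixed one-second windows
        counts[(src, window)] += 1
        over = counts[(src, window)] > max_per_second
        if over and track == "log":    # Track: Log (default) or None
            log.append((ts, src, counts[(src, window)]))
        # Action: Block refuses only new connections over the limit; None lets them through
        verdicts.append("block" if over and action == "block" else "accept")
    return verdicts, log

def blocked_by_source(events, verdicts):
    """Count blocked connections per source IP."""
    blocked = defaultdict(int)
    for (_, src), verdict in zip(events, verdicts):
        if verdict == "block":
            blocked[src] += 1
    return dict(blocked)

if __name__ == "__main__":
    events = sample_events()
    for limit in (100, 30):            # default threshold, then a stricter one
        verdicts, log = apply_network_quota(events, max_per_second=limit)
        print(limit, blocked_by_source(events, verdicts), "logged:", len(log))
```

With the default of 100 only the flooding source is blocked; at 30 the 40-connection client is also blocked, which is the false-alarm case the note warns about.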
Welchia
The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability. After
infecting a computer, the worm begins searching for other live computers to infect. It does
so by sending a specific ping packet to a target and waiting for the reply that signals that
the target is alive. This flood of pings may disrupt network connectivity.
You can configure how the Welchia worm should be handled.
Table 47: Welchia Fields

| In this field… | Do this… |
|---|---|
| Action | Specify what action to take when the Welchia worm is detected, by selecting one of the following: Block: Block the attack. This is the default. None: No action. |
| Track | Specify whether to log Welchia worm attacks, by selecting one of the following: Log: Log the attack. This is the default. None: Do not log the attack. |
Cisco IOS DOS
Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4)
packets by default. When a Cisco IOS device is sent a specially crafted sequence of IPv4
packets (with protocol type 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 - Protocol
Independent Multicast - PIM), the router will stop processing inbound traffic on that
interface.
You can configure how Cisco IOS DOS attacks should be handled.
Table 48: Cisco IOS DOS

| In this field… | Do this… |
|---|---|
| Action | Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following: Block: Block the attack. This is the default. None: No action. |
| Track | Specify whether to log Cisco IOS DOS attacks, by selecting one of the following: Log: Log the attack. This is the default. None: Do not log the attack. |
| Number of Hops to Protect | Type the number of hops from the enforcement module within which Cisco routers should be protected. The default value is 10. |
| Action Protection for SWIPE - Protocol 53 / IP Mobility - Protocol 55 / SUN-ND - Protocol 77 / PIM - Protocol 103 | Specify what action to take when an IPv4 packet of the specific protocol type is received, by selecting one of the following: Block: Drop the packet. This is the default. None: No action. |
Null Payload
Some worms, such as Sasser, use ICMP echo request packets with null payload to detect
potentially vulnerable hosts.
You can configure how null payload ping packets should be handled.
Table 49: Null Payload Fields

| In this field… | Do this… |
|---|---|
| Action | Specify what action to take when null payload ping packets are detected, by selecting one of the following: Block: Block the packets. This is the default. None: No action. |
| Track | Specify whether to log null payload ping packets, by selecting one of the following: Log: Log the packets. This is the default. None: Do not log the packets. |