SmartDefense Categories
222
Check Point ZoneAlarm User Guide
Checksum Verification
SmartDefense identifies any IP, TCP, or UDP packets with incorrect checksums. You can
configure how these packets should be handled.
Table 50: Checksum Verification Fields

Action: Specify what action to take when packets with incorrect checksums are detected, by selecting one of the following:
• Block. Block the packets. This is the default.
• None. No action.

Track: Specify whether to log packets with incorrect checksums, by selecting one of the following:
• Log. Log the packets.
• None. Do not log the packets. This is the default.
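The check behind this protection is the RFC 1071 Internet checksum, and it is worth seeing why IP, TCP and UDP are verified separately. The Python example below is added here and is not ZoneAlarm code: it builds a constructed IPv4/UDP packet with correct checksums, verifies the IPv4 header checksum and the UDP checksum (which also covers a pseudo-header of addresses, protocol and length), and then applies the Action and Track choices of Table 50 to a damaged copy. The function names, the sample addresses and the `inspect` return convention are assumptions.

```python
import struct
from typing import Tuple

IPPROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # odd length is zero-padded on the right
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum_ok(packet: bytes) -> bool:
    """A correct header (checksum field included) sums to 0xFFFF, so it complements to 0."""
    ihl = (packet[0] & 0x0F) * 4
    return internet_checksum(packet[:ihl]) == 0


def udp_checksum_ok(packet: bytes) -> bool:
    """The UDP checksum covers a pseudo-header (addresses, protocol, length) plus the datagram."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True                          # over IPv4, 0 means "no checksum computed"
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    return internet_checksum(pseudo + udp) == 0


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test packet (minimal 20-byte IPv4 header) with correct IP and UDP checksums."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    udp_len = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    udp_csum = internet_checksum(pseudo + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum or 0xFFFF) + payload
    hdr_fmt = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst
    ip_hdr = struct.pack(hdr_fmt, 0x45, 0, 20 + udp_len, 0x1234, 0, 64, IPPROTO_UDP, 0, src_b, dst_b)
    ip_csum = internet_checksum(ip_hdr)
    return struct.pack(hdr_fmt, 0x45, 0, 20 + udp_len, 0x1234, 0, 64, IPPROTO_UDP, ip_csum,
                       src_b, dst_b) + udp


def inspect(packet: bytes, action: str = "Block", track: str = "None") -> Tuple[str, bool]:
    """Apply the Table 50 settings (defaults Action=Block, Track=None); returns (verdict, logged)."""
    bad = not ipv4_header_checksum_ok(packet)
    if not bad and packet[9] == IPPROTO_UDP:
        bad = not udp_checksum_ok(packet)
    if not bad:
        return ("pass", False)
    return ("block" if action == "Block" else "pass", track == "Log")


if __name__ == "__main__":
    pkt = build_ipv4_udp("192.0.2.1", "198.51.100.7", 40000, 53, b"hello")
    damaged = bytearray(pkt)
    damaged[-1] ^= 0x01   # one payload bit flipped: IP header checksum still valid, UDP checksum not
    print(inspect(pkt), inspect(bytes(damaged)), inspect(bytes(damaged), "None", "Log"))
```

The payload flip in the usage block is the instructive case: the IPv4 checksum protects only the header, so a packet with a corrupted UDP payload still passes the IP check and is caught only by the transport-layer verification.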
Chapter 11: Using SmartDefense
TCP
This category allows you to configure various protections related to the TCP protocol. It includes the following:
• Flags (on page 229)
• Sequence Verifier (on page 228)
• Small PMTU (on page 224)
• Strict TCP (on page 223)
• SynDefender (on page 226)
Strict TCP
Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.

Note: In normal conditions, out-of-state TCP packets can occur after ZoneAlarm restarts, since connections that were established prior to the reboot are unknown. This is normal and does not indicate an attack.

You can configure how out-of-state TCP packets should be handled.
Table 51: Strict TCP

Action: Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following:
• Block. Block the packets.
• None. No action. This is the default.

Track: Specify whether to log null payload ping packets, by selecting one of the following:
• Log. Log the packets. This is the default.
• None. Do not log the packets.
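A minimal version of the state tracking that makes "out-of-state" meaningful, and of the restart effect described in the note above, as an added Python example that is not ZoneAlarm code. It remembers connections by their opening SYN, reports any SYN-ACK or data segment for a connection it has not seen, and applies the Table 51 defaults (Action=None, Track=Log). The class, the flag constants and the sample addresses are assumptions; connection teardown is not tracked, to keep the example short.

```python
from typing import List, Set, Tuple

# TCP flag bits as defined in RFC 793
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

ConnKey = Tuple[Tuple[str, int], Tuple[str, int]]


class StrictTcpMonitor:
    """Flags TCP segments that arrive for a connection whose SYN was never seen.

    Defaults follow Table 51: Action=None (the packet is still passed), Track=Log.
    """

    def __init__(self, action: str = "None", track: str = "Log") -> None:
        self.action = action
        self.track = track
        self.known: Set[ConnKey] = set()     # connections whose opening SYN was observed
        self.log: List[str] = []

    @staticmethod
    def _key(src: str, sport: int, dst: str, dport: int) -> ConnKey:
        # direction-independent key so both halves of a connection map to one entry
        ends = sorted([(src, sport), (dst, dport)])
        return (ends[0], ends[1])

    def segment(self, src: str, sport: int, dst: str, dport: int,
                flags: int, payload_len: int = 0) -> str:
        """Return 'pass' or 'block' for one segment; out-of-state segments are logged."""
        key = self._key(src, sport, dst, dport)
        if flags & SYN and not flags & ACK:  # opening SYN: the connection is now known
            self.known.add(key)
            return "pass"
        if key in self.known:                # SYN-ACK or data for a connection we saw open
            return "pass"
        # SYN-ACK or data segment with no preceding SYN: out-of-state
        kind = "SYN-ACK" if flags & SYN else "data (%d bytes)" % payload_len
        if self.track == "Log":
            self.log.append("out-of-state %s %s:%d -> %s:%d" % (kind, src, sport, dst, dport))
        return "block" if self.action == "Block" else "pass"

    def restart(self) -> None:
        """Model a ZoneAlarm restart: connections established before it become unknown."""
        self.known.clear()


if __name__ == "__main__":
    mon = StrictTcpMonitor()
    mon.segment("10.0.0.5", 50000, "203.0.113.9", 443, SYN)            # constructed handshake
    mon.segment("203.0.113.9", 443, "10.0.0.5", 50000, SYN | ACK)
    mon.segment("10.0.0.5", 50000, "203.0.113.9", 443, ACK | PSH, 120)
    mon.restart()                                                        # state lost
    mon.segment("10.0.0.5", 50000, "203.0.113.9", 443, ACK | PSH, 120)  # now out-of-state
    print(mon.log)
```

After `restart()` the same data segment that passed silently a moment earlier is reported as out-of-state, which is exactly the benign post-reboot case the note warns about; with the default Action=None it is still passed, only logged.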
Small PMTU
Small PMTU (Packet MTU) is a bandwidth attack in which the client fools the server into
sending large amounts of data using small packets. Each packet has a large overhead that
creates a "bottleneck" on the server.
You can protect against this attack by specifying a minimum packet size for data sent over
the Internet.
Table 52: Small PMTU Fields

Action: Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following:
• Block. Block the packet.
• None. No action. This is the default.

Track: Specify whether to issue logs for packets that are smaller than the Minimal MTU Size threshold, by selecting one of the following:
• Log. Issue logs. This is the default.
• None. Do not issue logs.

Minimal MTU Size: Type the minimum value allowed for the MTU field in IP packets sent by a client. An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped. The default value is 300.
SynDefender
In a SYN attack, the attacker sends many SYN packets without finishing the three-way
handshake. This causes the attacked host to be unable to accept new connections.
You can protect against this attack by specifying a maximum amount of time for
completing handshakes.
Table 53: SynDefender Fields

Action: Specify what action to take when a SYN attack occurs, by selecting one of the following:
• Block. Block the packet. This is the default.
• None. No action.
A SYN attack is when more than 5 incomplete TCP handshakes are detected within 10 seconds. A handshake is considered incomplete when it exceeds the Maximum time for completing the handshake threshold.

Track: Specify whether to issue logs for the events specified by the Log Mode parameter, by selecting one of the following:
• Log. Issue logs. This is the default.
• None. Do not issue logs.
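The detection rule in Table 53 (a handshake becomes "incomplete" once it has been pending longer than the maximum handshake time; more than 5 incomplete handshakes within 10 seconds is an attack) can be written as a small timing monitor. The Python example below is added here and is not ZoneAlarm code. The default value of the maximum handshake time is not given on this page, so the 3-second default in the code is a constructed value; the class, its method names, the log wording and the sample addresses are assumptions, and logging is tied to attack detection because the Log Mode parameter is not described here.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

ConnKey = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


class SynDefender:
    """Times TCP handshakes and declares a SYN attack when too many stay incomplete.

    Thresholds follow Table 53: more than max_incomplete (5) handshakes declared
    incomplete within window_secs (10) seconds is an attack; a handshake is incomplete
    once it has been pending longer than max_handshake_secs (3.0 is a constructed
    default; the product's default is not given on this page).
    """

    def __init__(self, max_handshake_secs: float = 3.0, max_incomplete: int = 5,
                 window_secs: float = 10.0, action: str = "Block", track: str = "Log") -> None:
        self.max_handshake_secs = max_handshake_secs
        self.max_incomplete = max_incomplete
        self.window_secs = window_secs
        self.action = action
        self.track = track
        self.pending: Dict[ConnKey, float] = {}   # SYN seen, final ACK not yet seen
        self.incomplete: Deque[float] = deque()   # times at which handshakes were declared incomplete
        self.log: List[str] = []
        self.under_attack = False

    def tick(self, now: float) -> bool:
        """Expire overdue handshakes, slide the window and re-evaluate the attack flag."""
        for key, t_syn in list(self.pending.items()):
            if now - t_syn > self.max_handshake_secs:
                del self.pending[key]
                self.incomplete.append(now)
        while self.incomplete and now - self.incomplete[0] > self.window_secs:
            self.incomplete.popleft()
        was_under_attack = self.under_attack
        self.under_attack = len(self.incomplete) > self.max_incomplete
        if self.under_attack and not was_under_attack and self.track == "Log":
            self.log.append("t=%.1f: SYN attack, %d incomplete handshakes within %.0fs"
                            % (now, len(self.incomplete), self.window_secs))
        return self.under_attack

    def on_syn(self, key: ConnKey, now: float) -> str:
        """Decide for a new SYN: 'block' only while under attack with Action=Block."""
        self.tick(now)
        if self.under_attack and self.action == "Block":
            return "block"
        self.pending[key] = now
        return "pass"

    def on_handshake_complete(self, key: ConnKey, now: float) -> None:
        """The final ACK of the three-way handshake arrived: nothing left to time."""
        self.pending.pop(key, None)
        self.tick(now)


if __name__ == "__main__":
    d = SynDefender()
    d.on_syn(("10.0.0.8", 51000, "192.0.2.10", 80), 0.0)          # constructed normal client
    d.on_handshake_complete(("10.0.0.8", 51000, "192.0.2.10", 80), 0.2)
    for i in range(6):                                             # six SYNs never completed
        d.on_syn(("198.51.100.%d" % i, 40000 + i, "192.0.2.10", 80), 0.5 + 0.1 * i)
    print(d.tick(2.0), d.tick(4.5), d.on_syn(("203.0.113.77", 41000, "192.0.2.10", 80), 4.6))
    print(d.log)
```

Two details matter for tuning the Maximum time for completing the handshake setting: a legitimate client that finishes its handshake quickly is never counted, and the attack flag clears on its own once the detections age out of the 10-second window, so a short burst of slow clients does not keep new connections blocked indefinitely.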