Use the Attack Protection page to specify how to protect your network against common types of attacks including discovery, flooding, and echo storms.
1. Click Firewall > Attack Protection.
2. In the WAN Security Checks area, enter the following information:
• Block Ping WAN Interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests. We recommend that you disable this feature only if you need to allow the security appliance to respond to pings for diagnostic purposes.
• Stealth Mode: Check this box to prevent the security appliance from responding to incoming connection requests from the WAN ports. In Stealth Mode, the security appliance does not respond to blocked inbound connection requests, and your network is less susceptible to discovery and attacks.
• Block TCP Flood: Check this box to drop all invalid TCP packets. This feature protects your network from a SYN flood attack, in which an attacker sends a succession of SYN (synchronize) requests to a target system without completing the handshakes, tying up the target's half-open connection table. It blocks TCP SYN floods (more than 200 TCP packets per second) arriving on the WAN ports.
3. In the LAN Security Checks section, enter the following information:
• Block UDP Flood: Check this box to limit the number of simultaneous, active UDP connections from a single computer on the LAN. If you enable this feature, also enter the number of connections to allow per host per second. The default value is 500, and the valid range is from 100 to 10,000. When this limit is reached, the security appliance considers it a UDP flood attack and drops all connections from the host.
4. In the Firewall Settings area, enter the following information:
• Block ICMP Notification: Check this box to silently drop blocked packets without sending an ICMP error message to the sender. Some protocols, such as Path MTU Discovery, depend on those ICMP messages (for example, Fragmentation Needed); if you enable this option, connections that rely on them can stall.
• Block Fragmented Packets: Check this box to block fragmented packets from Any zone to Any zone.
• Block Multicast Packets: Check this box to block multicast packets. By default, the firewall blocks all multicast packets. This feature has higher priority than the firewall rules, which means that any firewall rules that permit multicast traffic are overridden when this feature is enabled.
5. In the DoS Attacks area, enter the following information:
• SYN Flood Detect Rate: Enter the number of SYN packets per second above which the security appliance determines that a SYN Flood intrusion is occurring. Enter a value from 0 to 65535 SYN packets per second. The default value is 128 SYN packets per second. A value of zero (0) disables the SYN Flood Detect feature.
• Echo Storm: Enter the number of pings per second above which the security appliance determines that an echo storm intrusion event is occurring. Enter a value from 0 to 65535 ping packets per second. The default value is 15 ping packets per second. A value of zero (0) disables the Echo Storm feature.
• ICMP Flood: Enter the number of ICMP packets per second, including ping packets, above which the security appliance determines that an ICMP flood intrusion event is occurring. Enter a value from 0 to 65535 ICMP packets per second. The default value is 100 ICMP packets per second. A value of zero (0) disables the ICMP Flood feature.
NOTE: When one of the DoS attack thresholds is exceeded, traffic of that kind is dropped.
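The following Python is an added example, not the appliance's firmware or any Cisco code. It models the rate-threshold logic that steps 3 and 5 describe (SYN Flood Detect Rate, Echo Storm, ICMP Flood, and the per-host Block UDP Flood limit) over constructed sample traffic, so you can see which packets a given set of thresholds would drop. Assumptions: packets are bucketed into whole seconds; a check fires when the count in a second is strictly greater than the configured value (the NOTE's "exceeded"); 0 disables a check; a "SYN packet" is a TCP packet with SYN set; the class, function and field names and all IP addresses are invented for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    second: int                       # timestamp bucketed to whole seconds
    src: str                          # source IP (constructed in sample_traffic)
    proto: str                        # "tcp", "udp" or "icmp"
    syn: bool = False                 # TCP SYN (new connection attempt)
    icmp_type: Optional[int] = None   # 8 = echo request (ping)


@dataclass
class DosThresholds:
    # Defaults are the page's defaults; 0 disables a check.
    syn_flood_rate: int = 128     # SYN packets per second, 0..65535
    echo_storm: int = 15          # ping packets per second, 0..65535
    icmp_flood: int = 100         # all ICMP packets per second, 0..65535
    block_udp_flood: bool = True
    udp_per_host: int = 500       # UDP connections per host per second, 100..10000


def validate(t: DosThresholds) -> None:
    """Reject values outside the ranges the page documents."""
    for name in ("syn_flood_rate", "echo_storm", "icmp_flood"):
        v = getattr(t, name)
        if not 0 <= v <= 65535:
            raise ValueError(f"{name}={v} is outside 0..65535")
    if t.block_udp_flood and not 100 <= t.udp_per_host <= 10000:
        raise ValueError(f"udp_per_host={t.udp_per_host} is outside 100..10000")


def buckets(p: Packet):
    """The (second, kind, key) counters one packet contributes to.

    kind is 'syn', 'icmp' or 'ping' (global, key '*') or 'udp' (key = source host).
    An echo request counts toward both ICMP Flood and Echo Storm.
    """
    if p.proto == "tcp" and p.syn:
        return [(p.second, "syn", "*")]
    if p.proto == "icmp":
        b = [(p.second, "icmp", "*")]
        if p.icmp_type == 8:
            b.append((p.second, "ping", "*"))
        return b
    if p.proto == "udp":
        return [(p.second, "udp", p.src)]
    return []


def flagged_buckets(packets, t: DosThresholds):
    """Counters whose per-second count exceeded the configured threshold."""
    validate(t)
    counts = Counter(b for p in packets for b in buckets(p))
    limits = {"syn": t.syn_flood_rate, "ping": t.echo_storm, "icmp": t.icmp_flood,
              "udp": t.udp_per_host if t.block_udp_flood else 0}
    return {b for b, n in counts.items() if limits[b[1]] > 0 and n > limits[b[1]]}


def enforce(packets, t: DosThresholds):
    """Apply the NOTE: drop traffic of a kind whose threshold was exceeded."""
    flagged = flagged_buckets(packets, t)
    kept, dropped = [], []
    for p in packets:
        (dropped if any(b in flagged for b in buckets(p)) else kept).append(p)
    return kept, dropped


def sample_traffic():
    """Constructed sample: second 0 is normal; second 1 carries a SYN flood from
    many spoofed sources plus a ping storm (one other ICMP message mixed in);
    in second 2 one LAN host opens 600 UDP connections while a neighbour opens 50."""
    pk = [Packet(0, "10.0.0.5", "tcp", syn=True) for _ in range(20)]
    pk += [Packet(0, "10.0.0.5", "icmp", icmp_type=8) for _ in range(5)]
    pk += [Packet(1, f"203.0.113.{i % 250 + 1}", "tcp", syn=True) for i in range(300)]
    pk += [Packet(1, "198.51.100.7", "icmp", icmp_type=8) for _ in range(40)]
    pk += [Packet(1, "198.51.100.9", "icmp", icmp_type=3)]   # destination unreachable
    pk += [Packet(2, "192.168.1.20", "udp") for _ in range(600)]
    pk += [Packet(2, "192.168.1.21", "udp") for _ in range(50)]
    return pk


if __name__ == "__main__":
    kept, dropped = enforce(sample_traffic(), DosThresholds())
    for b in sorted(flagged_buckets(sample_traffic(), DosThresholds())):
        print("flagged:", b)
    print(f"kept {len(kept)} packets, dropped {len(dropped)}")
```

With the defaults, second 1 trips SYN Flood Detect (300 > 128) and Echo Storm (40 > 15) but not ICMP Flood (41 ICMP packets in total, under 100), so the 40 pings are dropped while the single unreachable message passes; in second 2 only the host at 600 UDP connections is cut off. Setting `echo_storm=0` shows the "0 disables" rule: the ping storm is then only counted toward ICMP Flood and sails through.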