Manual Chapter: Adjusting Global Settings
Overview: Adjusting global settings
DDoS Hybrid Defender™ uses reasonable default settings for the global
system settings. Some environments may require adjustments to port numbers, allowed protocols, or
thresholds that signal an attack. For example, you may use a different DNS or SIP port number
from the one that is configured. In that case, you can change it.
Many of the thresholds indicate the value at which a packet, header, URI, or other setting is
considered too large, too small, or not typical. This does not necessarily indicate an attack. It
means that the value is unusual enough that you should take a look at what's happening on the
system. You may want to change the global settings because the traffic should be allowed and
should not cause alarm.
However, note that adjusting these settings should be needed only in rare cases. The changes
should be made only by an administrator familiar with the applications, servers, or other network
objects that DDoS Hybrid Defender is protecting.
Adjusting global settings
You can adjust global settings on DDoS Hybrid Defender™ if the
default values are not right for your environment.
- On the Main tab, click.
- Review the global settings to see if they are appropriate for your system. A reference table or the help describes the settings.
- Adjust the value of the setting you want to change.
- Click Update.
The global settings are applied at the system level.
Global settings reference table
You need to adjust the global settings only if something is not working correctly, for
example, if your systems use a DNS port other than 53.
Flow Eviction Policy
Setting | Default Value | What It Specifies |
---|---|---|
Trigger Thresholds | High water mark 95%; Low water mark 85% | Specifies a high and low water mark that is a percentage of the quota of flows before flow eviction starts (high water mark) and ends (low water mark). |
Strategies | None | Specifies which traffic flows to drop as much as possible: |
Slow Flow Detection | | Enables the features and specifies what constitutes slow flows: |
Ports & VLANs
Setting | Default Value | What It Specifies |
---|---|---|
UDP Port Inclusion/Exclusion List | Exclude | Specifies UDP ports to analyze for DDoS attacks (Include) or exclude from analysis (Exclude) for all protected objects. One at a time, type the port number, select source and/or destination, and click Add. |
DNS Port | 53 | Specifies which port to use for DNS traffic, if the default of 53 is not correct. |
DNS VLAN | 0 | Specifies which VLAN should receive external DNS responses. The default is 0, all VLANs. |
SIP Port | 5060 | Specifies which port to use for SIP traffic, if the default of 5060 is not correct. |
Allowed Protocols & Options
Setting | Default Value | What It Specifies |
---|---|---|
Allowed non-Standard IP Protocols | Protocol 1 & 2: 255 | Specifies the protocol number of one or two IP protocols that the Unknown IP Protocol DoS vector should treat as known (that is, ignored). Note: Though valid values are 0-255, IP protocols 0-142 are already known by the vector so specifying an IP protocol number in that range has no effect on the behavior of the vector. |
Allowed non-Standard ICMPv6 Types | Type 1 & 2: 158 | Specifies one or two additional ICMPv6 message types for the Unknown ICMPv6 Message Type vector to treat as known (that is, ignored). The allowed values are 0-254. However, ICMPv6 message types 0-132, 134, and 135 are already ignored by the vector so specifying one of those message types has no effect on the behavior of the vector. |
Allowed non-Standard TCP Options | Type 1 & 2: 0 | Specifies one or two TCP option types for the Unknown TCP Option Type vector to treat as known (that is, ignored). Though valid values are 0-255, option types 0-5, 8, 19-21, 30, 34, 128, and 254 are allowed and have no effect on the behavior of the vector. |
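
A pre-change check for the three settings above, added here as an example (it is not F5 code): it uses the valid and already-known ranges from the table to flag values that are invalid, have no effect, or would make a vector ignore an additional protocol, message type, or option. The setting keys and the sample change request are hypothetical.

```python
# Added example: ranges are transcribed from the reference table above.
# Setting keys ("ip_protocol", ...) are hypothetical names, not product identifiers.

def expand(*parts):
    """Build a set from ints and inclusive (low, high) tuples."""
    out = set()
    for part in parts:
        if isinstance(part, tuple):
            out.update(range(part[0], part[1] + 1))
        else:
            out.add(part)
    return out

RULES = {
    "ip_protocol": {"valid": (0, 255), "default": 255, "known": expand((0, 142))},
    "icmpv6_type": {"valid": (0, 254), "default": 158, "known": expand((0, 132), 134, 135)},
    "tcp_option": {"valid": (0, 255), "default": 0,
                   "known": expand((0, 5), 8, (19, 21), 30, 34, 128, 254)},
}

def classify(setting, value):
    """Return 'invalid', 'default', 'no-effect' or 'effective' for one value."""
    rule = RULES[setting]
    low, high = rule["valid"]
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        return "invalid"
    if value == rule["default"]:
        return "default"
    if value in rule["known"]:
        return "no-effect"      # the vector already treats this value as known
    return "effective"          # the vector will stop flagging this value

def review(proposed):
    """proposed maps a setting name to the list of values an admin wants to enter."""
    findings = []
    for setting, values in proposed.items():
        if setting not in RULES:
            findings.append((setting, None, "unknown-setting"))
        elif not 1 <= len(values) <= 2:
            findings.append((setting, None, "needs-one-or-two-values"))
        else:
            findings.extend((setting, v, classify(setting, v)) for v in values)
    return findings

# Constructed change request, for illustration only.
SAMPLE = {"ip_protocol": [47, 253], "icmpv6_type": [133, 255], "tcp_option": [0, 28]}

if __name__ == "__main__":
    for setting, value, status in review(SAMPLE):
        print(f"{setting:12} {value!s:>4}  {status}")
```

Every `effective` result narrows what the corresponding Unknown vector reports, so it is the entry to justify in change review.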
Thresholds
Setting | Default Value | What It Specifies |
---|---|---|
IPv6 Single Endpoint Prefix Length | 128 | Specifies whether a single endpoint in IPv6 is /64 or /128 (or some other prefix). |
IPv4 Low TTL | 1 | Defines the minimum acceptable value for TTL (time to live) in the IPv4 header. |
IPv6 Low Hop Count | 1 | Specifies the minimum acceptable value for IPv6 Hop Count. |
Too Large DNS Packet | 4096 | Specifies the size at which a DNS packet is considered oversized. |
Too Large ICMPv4 Packet | 1480 | Specifies the size at which an ICMPv4 packet is considered oversized. |
Too Large ICMPv6 Packet | 1460 | Specifies the size at which an ICMPv6 packet is considered oversized. |
Too Large IPv6 Extension Header | 128 | Specifies the size at which an IPv6 Extension Header is considered oversized. |
Too Many IPv6 Extension Headers | 4 | Specifies the number of IPv6 Extension Headers that are considered too many. |
Too Long SIP URI | 1024 | Specifies the length at which a SIP URI is considered too long. |
Too Small TCP Window Size | 0 | Specifies the window size that is considered too small. |
Too Large TCP SYN Packet | 64 | Specifies the size at which a TCP SYN packet is considered oversized. |