Manual Chapter : Adjusting Global Settings

Applies To:

Show Versions Show Versions
Manual Chapter

Adjusting Global Settings

Overview: Adjusting global settings

DDoS Hybrid Defender uses reasonable default settings for the global system settings. Some environments may require adjustments to port numbers, allowed protocols, or thresholds that signal an attack. For example, you may use a different DNS or SIP port number from the one that is configured. In that case, you can change it.
Many of the thresholds indicate the value at which a packet, header, URI, or other setting is considered too large, too small, or not typical. This does not necessarily indicate an attack. It means that the value is unusual enough that you should take a look at what's happening on the system. You may want to change the global settings because the traffic should be allowed and should not cause alarm.
However, note that adjusting these settings should be needed only in rare cases. The changes should be made only by an administrator familiar with the applications, servers, or other network objects that DDoS Hybrid Defender is protecting.

Adjusting global settings

You can adjust global settings on DDoS Hybrid Defender if the default values are not right for your environment.
  1. On the Main tab, click
    DoS Setup
    Global
    .
  2. Review the global settings to see if they are appropriate for your system.
    A reference table or the help describes the settings.
  3. Adjust the value of the setting you want to change.
  4. Click
    Update
    .
The global settings are applied at the system level.

Global settings reference table

You need to adjust the global settings only if something is not working correctly. For example, if your systems use a DNS port other than 53.

Flow Eviction Policy

Setting
Default Value
What It Specifies
Trigger Thresholds
High water mark 95%; Low water mark 85%
Specifies a high and low water mark that is a percentage of the quota of flows before flow eviction starts (high water mark) and ends (low water mark).
Strategies
None
Specifies which traffic flows to drop as much as possible:
  • Oldest
    : Drops the oldest existing flows.
  • Idle
    : Drops the flows that have been the least busy the longest.
  • Busiest
    : Drops the flows that have been busiest the longest.
Slow Flow Detection
  • Not enabled
  • Max Slow Flows: 100
  • Slow Threshold: 32
Enables the features and specifies what constitutes slow flows:
  • Max Slow Flows
    : Specifies the maximum percentage of slow flows allowed on the system.
  • Slow Threshold
    : Specifies the rate (bytes/sec) below which a flow is considered slow.

Ports & VLANS

Setting
Default Value
What It Specifies
UDP Port Inclusion/Exclusion List
Exclude
Specifies UDP ports to analyze for DDoS attacks (
Include
) or exclude from analysis (
Exclude
) for all protected objects. One at a time, type the port number, select source and/or destination, and click
Add
.
DNS Port
53
Specifies which port to use for DNS traffic, if the default of 53 is not correct.
DNS VLAN
0
Specifies which VLAN should receive external DNS responses. The default is 0, all VLANs.
SIP Port
5060
Specifies which port to use for SIP traffic, if the default of 5060 is not correct.

Allowed Protocols & Options

Setting
Default Value
What It Specifies
Allowed non-Standard IP Protocols
Protocol 1 & 2: 255
Specifies the protocol number of one or two IP protocols that the Unknown IP Protocol DoS vector should treat as known (that is, ignored). Note: Though valid values are 0-255, IP protocols 0-142 are already known by the vector so specifying an IP protocol number in that range has no effect on the behavior of the vector.
Allowed non-Standard ICMPv6 Types
Type 1 & 2: 158
Specifies one or two additional ICMPv6 message types for the Unknown ICMPv6 Message Type vector to treat as known (that is, ignored). The allowed values are 0-254. However, ICMPv6 message types 0-132, 134, and 135 are already ignored by the vector so specifying one of those message types has no effect on the behavior of the vector.
Allowed non-Standard TCP Options
Type 1 & 2: 0
Specifies one or two TCP option types for the Unknown TCP Option Type vector to treat as known (that is, ignored). Though valid values are 0-255, option types 0-5, 8, 19-21, 30, 34, 128, and 254 are allowed and have no effect on the behavior of the vector.

Thresholds

Setting
Default Value
What It Specifies
IPv6 Single Endpoint Prefix Length
128
Specifies whether a single endpoint in IPv6 is /64 or /128 (or some other prefix).
IPv4 Low TTL
1
Defines the minimum acceptable value for TTL (time to live) in the IPv4 header.
IPv6 Low Hop Count
1
Specifies the minimum acceptable value for IPv6 Hop Count.
Too Large DNS Packet
4096
Specifies the size at which a DNS packet is considered oversized.
Too Large ICMPv4 Packet
1480
Specifies the size at which an ICMPv4 packet is considered oversized.
Too Large ICMPv6 Packet
1460
Specifies the size at which an ICMPv6 packet is considered oversized.
Too Large IPv6 Extension Header
128
Specifies the size at which an IPv6 Extension Header is considered oversized.
Too Many IPv6 Extension Headers
4
Specifies the number of IPv6 Extension Headers that are considered too many.
Too Long SIP URI
1024
Specifies the length at which a SIP URI is considered too long.
Too Small TCP Window Size
0
Specifies the window size that is considered too small.
Too Large TCP SYN Packet
64
Specifies the size at which a TCP SYN packet is considered oversized.