Manual Chapter: Adjusting Global Settings

Overview: Adjusting global settings

DDoS Hybrid Defender™ uses reasonable default settings for the global system settings. Some environments may require adjustments to port numbers, allowed protocols, or thresholds that signal an attack. For example, you may use a different DNS or SIP port number from the one that is configured. In that case, you can change it.

Many of the thresholds indicate the value at which a packet, header, URI, or other setting is considered too large, too small, or atypical. Crossing a threshold does not necessarily indicate an attack; it means the value is unusual enough that you should look at what is happening on the system. If such traffic is legitimate in your environment, you may want to change the global settings so that it is allowed and does not cause an alarm.

However, adjusting these settings should rarely be necessary. Changes should be made only by an administrator familiar with the applications, servers, or other network objects that DDoS Hybrid Defender is protecting.

Adjusting global settings

You can adjust global settings on DDoS Hybrid Defender™ if the default values are not right for your environment.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. On the menu bar, click Global Settings.
  3. Review the global settings to see if they are appropriate for your system.
    A reference table or the help describes the settings.
  4. Adjust the value of the setting you want to change.
  5. Click Commit Changes to System to save the changes.
The global settings are applied at the system level.

Global Settings

You need to adjust the global settings only if something is not working correctly, for example, if your systems use a DNS port other than 53.

Flow Eviction Policy

Trigger Thresholds
  Default: High water mark 95%; Low water mark 85%
  Specifies a high and low water mark, each a percentage of the flow quota, at which flow eviction starts (high water mark) and ends (low water mark).
Strategies
  Default: None
  Specifies which traffic flows to drop as much as possible:
    • Oldest: Drops the oldest existing flows.
    • Idle: Drops the flows that have been the least busy the longest.
    • Busiest: Drops the flows that have been busiest the longest.
Slow Flow Detection
  Default: Not enabled; Max Slow Flows: 100; Slow Threshold: 32
  Enables the feature and specifies what constitutes slow flows:
    • Max Slow Flows: Specifies the maximum percentage of slow flows allowed on the system.
    • Slow Threshold: Specifies the rate (bytes/sec) below which a flow is considered slow.
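The water-mark hysteresis, the three eviction strategies and the slow-flow settings above are easier to reason about in code. The following Python simulation is an added example, not DDoS Hybrid Defender code: the Flow and FlowTable names, the interpretation of Strategies None as "no eviction", the use of average lifetime bytes/sec both as the "busiest" measure and for the Slow Threshold comparison, and the sample flows are all assumptions.

```python
"""Simulation of the Flow Eviction Policy settings: quota with high/low water
marks, the Oldest/Idle/Busiest strategies, and slow-flow detection.
Added example, not DDoS Hybrid Defender code; names and semantics are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Flow:
    flow_id: str
    created_at: float   # seconds on a constructed clock
    last_seen: float    # time of the most recent packet on the flow
    total_bytes: int    # bytes carried so far

    def rate(self, now: float) -> float:
        """Average bytes/sec over the flow's lifetime (0.0 for a brand-new flow)."""
        age = now - self.created_at
        return self.total_bytes / age if age > 0 else 0.0


class FlowTable:
    """Flow quota with water-mark hysteresis: eviction starts when occupancy
    reaches the high water mark and stops once it has fallen to the low water
    mark. Strategy None disables eviction (assumption: the page lists None as
    the default but does not define its behaviour)."""

    def __init__(self, quota: int, high_pct: float = 95.0, low_pct: float = 85.0,
                 strategy: Optional[str] = None) -> None:
        self.high_mark = int(quota * high_pct / 100)
        self.low_mark = int(quota * low_pct / 100)
        self.strategy = strategy
        self.flows: Dict[str, Flow] = {}

    def _victim(self, now: float) -> Flow:
        flows = self.flows.values()
        if self.strategy == "oldest":     # earliest creation time
            return min(flows, key=lambda f: f.created_at)
        if self.strategy == "idle":       # least busy the longest: earliest last packet
            return min(flows, key=lambda f: f.last_seen)
        if self.strategy == "busiest":    # highest sustained byte rate
            return max(flows, key=lambda f: f.rate(now))
        raise ValueError(f"unknown strategy {self.strategy!r}")

    def add(self, flow: Flow, now: float) -> List[str]:
        """Insert a flow, then enforce the water marks; returns the evicted flow ids."""
        self.flows[flow.flow_id] = flow
        evicted: List[str] = []
        if self.strategy is None or len(self.flows) < self.high_mark:
            return evicted
        while len(self.flows) > self.low_mark:
            victim = self._victim(now)
            del self.flows[victim.flow_id]
            evicted.append(victim.flow_id)
        return evicted


def slow_flows(table: FlowTable, now: float, slow_threshold: int = 32) -> List[str]:
    """Ids of flows whose average rate is below the Slow Threshold (bytes/sec)."""
    return [f.flow_id for f in table.flows.values() if f.rate(now) < slow_threshold]


def slow_flow_limit_exceeded(table: FlowTable, now: float, max_slow_pct: float = 100.0,
                             slow_threshold: int = 32) -> bool:
    """True when slow flows make up more than Max Slow Flows percent of the table.
    With the default of 100% the limit can never be exceeded."""
    if not table.flows:
        return False
    pct = 100.0 * len(slow_flows(table, now, slow_threshold)) / len(table.flows)
    return pct > max_slow_pct


def demo(strategy: Optional[str] = "oldest") -> List[str]:
    """Fill a quota-100 table with 100 constructed flows; returns evicted ids in order.
    Flow i starts at second i, was last seen at second 2i, and has carried
    100*(i+1) bytes, so higher-numbered flows are both newer and busier."""
    table = FlowTable(quota=100, strategy=strategy)
    evicted: List[str] = []
    for i in range(100):
        flow = Flow(f"f{i}", created_at=float(i), last_seen=float(2 * i), total_bytes=100 * (i + 1))
        evicted += table.add(flow, now=200.0)
    return evicted


if __name__ == "__main__":
    for name in ("oldest", "idle", "busiest", None):
        print(name, demo(name))
```

With the constructed flows, the table crosses the 95-flow high water mark on the 95th insert and evicts ten flows to get back to the 85-flow low water mark; Oldest and Idle both remove f0 through f9, while Busiest removes f94 down to f85. The five flows added afterwards do not trigger another round because occupancy stays below the high water mark, which is the point of having two marks rather than one.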

Ports & VLANs

UDP Port Inclusion/Exclusion List
  Default: Exclude
  Specifies UDP ports to analyze for DDoS attacks (Include) or to exclude from analysis (Exclude) for all protected objects. One at a time, type the port number, select source and/or destination, and click Add.
DNS Port
  Default: 53
  Specifies which port to use for DNS traffic, if the default of 53 is not correct.
DNS VLAN
  Default: 0
  Specifies which VLAN should receive external DNS responses. The default of 0 means all VLANs.
SIP Port
  Default: 5060
  Specifies which port to use for SIP traffic, if the default of 5060 is not correct.

Allowed Protocols & Options

Allowed non-Standard IP Protocols
  Default: Protocol 1 & 2: 255
  Specifies the protocol number (0-255) of one or two IP protocols to allow in addition to the standard ones (TCP and UDP).
Allowed non-Standard ICMPv6 Types
  Default: Type 1 & 2: 158
  Specifies one or two ICMPv6 types (0-255) to allow.
Allowed non-Standard TCP Types
  Default: Type 1 & 2: 0
  Specifies one or two TCP types (0-255) to allow.

Thresholds

SYN Cookie Activation Threshold
  Default: 2048
  Specifies the number of SYN requests the system can receive before the SYN Cookie protection mechanism activates (protecting against SYN flood attacks).
IPv6 Single Endpoint Prefix Length
  Default: 128
  Specifies whether a single endpoint in IPv6 is /64 or /128 (or some other prefix).
IPv4 Low TTL
  Default: 1
  Defines the minimum acceptable value for TTL (time to live) in the IPv4 header.
IPv6 Low Hop Count
  Default: 1
  Specifies the minimum acceptable value for IPv6 Hop Count.
Too Large DNS Packet
  Default: 4096
  Specifies the size at which a DNS packet is considered oversized.
Too Large ICMPv4 Packet
  Default: 1480
  Specifies the size at which an ICMPv4 packet is considered oversized.
Too Large ICMPv6 Packet
  Default: 1460
  Specifies the size at which an ICMPv6 packet is considered oversized.
Too Large IPv6 Extension Header
  Default: 128
  Specifies the size at which an IPv6 Extension Header is considered oversized.
Too Many IPv6 Extension Headers
  Default: 4
  Specifies the number of IPv6 Extension Headers that is considered too many.
Too Long SIP URI
  Default: 1024
  Specifies the length at which a SIP URI is considered too long.
Too Small TCP Window Size
  Default: 0
  Specifies the window size that is considered too small.
Too Large TCP SYN Packet
  Default: 64
  Specifies the size at which a TCP SYN packet is considered oversized.
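The following Python reference check shows how the Allowed Protocols & Options settings and the Thresholds above apply to individual packets, and how the IPv6 Single Endpoint Prefix Length decides what counts as one endpoint. It is an added example, not DDoS Hybrid Defender code: the Packet fields, the threshold key names, the treatment of ICMP as allowed alongside TCP and UDP, the comparison directions (at or above a "too large" value, below a "low" value, at or below the "too small" window size) and the sample packets are all assumptions.

```python
"""Reference check of the Allowed Protocols and Thresholds global settings.
Added example, not DDoS Hybrid Defender code: Packet fields, key names and
comparison directions are this example's assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default values copied from the Thresholds table; the key names are this example's own.
DEFAULT_THRESHOLDS: Dict[str, int] = {
    "ipv4_low_ttl": 1,
    "ipv6_low_hop_count": 1,
    "too_large_dns_packet": 4096,
    "too_large_icmpv4_packet": 1480,
    "too_large_icmpv6_packet": 1460,
    "too_large_ipv6_ext_header": 128,
    "too_many_ipv6_ext_headers": 4,
    "too_long_sip_uri": 1024,
    "too_small_tcp_window": 0,
    "too_large_tcp_syn_packet": 64,
}
STANDARD_PROTOCOLS = {6, 17}   # TCP and UDP, the standard protocols the page names
ICMP_PROTOCOLS = {1, 58}       # ICMPv4/ICMPv6: assumed allowed, since the page sets ICMP size thresholds


@dataclass
class Packet:
    pkt_id: str
    src: str
    ip_version: int
    protocol: int                  # IP protocol number: 6 TCP, 17 UDP, 1 ICMPv4, 58 ICMPv6
    length: int                    # total packet size in bytes
    ttl: int = 64                  # IPv4 TTL or IPv6 hop count
    ipv6_ext_header_sizes: List[int] = field(default_factory=list)
    dns: bool = False
    tcp_syn: bool = False
    tcp_window: Optional[int] = None
    sip_uri: Optional[str] = None


def check_packet(pkt: Packet, thresholds: Dict[str, int] = DEFAULT_THRESHOLDS,
                 extra_protocols: Tuple[int, int] = (255, 255)) -> List[str]:
    """Return the names of every global-setting condition the packet trips (empty = unremarkable).
    extra_protocols mirrors 'Allowed non-Standard IP Protocols' (default 255 and 255)."""
    t = thresholds
    flags: List[str] = []
    if pkt.protocol not in STANDARD_PROTOCOLS | ICMP_PROTOCOLS | set(extra_protocols):
        flags.append("disallowed_ip_protocol")
    if pkt.ip_version == 4 and pkt.ttl < t["ipv4_low_ttl"]:
        flags.append("ipv4_low_ttl")
    if pkt.ip_version == 6:
        if pkt.ttl < t["ipv6_low_hop_count"]:
            flags.append("ipv6_low_hop_count")
        if any(s >= t["too_large_ipv6_ext_header"] for s in pkt.ipv6_ext_header_sizes):
            flags.append("too_large_ipv6_ext_header")
        if len(pkt.ipv6_ext_header_sizes) >= t["too_many_ipv6_ext_headers"]:
            flags.append("too_many_ipv6_ext_headers")
    if pkt.dns and pkt.length >= t["too_large_dns_packet"]:
        flags.append("too_large_dns_packet")
    if pkt.protocol == 1 and pkt.length >= t["too_large_icmpv4_packet"]:
        flags.append("too_large_icmpv4_packet")
    if pkt.protocol == 58 and pkt.length >= t["too_large_icmpv6_packet"]:
        flags.append("too_large_icmpv6_packet")
    if pkt.sip_uri is not None and len(pkt.sip_uri) >= t["too_long_sip_uri"]:
        flags.append("too_long_sip_uri")
    if pkt.protocol == 6:
        if pkt.tcp_syn and pkt.length >= t["too_large_tcp_syn_packet"]:
            flags.append("too_large_tcp_syn_packet")
        if pkt.tcp_window is not None and pkt.tcp_window <= t["too_small_tcp_window"]:
            flags.append("too_small_tcp_window")
    return flags


def endpoint_key(address: str, ipv6_prefix_len: int = 128) -> str:
    """Collapse a source address to the endpoint that per-endpoint counters apply to:
    IPv4 is always per host; IPv6 hosts are grouped by the configured prefix length."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{ipv6_prefix_len}", strict=False))


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("p1", "192.0.2.10", 4, 17, length=512, dns=True),                    # ordinary DNS reply
    Packet("p2", "192.0.2.11", 4, 17, length=5000, dns=True),                   # oversized DNS packet
    Packet("p3", "192.0.2.12", 4, 6, length=120, tcp_syn=True, tcp_window=0),   # large SYN, zero window
    Packet("p4", "2001:db8::7", 6, 58, length=1500, ttl=0,
           ipv6_ext_header_sizes=[8, 8, 200, 8]),                               # hop count 0, ext headers
    Packet("p5", "198.51.100.5", 4, 47, length=80),                             # GRE, not in the allow list
]


def evaluate_samples(thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> Dict[str, List[str]]:
    """Run every constructed packet through the checks; returns pkt_id -> tripped conditions."""
    return {p.pkt_id: check_packet(p, thresholds) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for pid, tripped in evaluate_samples().items():
        print(pid, tripped or "ok")
```

Passing a different `thresholds` dict or `extra_protocols` pair is the code equivalent of editing the Global Settings page: with `extra_protocols=(47, 255)` the GRE sample stops being flagged, and `endpoint_key("2001:db8::7", 64)` shows how a /64 setting makes every host in that prefix count as one endpoint instead of the default per-host /128.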

Blacklist Publisher

Advertisement Next-Hop
  Default: none
  Specifies the next-hop address of the BGP router to which you want to advertise blacklisted addresses.

Sending the blacklist to a next-hop router

DDoS Hybrid Defender™ detects bad actors, adding their IP addresses to a blacklist temporarily. You can specify an edge router to which to advertise the blacklist, so it can stop the traffic causing a DoS attack.
  1. On the Main tab, click DoS Protection > Quick Configuration.
  2. On the menu bar, click Global Settings.
  3. In the Blacklist Publisher area, in the Advertisement Next-Hop field, type the IP address of a next-hop router to which to send the blacklist.
  4. Click Commit Changes to System to save the changes.
The router you configured will drop traffic from IP addresses on the blacklist until the blacklist entry is automatically removed.