Intrusion Detection. Billion Electric QI3BIL-7401VGPR4



Intrusion Detection

The router’s Intrusion Detection System (IDS) is used to detect hacker attacks and intrusion attempts from the Internet. If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.

Blacklist: If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist. Any further attempts using this IP address will be blocked for the time period specified as the Block Duration. The default setting for this function is false (disabled). Some attack types are denied immediately without using the Blacklist function, such as Land attack and Echo/CharGen scan.

Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is false.

Block Duration:

• Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default value is 600 seconds.

• Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible Scan attack. Scan attack types include X’mas scan, IMAP SYN/FIN scan and similar attempts. Default value is 86400 seconds.

• DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible Denial of Service (DoS) attack. The DoS attack types blocked include Ascend Kill and WinNuke. Default value is 1800 seconds.

Max TCP Open Handshaking Count: This is the threshold used to decide whether a SYN Flood attempt is occurring. Default value is 100 TCP SYN packets per second.

Max PING Count: This is the threshold used to decide whether an ICMP Echo Storm is occurring. Default value is 15 ICMP Echo Requests (PING) per second.

Max ICMP Count: This is the threshold used to decide whether an ICMP flood is occurring. Default value is 100 ICMP packets per second, not counting ICMP Echo Requests (PING).

For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will only warn the user in the Event Log; it cannot protect against such attacks.

Table 2: Hacker attack types recognized by the IDS

| Intrusion Name | Detect Parameter | Blacklist | Type of Block Duration | Drop Packet | Show Log |
|---|---|---|---|---|---|
| Ascend Kill | Ascend Kill data | Src IP | DoS | Yes | Yes |
| WinNuke | TCP Port 135, 137~139, Flag: URG | Src IP | DoS | Yes | Yes |
| Smurf | ICMP type 8, Dst IP is broadcast | Dst IP | Victim Protection | Yes | Yes |
| Land attack | SrcIP = DstIP | | | Yes | Yes |
| Echo/CharGen Scan | UDP Echo Port and CharGen Port | | | Yes | Yes |
| Echo Scan | UDP Dst Port = Echo(7) | Src IP | Scan | Yes | Yes |
| CharGen Scan | UDP Dst Port = CharGen(19) | Src IP | Scan | Yes | Yes |
| X’mas Tree Scan | TCP Flag: X’mas | Src IP | Scan | Yes | Yes |
| IMAP SYN/FIN Scan | TCP Flag: SYN/FIN, DstPort: IMAP(143), SrcPort: 0 or 65535 | Src IP | Scan | Yes | Yes |
| SYN/FIN/RST/ACK Scan | TCP, no existing session and scan hosts more than five | Src IP | Scan | Yes | Yes |
| Net Bus Scan | TCP, no existing session, DstPort = Net Bus (12345, 12346, 3456) | Src IP | Scan | Yes | Yes |
| Back Orifice Scan | UDP, DstPort = Orifice Port (31337) | Src IP | Scan | Yes | Yes |
| SYN Flood | Max TCP Open Handshaking Count (Default 100 c/sec) | | | | Yes |
| ICMP Flood | Max ICMP Count (Default 100 c/sec) | | | | Yes |
| ICMP Echo | Max PING Count (Default 15 c/sec) | | | | Yes |

Src IP: Source IP
Src Port: Source Port
Dst Port: Destination Port
Dst IP: Destination IP
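The filtering, blacklisting and threshold behaviour described in this section and summarised in Table 2, modelled in Python as an added example (not Billion firmware code). It assumes thresholds are counted per whole second and a warning is logged once a count exceeds the configured maximum; packets and addresses are constructed, and the X’mas and IMAP SYN/FIN rows are left out.

```python
from collections import Counter
from dataclasses import dataclass

BLOCK_DURATION = {"DoS": 1800, "Scan": 86400, "Victim Protection": 600}   # seconds, manual defaults
RATE_LIMIT = {"SYN Flood": 100, "ICMP Echo Storm": 15, "ICMP Flood": 100}  # packets/second, manual defaults

@dataclass
class Packet:
    t: int; proto: str; src: str; dst: str          # arrival second, "TCP"/"UDP"/"ICMP", addresses
    sport: int = 0; dport: int = 0; flags: frozenset = frozenset()
    icmp_type: int = -1; bcast: bool = False         # bcast: destination is a broadcast address

def classify(p):
    """Map a packet to (intrusion name, blacklist key, block type) per Table 2, or None."""
    if p.src == p.dst:
        return "Land attack", None, None            # dropped at once, never blacklisted
    if p.proto == "TCP" and p.dport in (135, 137, 138, 139) and "URG" in p.flags:
        return "WinNuke", p.src, "DoS"
    if p.proto == "ICMP" and p.icmp_type == 8 and p.bcast:
        return "Smurf", p.dst, "Victim Protection"  # the victim (Dst IP) is what gets protected
    if p.proto == "UDP" and p.dport in (7, 19):
        return ("Echo Scan" if p.dport == 7 else "CharGen Scan"), p.src, "Scan"
    if p.proto == "UDP" and p.dport == 31337:
        return "Back Orifice Scan", p.src, "Scan"
    return None

class IDS:
    def __init__(self):
        # ip -> block expiry second; (second, flood kind) -> packets seen; Event Log entries
        self.blacklist, self.rates, self.log = {}, Counter(), []

    def inspect(self, p):
        """Return 'drop' or 'pass'. Flood thresholds only produce an Event Log warning."""
        if max(self.blacklist.get(p.src, -1), self.blacklist.get(p.dst, -1)) > p.t:
            return "drop"                           # still inside the Block Duration
        hit = classify(p)
        if hit:
            name, key, kind = hit
            if key:
                self.blacklist[key] = p.t + BLOCK_DURATION[kind]
            self.log.append((p.t, name))
            return "drop"
        kind = ("SYN Flood" if p.proto == "TCP" and p.flags == frozenset({"SYN"}) else
                "ICMP Echo Storm" if p.proto == "ICMP" and p.icmp_type == 8 else
                "ICMP Flood" if p.proto == "ICMP" else None)
        if kind:
            self.rates[(p.t, kind)] += 1
            if self.rates[(p.t, kind)] == RATE_LIMIT[kind] + 1:  # threshold exceeded this second
                self.log.append((p.t, kind))
        return "pass"
```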
