Set Up Stateful Firewall Settings

Take the following steps to configure Stateful Firewall Settings for Profiles:

  • In the SD-WAN Orchestrator, go to Configure > Profiles > Firewall.
  • Under Configure Firewall, turn on the Stateful Firewall toggle and click the expand icon. By default, the session timeouts apply to IPv4 addresses.

You can change the following settings for the Stateful Firewall and then click “Save Changes”:

  • Established TCP Flow Timeout (seconds): Sets the inactivity timeout period (in seconds) for established TCP flows, after which they are no longer valid. The allowable range is 60 through 15999999 seconds; the default is 7440 seconds.
  • Non-Established TCP Flow Timeout (seconds): Sets the inactivity timeout period (in seconds) for non-established TCP flows, after which they are no longer valid. The allowable range is 60 through 604800 seconds; the default is 240 seconds.
  • UDP Flow Timeout (seconds): Sets the inactivity timeout period (in seconds) for UDP flows, after which they are no longer valid. The allowable range is 60 through 15999999 seconds; the default is 300 seconds.
  • Other Flow Timeout (seconds): Sets the inactivity timeout period (in seconds) for other flows, such as ICMP, after which they are no longer valid. The allowable range is 60 through 15999999 seconds; the default is 60 seconds.


The configured timeout values take effect only while memory use is below the soft limit. The soft limit corresponds to 60% of the maximum number of concurrent flows that the platform supports.

Set up the network and flood protection settings

VMware Software-Defined Wide Area Network (SD-WAN) provides detection and protection against the following types of attack, to counter exploits at every stage of their execution:

  • Denial-of-Service (DoS) attacks
  • TCP-based attacks: Invalid TCP Flags, TCP Land, and TCP SYN Fragment
  • ICMP-based attacks: ICMP Ping of Death and ICMP Fragment
  • IP-based attacks: IPv6 Unknown Protocol, IPv6 Extension Header, IP Unknown Protocol, and IP Options


Attack Type and Description

Denial-of-Service (DoS) attack

A denial-of-service (DoS) attack is a network security attack that floods the targeted device with so much bogus traffic that it cannot handle legitimate traffic. The target may be a firewall, the network resources to which the firewall controls access, or the hardware platform or operating system of a single host. The DoS attack attempts to exhaust the target device’s resources so that authorized users can no longer use it.

A DoS attack either floods a service or crashes it. In a flood attack, an overwhelming volume of traffic slows the server down or shuts it down completely. Other DoS attacks aim to bring down the targeted system or service by exploiting security flaws: they send input that triggers a vulnerability in the target, causing it to crash or become highly unstable.

Invalid TCP Flags

An invalid TCP flags attack sends TCP packets whose flag combinations are bad or invalid. Because such combinations can crash a vulnerable target device, it is best to filter them out. Invalid TCP Flags protection blocks:

  • a TCP packet with no flags set in its TCP header (no SYN, FIN, ACK, or any other flag), and
  • a TCP header with both the SYN and FIN flags set, which are mutually exclusive.

TCP Land

A Land attack is another type of DoS attack. It uses a TCP SYN packet whose source IP address and port are the same as its destination IP address and port, which point to an open port on the target device. A vulnerable target that receives such a packet replies to the destination address, which is itself, so the packet is sent back to it and processed again and again. The device’s CPU is consumed indefinitely, causing the target to crash or freeze.

TCP SYN Fragment

To open a Transmission Control Protocol (TCP) connection and elicit a SYN/ACK segment in response, a TCP SYN segment is encapsulated in an Internet Protocol (IP) packet before it is sent. Because this IP packet is small, there is no legitimate reason for it to be fragmented, so a fragmented SYN packet is an anomaly and therefore suspicious. In a TCP SYN fragment attack, a target server or host is flooded with fragments of TCP SYN packets. The host holds each fragment while it waits for the remaining fragments to arrive so that it can reassemble the packet. Flooding a host with connections that can never be completed can damage its operating system: the host’s memory buffers overflow, and no further legitimate connection requests can be accepted.

ICMP Ping of Death

In an ICMP (Internet Control Message Protocol) Ping of Death attack, the attacker sends a target device repeated malformed or malicious pings. Ping packets are normally small and are used to check whether network hosts are reachable, but an attacker can make them larger than the maximum size of 65535 bytes.

The maximum size is exceeded when the malicious host sends such an oversized packet, it is fragmented in transit, and the target device then tries to reassemble the IP fragments into a complete packet. Because the target cannot handle packets this large, the memory buffers previously allocated for the packet can overflow, causing a system crash, freeze, or reboot.

ICMP Fragment

The goal of an ICMP Fragmentation attack, a typical denial-of-service (DoS) attack, is to overwhelm the target server with fake ICMP fragments that it cannot defragment. Since defragmentation can only happen once all fragments have been received, temporarily storing these fake fragments uses memory, which could cause the susceptible target server to run out of memory and become unavailable.

IP Unknown Protocol

When IP Unknown Protocol protection is enabled, IP packets with a protocol ID number of 143 or above are blocked, because they may crash the end device if it does not handle them correctly. It is prudent to keep such IP packets out of the protected network.

IP Options

Attackers sometimes craft the IP option fields inside an IP packet incorrectly, producing option fields that are incomplete or malformed. Such malformed packets are used to compromise vulnerable hosts on the network. If the flaw is exploited, arbitrary code execution may be possible: the vulnerability is triggered once the host processes a packet carrying a specially crafted IP option in its IP header. Enabling IP Insecure Options protection drops transit IP packets whose IP header contains a malformed IP option field.

IPv6 Unknown Protocol

When IPv6 Unknown Protocol protection is enabled, IPv6 packets whose protocol field contains a protocol ID number of 143 or above are blocked, because they may crash the end device if it does not handle them correctly. It is prudent to keep such IPv6 packets out of the protected network.

IPv6 Extension Header

An IPv6 extension header attack is a denial-of-service (DoS) attack that arises when an IPv6 packet’s extension headers are handled incorrectly. Mishandled IPv6 extension headers open new attack vectors, such as Routing Header type 0 attacks and covert channel creation, which can lead to denial of service. When this option is enabled, IPv6 packets containing any extension header other than a fragmentation header are dropped.
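As an added example (not part of this documentation or of VMware's code), the following Python implements the IPv4 packet checks described above, namely the two Invalid TCP Flags conditions, TCP Land, TCP SYN Fragment, IP Unknown Protocol (protocol ID 143 or above) and malformed IP option fields, and runs them over constructed sample packets. The packet builders, the checksum-free sample packets and the concrete definition of a malformed option (length byte missing, shorter than 2, or overrunning the option area) are this example's own assumptions.

```python
import struct
from ipaddress import IPv4Address

TCP_FIN, TCP_SYN = 0x01, 0x02
IP_MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field

def ipv4_options_malformed(opts: bytes) -> bool:
    """Walk the IPv4 option TLVs; True if a length byte is missing, too small or overruns."""
    i = 0
    while i < len(opts):
        if opts[i] == 0:             # End of Option List: the rest is padding
            return False
        if opts[i] == 1:             # No Operation: a single byte with no length field
            i += 1
        elif i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return True              # length byte missing, too small, or overrunning the options
        else:
            i += opts[i + 1]
    return False

def classify_ipv4(pkt: bytes) -> list:
    """Return the names of the protections (as listed on this page) that would drop pkt."""
    hits = []
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl > 20 and ipv4_options_malformed(pkt[20:ihl]):
        hits.append("IP Options")
    if proto >= 143:
        hits.append("IP Unknown Protocol")
    frag_offset, more_frags = frag & 0x1FFF, bool(frag & IP_MF)
    if proto == 6 and frag_offset == 0 and len(pkt) >= ihl + 14:  # TCP header only in first fragment
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        flags = pkt[ihl + 13]
        if flags == 0 or (flags & TCP_SYN and flags & TCP_FIN):
            hits.append("Invalid TCP Flags")
        if flags & TCP_SYN and src == dst and sport == dport:
            hits.append("TCP Land")
        if flags & TCP_SYN and more_frags:
            hits.append("TCP SYN Fragment")
    return hits

def build_ipv4(proto, src, dst, payload=b"", frag=0, options=b""):  # constructed sample packets
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary; checksum left 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45 + len(options) // 4, 0, 20 + len(options) + len(payload),
                         1, frag, 64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + options + payload

def build_tcp(sport, dport, flags):  # constructed 20-byte TCP header, seq/ack/checksum zeroed
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
```

A plain SYN from one host to another, or a packet with a well-formed Record Route option, returns an empty list; the Land case requires the SYN flag together with identical source and destination address and port.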

Follow these steps to configure Network and Flood Protection Settings for Profiles:

  • In the SD-WAN Orchestrator, go to Configure > Profiles > Firewall.
