Most of us will be familiar with Peplink’s intrusion detection feature, but when is the router actually triggered to block certain traffic?
As the information shown when selecting the HELP icon explains, when intrusion detection is enabled the Peplink blocks abnormal packets, such as TCP packets with all flags enabled (malformed XMAS packet). It also blocks suspicious traffic, such as large volumes of new TCP SYN packets (SYN flood). New TCP SYN packets generated by the suspicious IP address are blocked until the “SYN Flood” has stopped.
But what traffic is blocked exactly? The actual triggers are the following:
- Rapidly generated TCP sessions with only the SYN flag set.
- Rapidly generated ICMP sessions.
- A TCP packet without any flag set.
- A TCP packet with only the FIN, URG and PSH flags set.
- A TCP packet with the SYN, ACK, FIN, RST, URG and PSH flags set.
- A TCP packet with only the SYN, ACK, FIN, RST and URG flags set.
- A TCP packet with the SYN and RST flags set.
- A TCP packet with the SYN and FIN flags set.
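
To check which packets in a capture would match the per-packet triggers above, the flag combinations can be expressed as a small classifier. This is an added example, not Peplink's code. It assumes that entries worded "only" or "without any flag" are exact matches on the six classic flags, that the SYN+RST and SYN+FIN entries match whenever both bits are present, and that ECE/CWR are ignored. The two rate-based triggers are left out because the list gives no thresholds.

```python
import struct

# Classic TCP flag bits (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC = FIN | SYN | RST | PSH | ACK | URG

# Triggers treated as exact matches on the six classic bits (assumption).
EXACT = [
    (0, "no flags set"),
    (FIN | URG | PSH, "FIN, URG and PSH only"),
    (CLASSIC, "SYN, ACK, FIN, RST, URG and PSH"),
    (SYN | ACK | FIN | RST | URG, "SYN, ACK, FIN, RST and URG only"),
]
# Triggers treated as "both bits present, others irrelevant" (assumption).
CONTAINS = [
    (SYN | RST, "SYN and RST set"),
    (SYN | FIN, "SYN and FIN set"),
]

def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13] & CLASSIC  # assumption: ECE/CWR are ignored

def classify(header: bytes):
    """Name the per-packet trigger a header matches, or None."""
    flags = tcp_flags(header)
    # Exact matches first, so the all-flags packet is not reported as SYN+RST.
    for value, name in EXACT:
        if flags == value:
            return name
    for mask, name in CONTAINS:
        if flags & mask == mask:
            return name
    return None

def make_header(flags: int) -> bytes:
    """Constructed sample: minimal 20-byte TCP header with the given flags."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 1024, 0, 0)

if __name__ == "__main__":
    for f in (SYN, SYN | ACK, 0, FIN | URG | PSH, SYN | RST | ACK, SYN | FIN):
        print(f"{f:#04x} -> {classify(make_header(f))}")
```

A lone SYN or a normal SYN+ACK returns `None` here: a single SYN only counts toward the rate-based SYN flood trigger, not the malformed-packet checks.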