What does enable DoS protection in Synology DSM 5 do?
Not an answer yet, but some input: iptables-save output on "DSM 5.2-5644 Update 5".
With DoS protection off:
# Generated by iptables-save v1.4.21 on Sat Feb 20 23:23:24 2016
*filter
:INPUT ACCEPT [6161:1075680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5604:2995833]
:DEFAULT_INPUT - [0:0]
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
COMMIT
# Completed on Sat Feb 20 23:23:24 2016
With DoS protection on:
# Generated by iptables-save v1.4.21 on Sat Feb 20 23:24:27 2016
*filter
:INPUT ACCEPT [10:1306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:2003]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Sat Feb 20 23:24:27 2016
No relevant changes between the respective outputs of sysctl -a (only runtime values change, like inode number).
In all cases, tc -p class show dev eth0 and tc -p qdisc show dev eth0 show default settings.
> tc -p class show dev eth0
class mq :1 root
class mq :2 root
class mq :3 root
class mq :4 root
class mq :5 root
class mq :6 root
class mq :7 root
class mq :8 root
> tc -p qdisc show dev eth0
qdisc mq 0: root
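As an added illustration (my own code, not part of the answer above), here is a small Python model of the `-m limit` token bucket behind the DOS_PROTECT rules, run over constructed packet timings. The kinds "icmp-echo", "rst" and "syn" stand for the three matched rule pairs; the burst of 5 for the two 1/sec rules is iptables' default when --limit-burst is not given, and the continuous refill is an approximation of the kernel's integer credit counter.

```python
"""Token-bucket model of the `-m limit` matches in DSM's DOS_PROTECT chain."""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """xt_limit semantics: a bucket of `burst` tokens refilled at `rate` per second.

    A packet matches while a token is available; when the bucket is empty the
    RETURN rule does not match and the following DROP rule takes the packet.
    """
    rate: float          # --limit, in packets per second
    burst: int           # --limit-burst (iptables default is 5)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, t):
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Rule pairs from the iptables-save listing (ICMP echo 1/s, RST 1/s, SYN 10000/s burst 100).
def new_dos_protect():
    return {"icmp-echo": LimitMatch(1, 5), "rst": LimitMatch(1, 5),
            "syn": LimitMatch(10000, 100)}


def dos_protect_verdicts(packets):
    """packets: iterable of (timestamp_seconds, kind). Returns a verdict per packet."""
    limits = new_dos_protect()
    verdicts = []
    for t, kind in packets:
        lim = limits.get(kind)
        if lim is None or lim.allow(t):
            verdicts.append("RETURN")   # continues to DEFAULT_INPUT, i.e. accepted here
        else:
            verdicts.append("DROP")
    return verdicts


if __name__ == "__main__":
    # constructed traces: 150 SYNs 1 ms apart, 150 SYNs at the same instant, 20 pings 10 ms apart
    for name, trace in [("syn 1ms", [(i * 0.001, "syn") for i in range(150)]),
                        ("syn burst", [(0.0, "syn")] * 150),
                        ("ping 10ms", [(i * 0.01, "icmp-echo") for i in range(20)])]:
        print(name, dos_protect_verdicts(trace).count("DROP"), "dropped")
```

Under this model 150 SYNs spaced 1 ms apart all pass (the 100-token burst refills at 10 per millisecond), while 150 SYNs in the same instant lose 50, and a ping stream faster than 1/s is cut to 5 packets plus one per second.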
tomsv
Updated on September 18, 2022
Comments
-
tomsv almost 2 years
If I open Control Panel > Security > Protection, check Enable DoS Protection and click Apply, what kind of traffic gets blocked? The text reads "Denial-of-Service (DoS) protection helps to prevent malicious attacks over the internet."
I cannot find more detailed information about this.
What more precisely does this DoS protection do except helping to "prevent malicious attacks"? How does it know which are malicious attacks and which are valid requests?
I need some better definition of what gets blocked, so I do not happen to block valid traffic by mistake if I enable this.
And in this particular case, I need to support an application that unfortunately needs to make about 150 connections simultaneously or in quick succession...
-
Admin almost 10 years
I've found this post on Facebook which shows some additional firewall rules added when the DoS protection is active; it looks like it limits the number of packets per second.
-
EEAA almost 10 years
To be clear, on a software firewall level, there is precious little one can do to prevent true DoS attacks. Those need to be stopped upstream before the packets hit the targeted system. This DSM functionality is likely something more like brute-force attack prevention plus some rudimentary firewall rules that can help mitigate SYN flood attacks, etc.
-