What does enable DoS protection in Synology DSM 5 do?


Not an answer yet, but some input:

iptables-save output on "DSM 5.2-5644 Update 5":

With DoS protection off:

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:23:24 2016
*filter
:INPUT ACCEPT [6161:1075680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5604:2995833]
:DEFAULT_INPUT - [0:0]
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
COMMIT
# Completed on Sat Feb 20 23:23:24 2016

With DoS protection on:

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:24:27 2016
*filter
:INPUT ACCEPT [10:1306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:2003]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Sat Feb 20 23:24:27 2016

No relevant changes between the respective outputs of sysctl -a (only runtime values change, like inode numbers).

In all cases, tc -p class show dev eth0 and tc -p qdisc show dev eth0 show default settings.

> tc -p class show dev eth0
class mq :1 root 
class mq :2 root 
class mq :3 root 
class mq :4 root 
class mq :5 root 
class mq :6 root 
class mq :7 root 
class mq :8 root 
> tc -p qdisc show dev eth0
qdisc mq 0: root 
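Reading the dump above: DOS_PROTECT holds three rule pairs, and each pair works the same way. The first rule of a pair matches a packet class (ICMP echo requests, TCP packets with only RST set, TCP packets with only SYN set, all on eth0) and, while the packet is within the limit of the -m limit match, returns to INPUT, where the packet continues into DEFAULT_INPUT and is accepted; the second rule of the pair catches the packets the limit refused and drops them. The limit match is a token bucket: --limit-burst tokens are available at once (5 where the dump does not show the option, because iptables-save omits the default), refilled at the --limit rate. Only pure SYNs, i.e. new connection attempts, are counted against the 10000/sec, burst 100 limit; ACK-carrying packets of established connections never match. The following Python model of the chain is an added example, not code from the original answer or from Synology; the packet fields, the continuous refill and the sample traffic are assumptions made for the illustration (the kernel's xt_limit refills in jiffy-sized steps, so timing below one tick is coarser than modelled here).

```python
"""Model of the DSM 5.2 DOS_PROTECT chain from the iptables-save dump above.

Added example, not Synology code. The netfilter 'limit' match is modelled as a
token bucket (burst tokens, refilled at the configured rate) so the effect of the
three rate limits can be tried on constructed packet sequences. The real xt_limit
refills in kernel-jiffy steps, so sub-tick timing is coarser than modelled here.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Optional


@dataclass
class Limit:
    """-m limit --limit RATE --limit-burst BURST (burst defaults to 5)."""
    rate: Fraction                      # packets per second
    burst: int = 5
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self):
        self.tokens = Fraction(self.burst)

    def allow(self, now: Fraction) -> bool:
        # refill at 'rate', never above 'burst'; spend one token per matched packet
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; only the header fields the rules look at."""
    proto: str                              # "tcp", "udp" or "icmp"
    iface: str = "eth0"
    tcp_flags: frozenset = frozenset()      # flags set in the TCP header
    icmp_type: Optional[int] = None
    sport: int = 0
    length: int = 64                        # total IP packet length in bytes


FLAG_MASK = frozenset({"FIN", "SYN", "RST", "ACK"})   # the mask half of --tcp-flags


def build_dos_protect():
    """The six DOS_PROTECT rules, in order, as (match, limit, target)."""
    def echo(p):
        return p.iface == "eth0" and p.proto == "icmp" and p.icmp_type == 8

    def flags_exactly(wanted):
        # --tcp-flags MASK COMP: of the masked flags, exactly COMP must be set
        def m(p):
            return p.iface == "eth0" and p.proto == "tcp" and (p.tcp_flags & FLAG_MASK) == wanted
        return m

    rst, syn = flags_exactly(frozenset({"RST"})), flags_exactly(frozenset({"SYN"}))
    return [
        (echo, Limit(Fraction(1)), "RETURN"),              # --limit 1/sec, default burst 5
        (echo, None, "DROP"),
        (rst, Limit(Fraction(1)), "RETURN"),               # --limit 1/sec, default burst 5
        (rst, None, "DROP"),
        (syn, Limit(Fraction(10000), 100), "RETURN"),      # --limit 10000/sec --limit-burst 100
        (syn, None, "DROP"),
    ]


def walk_chain(rules, pkt, now):
    for match, limit, target in rules:
        if match(pkt) and (limit is None or limit.allow(now)):
            return target
    return "RETURN"    # end of a user-defined chain: back to INPUT


def input_verdict(rules, pkt, now):
    """INPUT: -j DOS_PROTECT, then -j DEFAULT_INPUT, then policy ACCEPT."""
    if walk_chain(rules, pkt, now) == "DROP":
        return "DROP"
    # DEFAULT_INPUT: replies from source port 53 of 2048 bytes or more are dropped
    if pkt.proto in ("tcp", "udp") and pkt.sport == 53 and pkt.length >= 2048:
        return "DROP"
    return "ACCEPT"


def simulate(pkt, count, spread):
    """Send 'count' copies of pkt evenly over 'spread' seconds; return (accepted, dropped)."""
    rules = build_dos_protect()
    step = Fraction(spread) / count if count else Fraction(0)
    verdicts = [input_verdict(rules, pkt, i * step) for i in range(count)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")


# constructed sample packets
SYN = Packet("tcp", tcp_flags=frozenset({"SYN"}))
ACK = Packet("tcp", tcp_flags=frozenset({"ACK"}))
PING = Packet("icmp", icmp_type=8)

if __name__ == "__main__":
    print("150 SYNs in the same instant:", simulate(SYN, 150, 0))
    print("150 SYNs over one second:   ", simulate(SYN, 150, 1))
    print("1000 ACKs in the same instant:", simulate(ACK, 1000, 0))
    print("20 pings at 10 per second:  ", simulate(PING, 20, 2))
```

For the 150-connection application from the question, the model shows the shape of the risk: 150 SYNs arriving in the same instant exhaust the burst of 100 and the remaining 50 are dropped, while the same 150 spread over a second all pass. A dropped SYN is not a refused connection; the client's TCP stack retransmits it (typically after about a second on Linux), so the visible effect is delayed connection setup rather than failure, unless the application uses a very short connect timeout. Packets arriving on interfaces other than eth0 are not rate-limited at all by these rules.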


Author: tomsv

M.Sc. Engineering Physics available for software development projects in Kotlin, Java, Android, C++, C#, ASP.NET, Python, PHP, ... Contact email: info (at) tomas-svensson.de

Updated on September 18, 2022

Comments

  • tomsv
    tomsv almost 2 years

    If I open Control Panel > Security > Protection, check Enable DoS Protection and click Apply, what kind of traffic gets blocked?

    The text reads "Denial-of-Service (DoS) protection helps to prevent malicious attacks over the internet."

    I cannot find more detailed information about this.

    What more precisely does this DoS protection do except helping to "prevent malicious attacks"? How does it know which are malicious attacks and which are valid requests?

    I need some better definition of what gets blocked, so I do not happen to block valid traffic by mistake if I enable this.

    And in this particular case, I need to support an application that unfortunately needs to make about 150 connections simultaneously or in quick succession...

    • Admin
      Admin almost 10 years
      I've found this post on Facebook which shows some additional firewall rules added when the DoS protection is active, it looks like it limits the number of packets per second.
    • EEAA
      EEAA almost 10 years
      To be clear, on a software firewall level, there is precious little one can do to prevent true DoS attacks. Those need to be stopped upstream before the packets hit the targeted system. This DSM functionality is likely something more like brute-force attack prevention plus some rudimentary firewall rules that can help mitigate SYN flood attacks, etc.