18

I recently found a DoS Defense setting in my DrayTek Vigor 2830 router, which is disabled by default. I'm running a very small server on this network and I take it very seriously to have the server up and running 24/7.

I'm a bit unsure if the DoS Defense could cause me any kind of problems. I haven't experienced any DoS attacks yet, but I would like to avoid possible attacks. Is there any reason not to enable the DoS Defense setting?

ThomasCle
    Rather than ask **us** if you should/should not enable this "DoS Defense" feature, why not ask your router vendor *what it actually does* when you check the box, then decide if those rules make sense in your environment? – voretaq7 Dec 20 '12 at 21:23
  • (After digging up the manual from their website I can say the list of things it checks for and deals with is a relatively sane one -- Unlikely to break anything legit, so no real harm in turning it on. Just don't expect it to protect you from everything - [there are some attacks it can't mitigate](http://serverfault.com/a/459752/32986)) – voretaq7 Dec 20 '12 at 21:31
  • As this is mostly a risk analysis question, you might consider asking to migrate this to [security.se]. – AviD Dec 21 '12 at 08:39

5 Answers

22

It means the router has to maintain additional state and do additional work on each packet. And how can it really help in the case of a DoS? All it can do is drop a packet that you have already received. Since you've already received it, it has already done the damage by consuming your inbound Internet bandwidth.

David Schwartz
  • I'm pretty sure this is to keep the service running, not to stop the bandwidth drain. I really can't agree with this answer at all. – SpacemanSpiff Dec 20 '12 at 18:37
  • 3
    @SpacemanSpiff: Two reasons this is not true: 1) A typical ADSL link can't carry enough traffic to take out a service anyway. Typical DoS attacks over such links work by consuming your bandwidth. 2) The device can't reliably tell attack traffic from legitimate traffic. So stopping the DoS attack is just a DoS attack on yourself since you're dropping the legitimate traffic too. (At most, this will preserve your outbound bandwidth for other services because you're not replying to the attack traffic. But with no useful inbound, protecting your outbound usually doesn't help much.) – David Schwartz Dec 20 '12 at 18:41
  • 1
    Pretty much... Generally, if you get DoSed on any line a DrayTek would be holding up, you're going down. – Sirex Dec 20 '12 at 19:21
  • 1
    What you've told him to do is turn off the following, just so you know: SYN flooding, UDP flooding, ICMP flooding, Port Scan Detections, IP Spoofing, Tear Drop Attacks. Just because this vendor leaves it off by default, doesn't mean everyone does. Juniper NetScreen and SRX Branch routers come out this enabled, as does the ASA5505. – SpacemanSpiff Dec 20 '12 at 21:10
  • @SpacemanSpiff: I'm not giving him advice on everything, just what to do with this device in this application. Sure, branch and core routers try to protect narrower downstream links. But he doesn't have any narrower downstream links. – David Schwartz Dec 20 '12 at 21:12
  • 1
    Yes, but you've turned off all basic edge defense; now even an idiot with a Linux ping command can take him down. – SpacemanSpiff Dec 20 '12 at 21:15
  • 3
    @SpacemanSpiff: If they can overwhelm his bandwidth, they can take him down even with it on. He's dropping the traffic *after* it has consumed his bandwidth. Having a defended edge inside the slowest link does you little to no good. Most likely, his weakest link is the router CPU and his inbound bandwidth. – David Schwartz Dec 20 '12 at 21:20
  • Wouldn't that mean... If I got DoSed while having the DoS protection, and if I find out who's DoSing me, I can DoS back at it with my unused outbound? – TeaCrab Aug 31 '17 at 19:47
  • @TeaCrab No. That's not how any of this works at all. It's not like a gunfight. – David Schwartz Sep 02 '17 at 22:57
5

One reason not to enable the DoS Defense setting is that trying to protect systems from being DoSed will spike the CPU of the router/firewall, causing a DoS itself.

becomingwisest
5

An old thread I know, but I've just had to turn off the DoS defences on my Draytek 2850 home router to prevent some connection problems (almost everyone's in-bound bandwidth dropped to 0). Oddly enough, when all the kids are using their iPhones, PCs and chatting on Skype, etc. it triggers the DoS defences!

My guess is that there's so much traffic going in both directions that the router thinks it's under attack from the outside and shuts down. Turning off the UDP flood defence didn't do a complete fix so I turned off the SYN and ICMP defences too. (If you had to turn off both SYN and ICMP flood protection then I think the router was doing a very good job unless you are running a server or servers on your network) - SYN and ICMP requests are sent to servers during connection initiation, then the client devices receive a SYN-ACK back from the server.

Hey presto - no more connection issues. Of course, I'll turn the defences back on and better-tune the values (measured in packets/second), but I've been trying to nail this problem for ages and it was quite a shock to find out the real cause.

I hope this helps someone else.

Richard
  • I can confirm the same on an ASUS Wireless Router RT-N10. Enabling DoS protection will degrade the wireless connection. –  Nov 08 '14 at 01:22
  • 1
    We had a very similar problem on a 2930 shortly after we started allowing mobile devices on the network. I upped the threshold rates for SYN, UDP and ICMP defense significantly and it stopped the problem. –  Mar 09 '15 at 18:52
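The false positive Richard describes (a LAN full of devices tripping the packets-per-second thresholds) and David Schwartz's point that a rate-based defence sees only counts, not intent, can be reproduced with a toy detector. This is an added example, not DrayTek firmware code or code from any poster; the thresholds, device counts and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed per-type thresholds in packets/second; illustrative only,
# not the DrayTek firmware's real defaults.
DEFAULT_THRESHOLDS = {"SYN": 50, "UDP": 150, "ICMP": 50}
TUNED_THRESHOLDS = {"SYN": 300, "UDP": 2000, "ICMP": 300}


def flood_events(packets, thresholds, window=1.0):
    """Sliding-window rate detection, as a SoHo router might do it.

    packets: iterable of (timestamp_seconds, packet_type, source_ip).
    Returns (timestamp, packet_type, rate) for each packet that pushes the
    per-type rate over the last `window` seconds above its threshold.
    The detector keys on packet type only, not on source: when it fires,
    the mitigation drops that whole class of traffic, legitimate or not.
    """
    recent = defaultdict(deque)
    events = []
    for ts, ptype, _src in sorted(packets):
        q = recent[ptype]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        rate = len(q) / window
        if rate > thresholds.get(ptype, float("inf")):
            events.append((ts, ptype, rate))
    return events


def household_traffic(devices=12, seconds=5):
    """Constructed sample: phones and PCs each opening 8 TCP connections/s
    (SYNs) and sending 20 UDP packets/s (voice/chat)."""
    pkts = []
    for s in range(seconds):
        for d in range(devices):
            src = f"192.168.1.{10 + d}"
            pkts += [(s + i / 8, "SYN", src) for i in range(8)]
            pkts += [(s + i / 20, "UDP", src) for i in range(20)]
    return pkts


def syn_flood(pps=1000, seconds=2, src="203.0.113.7"):
    """Constructed sample: a single-source SYN flood (TEST-NET-3 address)."""
    return [(s + i / pps, "SYN", src) for s in range(seconds) for i in range(pps)]


def tripped_types(packets, thresholds):
    """Traffic classes the defence would start dropping for this traffic."""
    return {ptype for _, ptype, _ in flood_events(packets, thresholds)}
```

With the low thresholds the ordinary household load trips both the SYN and UDP defences (dropping everyone's traffic), while the raised thresholds let it through yet still catch the flood.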
3

Yes, absolutely, turn it on.

If this is implemented correctly your firewall's engine should inspect each packet. Once it's determined to drop this traffic as part of a DoS attack, it should install a rule into hardware and silently drop the traffic instead of processing it again and again. Where it will still fall on its face is a distributed attack, but I suggest you turn this on.

What kinds of services is that server hosting?

SpacemanSpiff
  • It is running a lot of different stuff: IIS, MSSQL Databases, MySQL databases, Apache, Minecraft and all kinds of random stuff I'd need a server for :) – ThomasCle Dec 20 '12 at 18:49
  • 3
    If the traffic was hurting your link, it'll still be hurting your link. If it wasn't, you're now likely to be dropping at least some legitimate traffic, making the DoS attack worse. On a SoHo router, this is bad advice. It's off by default for a reason. – David Schwartz Dec 20 '12 at 19:26
  • I'm pretty sure screens and DoS rules do not drop OTHER types of traffic. – SpacemanSpiff Dec 20 '12 at 21:02
  • 1
    The whole point of a DoS is to make the DoS traffic indistinguishable from legitimate traffic so the victim has to choose between dropping legitimate traffic and responding to the DoS traffic. For example, if you're serving HTTP on port 80, one typical DoS attack you'll see is a multi-source SYN flood on port 80. How can you tell the flood SYNs from legitimate client SYNs? – David Schwartz Dec 20 '12 at 21:13
  • 2
    "If implemented correctly" isn't assured, especially on consumer grade hardware. The Netgear router I was using at home several years ago had a major bug in its DoS filter. It was possible to send a single packet with malformed data that would cause the DoS filter to crash and take the router down with it. – Dan Is Fiddling By Firelight Dec 20 '12 at 21:20
  • 1
    No it's not, he can always turn it off or adjust thresholds. I've seen bottom-end devices defend networks with just this basic stuff while misconfigured enterprise class firewalls fall on their face. – SpacemanSpiff Dec 20 '12 at 21:33
-2

If the DoS attack doesn't kill your PC first, the heat generated from DoS protection will kill your router. If you're that concerned about security, then don't use the internet.

It is better to protect every individual device on your network with a properly set firewall and AV. When not using the net, turn off your Wi-Fi; use it like you would your tap water.

DERP