
If I open Control Panel > Security > Protection, check Enable DoS Protection and click Apply, what kind of traffic gets blocked?

The text reads "Denial-of-Service (DoS) protection helps to prevent malicious attacks over the internet."

I cannot find more detailed information about this.

What more precisely does this DoS protection do except helping to "prevent malicious attacks"? How does it know which are malicious attacks and which are valid requests?

I need some better definition of what gets blocked, so I do not happen to block valid traffic by mistake if I enable this.

And in this particular case, I need to support an application that unfortunately needs to make about 150 connections simultaneously or in quick succession...

tomsv
  • I've found [this post](https://www.facebook.com/synology/posts/10151261652117897) on Facebook which shows some additional firewall rules added when the DoS protection is active; it looks like it limits the number of packets per second. – Jul 23 '14 at 15:48
  • To be clear, on a software firewall level, there is precious little one can do to prevent true DoS attacks. Those need to be stopped upstream **before** the packets hit the targeted system. This DSM functionality is likely something more like brute-force attack prevention plus some rudimentary firewall rules that can help mitigate SYN flood attacks, etc. – EEAA Jul 23 '14 at 16:02

2 Answers


Not an answer yet, but some input:

iptables-save output on "DSM 5.2-5644 Update 5":

With DoS protection off:

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:23:24 2016
*filter
:INPUT ACCEPT [6161:1075680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5604:2995833]
:DEFAULT_INPUT - [0:0]
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
COMMIT
# Completed on Sat Feb 20 23:23:24 2016

With DoS protection on:

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:24:27 2016
*filter
:INPUT ACCEPT [10:1306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:2003]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Sat Feb 20 23:24:27 2016

No relevant changes between the respective outputs of sysctl -a (only runtime values change, like inode numbers).

In all cases, tc -p class show dev eth0 and tc -p qdisc show dev eth0 show default settings.

> tc -p class show dev eth0
class mq :1 root 
class mq :2 root 
class mq :3 root 
class mq :4 root 
class mq :5 root 
class mq :6 root 
class mq :7 root 
class mq :8 root 
> tc -p qdisc show dev eth0
qdisc mq 0: root 
David Tonhofer
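The DOS_PROTECT chain from the dump above, walked through a model of the iptables `limit` match, as an added example (not part of the answer or of DSM). The `limit` match is a token bucket: it starts with `--limit-burst` tokens (iptables' documented default is 5 when the option is absent, as in the ICMP and RST rules), refills at the `--limit` rate, and matches while a token is available; a rule that does not match falls through to the next one, which in this chain is the DROP. Time is modelled in whole microseconds with exact fractions; the real kernel accounts in jiffies, so sub-millisecond timings are only approximate. The traffic patterns at the bottom are constructed, including the asker's 150 connections.

```python
"""Walk constructed packet timelines through the DOS_PROTECT chain dumped above.

Added example, not part of the original answer or of DSM. The iptables `limit`
match is a token bucket: it starts with --limit-burst tokens (default 5),
refills at the --limit rate, and matches while a token is available. A rule
that does not match falls through to the next one, here the DROP.
"""
import re
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# The DOS_PROTECT rules, copied from the iptables-save dump above.
DOS_PROTECT_RULES = """\
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
"""

DEFAULT_BURST = 5  # iptables' default for --limit-burst when not given
UNITS = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}

RULE_RE = re.compile(
    r"-A DOS_PROTECT(?: -i \S+)? -p (?P<proto>\w+) -m \w+ "
    r"(?:--icmp-type (?P<icmp>\d+)|--tcp-flags \S+ (?P<flags>\S+))"
    r"(?: -m limit --limit (?P<limit>\d+)/(?P<unit>\w+)"
    r"(?: --limit-burst (?P<burst>\d+))?)?"
    r" -j (?P<target>\w+)"
)


class TokenBucket:
    """Model of the `limit` match. Exact Fraction arithmetic keeps the
    accounting reproducible; the kernel works in jiffies, so sub-millisecond
    timings are only approximate here (assumption of this example)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = burst
        self.tokens = Fraction(burst)  # bucket starts full
        self.last_us = 0

    def allow(self, now_us):
        elapsed = Fraction(now_us - self.last_us, 1_000_000)
        self.tokens = min(Fraction(self.burst), self.tokens + self.rate * elapsed)
        self.last_us = now_us
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Rule:
    key: str                        # "icmp:8", "tcp:SYN", "tcp:RST"
    target: str                     # RETURN or DROP
    bucket: Optional[TokenBucket]   # None for the unconditional DROP rules


class DosProtectChain:
    def __init__(self, rules_text=DOS_PROTECT_RULES):
        self.rules = []
        for line in rules_text.splitlines():
            m = RULE_RE.fullmatch(line.strip())
            if not m:
                continue
            key = f"{m['proto']}:{m['icmp'] or m['flags']}"
            bucket = None
            if m["limit"]:
                rate = Fraction(int(m["limit"]), UNITS[m["unit"]])
                burst = int(m["burst"]) if m["burst"] else DEFAULT_BURST
                bucket = TokenBucket(rate, burst)
            self.rules.append(Rule(key, m["target"], bucket))

    def verdict(self, key, now_us):
        """First matching rule wins. A limit rule that is out of tokens does not
        match and falls through; packets no rule covers leave the chain (RETURN)."""
        for rule in self.rules:
            if rule.key != key:
                continue
            if rule.bucket is None or rule.bucket.allow(now_us):
                return rule.target
        return "RETURN"


def dropped(key, times_us, rules_text=DOS_PROTECT_RULES):
    """How many packets of `key`, arriving at the given microsecond offsets,
    DOS_PROTECT drops. A fresh chain is built so the buckets start full."""
    chain = DosProtectChain(rules_text)
    return sum(chain.verdict(key, t) == "DROP" for t in sorted(times_us))


def spaced(count, gap_us, start_us=0):
    """Constructed arrival times: `count` packets `gap_us` apart."""
    return [start_us + i * gap_us for i in range(count)]


if __name__ == "__main__":
    print("150 SYNs in the same instant:  dropped", dropped("tcp:SYN", spaced(150, 0)))
    print("150 SYNs 1 ms apart:           dropped", dropped("tcp:SYN", spaced(150, 1_000)))
    print("120 SYNs, 30 more 20 ms later: dropped",
          dropped("tcp:SYN", spaced(120, 0) + spaced(30, 0, 20_000)))
    print("10 pings at 5/s:               dropped", dropped("icmp:8", spaced(10, 200_000)))
    print("1000 ACKs in the same instant: dropped", dropped("tcp:ACK", spaced(1_000, 0)))
```

Two things the dump makes clear once walked through like this. First, only three packet types are touched at all: ICMP echo requests, pure RSTs, and packets with exactly the SYN flag set, i.e. new inbound connection attempts. SYN-ACKs, ACKs and the data of established connections are never rate-limited, so an application that already holds its connections is unaffected. Second, the `limit` match keeps one bucket per rule, not per source address, so one client that burns through the 100-SYN burst gets other clients' SYNs dropped as well. For the asker's 150 connections: opened in literally the same instant, the first 100 pass and 50 SYNs are dropped (the client's TCP stack will retransmit them after its SYN retry timer, so they connect late rather than never); spread over even a few milliseconds, the bucket refills at 10 tokens per millisecond and nothing is dropped.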

Not an answer, because DoS mitigation seems to be only available in Synology DSM 5 and my NAS system can't be upgraded, and this is too long to fit into a comment.

As @EEAA mentioned, you can only do very little, but you can tune the firewall, modify kernel settings and possibly do some traffic shaping.

Maybe somebody can do a before and after check and post the diff of what toggling the DoS protection actually does to system settings?

  • iptables-save - for changes in the software firewall
  • sysctl -a - for the kernel tunables
  • tc -p qdisc show dev eth0 & tc -p class show dev eth0 - for any traffic control settings
HBruijn
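The before/after comparison this answer asks for, done for the iptables-save part, as an added example (not the answer's own code). The two dumps posted in the other answer are embedded as the sample input. The practical snag with a raw diff of iptables-save output is that the `# Generated by` / `# Completed on` comments and the per-chain packet/byte counters in the `:CHAIN POLICY [pkts:bytes]` lines change on every run, so they would show up in every comparison; the example strips those before diffing and reports only the rule lines that were actually added or removed. The `VOLATILE_RE` and `COUNTER_RE` patterns are this example's own assumptions about what to ignore.

```python
"""Diff two iptables-save snapshots, ignoring what changes on every run.

Added example, not part of the original answer. BEFORE and AFTER are the two
dumps posted above (DoS protection off, then on), embedded as sample input.
"""
import difflib
import re

BEFORE = """\
# Generated by iptables-save v1.4.21 on Sat Feb 20 23:23:24 2016
*filter
:INPUT ACCEPT [6161:1075680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5604:2995833]
:DEFAULT_INPUT - [0:0]
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
COMMIT
# Completed on Sat Feb 20 23:23:24 2016
"""

AFTER = """\
# Generated by iptables-save v1.4.21 on Sat Feb 20 23:24:27 2016
*filter
:INPUT ACCEPT [10:1306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:2003]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Sat Feb 20 23:24:27 2016
"""

# Assumed set of run-to-run noise in iptables-save output (this example's choice):
# the timestamp comments, and the [packets:bytes] counters on chain policy lines.
VOLATILE_RE = re.compile(r"^# (Generated by|Completed on) ")
COUNTER_RE = re.compile(r"\[\d+:\d+\]")


def normalize(snapshot):
    """Drop timestamp comments and zero the packet/byte counters."""
    lines = []
    for line in snapshot.splitlines():
        if VOLATILE_RE.match(line):
            continue
        lines.append(COUNTER_RE.sub("[0:0]", line))
    return lines


def diff_snapshots(before, after, strip_volatile=True):
    """Return (added, removed) lines between two iptables-save dumps."""
    a = normalize(before) if strip_volatile else before.splitlines()
    b = normalize(after) if strip_volatile else after.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(a[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(b[j1:j2])
    return added, removed


if __name__ == "__main__":
    added, removed = diff_snapshots(BEFORE, AFTER)
    print("Rules added by enabling DoS protection:")
    for line in added:
        print("  +", line)
    print("Rules removed:", removed or "none")
    raw_added, raw_removed = diff_snapshots(BEFORE, AFTER, strip_volatile=False)
    print(f"Raw diff would report {len(raw_added)} added / {len(raw_removed)} removed lines")
```

On the two dumps above this reports exactly the eight lines that create the DOS_PROTECT chain, hook it into INPUT and fill it, and nothing removed; without the normalisation the same comparison also flags the two timestamp comments and the INPUT/OUTPUT counter lines as changed. The same approach carries over to `sysctl -a` output, where the runtime-varying keys the other answer mentions need an equivalent exclusion pattern.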