XII. Firewall/Security Features

Denial of Service (DoS) Defense Setup on DrayTek Vigor Routers

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
Denial of Service
DoS
Port Scan
Smurf

DoS Defence is a firewall function designed to detect and mitigate denial-of-service attacks. The attacks are usually categorized into two types, the flooding-type attacks and the vulnerability attacks. The flooding-type attacks will attempt to exhaust all your system's resource while the vulnerability attacks will try to paralyze the system by exploiting the known vulnerabilities of a network protocol or operating system.

The DoS Defence function enables the Vigor router to inspect every incoming packet based on the attack signature database. Any malicious packet that could disable the host in the secure LAN will be strictly blocked and a Syslog message will be recorded for each occurrence.

The Vigor router will also monitor traffic for any abnormal traffic flow that violates the pre-defined threshold. Such traffic will be identified as an attack, activating the router's defensive mechanisms to mitigate in a real-time manner.

To set up DoS Defence:

  1. Go to [Firewall] > [Defence Setup] and click Enable DoS Defence
  2. Enable the defence settings to suit your application and network requirements.

See the sections below for a full explanation of what each setting does when enabled. Possible risks of enabling the various options are defined in the last section's table.


Flooding Attack Defence


Enable SYN flood defence

Once the rate of TCP SYN packets from the Internet exceeds the Threshold value, the Vigor router will start to randomly discard the subsequent TCP SYN packets for the period defined in Timeout. The goal is to prevent a stream of TCP SYN packets from exhausting the resources of the router.

By default, the threshold and timeout values are set to 2000 packets per second and 10 seconds, respectively. That means that when 2000 packets per second are received, they will be regarded as an “attack event” and the session will be paused for 10 seconds.

Enable UDP flood defence

Once the rate of UDP packets from the Internet exceeds the Threshold value, the Vigor router will drop the subsequent UDP packets for the period defined in Timeout.

The default settings for threshold and timeout are 2000 packets per second and 10 seconds, respectively. That means that when 2000 packets per second are received, they will be regarded as an “attack event” and the session will be paused for 10 seconds.

Enable ICMP flood defence

Once the rate of ICMP packets from the Internet exceeds the Threshold value, the router will discard the ICMP echo requests coming from the Internet.

The default settings for threshold and timeout are 250 packets per second and 10 seconds, respectively. That means that when 250 packets per second are received, they will be regarded as an “attack event” and the session will be paused for 10 seconds.

Enable Port Scan detection

Port Scan attacks involve sending lots of packets to many ports in an attempt to find services that respond. The Vigor router monitors the packet rate against the port-scanning Threshold and sends out a warning when malicious exploration behaviour is detected.

By default, the Vigor router sets the threshold to 2000 packets per second. That means that when 2000 packets per second are received, they will be regarded as an “attack event”.

Vulnerability Attack Defence

Block IP options

The Vigor router will ignore any IP packet with an IP option field in the datagram header. The reason for this restriction is that IP options are a security weakness for the LAN: they can carry significant information, such as security and TCC (closed user group) parameters, a series of Internet addresses, routing messages and so on, so an eavesdropper outside might learn the details of your private network.

Block Land

The Land attack combines the SYN attack technique with IP spoofing. A Land attack occurs when an attacker sends victims spoofed SYN packets whose source and destination IP addresses, as well as the port numbers, are identical.

Block Smurf

The Vigor router will ignore any broadcasting ICMP echo request.

Block Trace Route

The Vigor router will not forward any trace route packets.

Block SYN fragment

The Vigor router will drop any packets with the SYN flag and more fragment bit set.

Block Fraggle Attack

Any broadcast UDP packets received from the Internet are blocked. Activating the DoS/DDoS defence functionality might block some legal packets. For example, when you activate the fraggle attack defence, all broadcast UDP packets coming from the Internet are blocked. Therefore, the RIP packets from the Internet might be dropped.

Block TCP flag scan

Any TCP packet with an anomalous flag combination is dropped. The scanning activities covered include the no-flag scan, FIN without ACK scan, SYN/FIN scan, Xmas scan and full Xmas scan.

Block Tear Drop

Many machines may crash when receiving ICMP datagrams (packets) that exceed the maximum length. To avoid this type of attack, the Vigor router is designed to be capable of discarding any fragmented ICMP packets with a length greater than 1024 octets.

Block Ping of Death

A Ping of Death attack involves the perpetrator sending overlapping packets to the target hosts so that those hosts hang once they reconstruct the packets. The Vigor router will block any packets exhibiting this attack behaviour.

Block ICMP fragment

Any ICMP packets with more fragment bit set are dropped.

Block Unassigned Numbers

Each IP packet has a protocol field in the datagram header to indicate the protocol type running over the upper layer. However, protocol types greater than 100 are reserved and undefined at this time. Therefore, the router should have the ability to detect and reject this kind of packet.
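The items in this section are per-packet signature checks rather than rate counters. The following added example (not DrayTek code, and not a description of the router's implementation) parses raw IPv4 packets and applies the checks as the article describes them: IP options present, Land (SYN with identical source/destination address and port), SYN with the more-fragments bit, anomalous TCP flag combinations, broadcast UDP (Fraggle), broadcast ICMP echo (Smurf), fragmented ICMP, fragmented ICMP longer than 1024 octets (Tear Drop as the page defines it), and protocol numbers above 100. Trace Route and Ping of Death are omitted because the page gives no per-packet criterion for them. The broadcast heuristic, the packet builders and every address and port used are constructed for the demonstration.

```python
"""Signature checks for the 'Vulnerability Attack Defence' items.

Added example, not DrayTek code. Each check follows the article's one-line
description; the broadcast heuristic, the packet builders and all addresses
below are constructed for the demonstration.
"""
import struct

ICMP, TCP, UDP = 1, 6, 17
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MORE_FRAGMENTS = 0x2000            # MF bit in the IPv4 flags/fragment-offset field
ICMP_ECHO_REQUEST = 8


def parse(raw):
    """Extract the IPv4 and layer-4 fields the checks need (IPv4 only)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    p = {"ihl": ihl, "total_len": total_len, "mf": bool(frag & MORE_FRAGMENTS),
         "frag_off": frag & 0x1FFF, "proto": proto, "src": src, "dst": dst,
         "sport": None, "dport": None, "tcp_flags": None, "icmp_type": None}
    l4 = raw[ihl:]
    if proto == TCP and len(l4) >= 14:
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
        p["tcp_flags"] = l4[13]
    elif proto == UDP and len(l4) >= 4:
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == ICMP and len(l4) >= 1:
        p["icmp_type"] = l4[0]
    return p


def is_broadcast(addr):
    # Constructed heuristic: limited broadcast or a /24 directed broadcast.
    return addr == b"\xff\xff\xff\xff" or addr[3] == 0xFF


def check(raw):
    """Return the names of the defence items one packet would trigger."""
    p, hits = parse(raw), []
    if p["ihl"] > 20:                                  # any IP option present
        hits.append("Block IP options")
    if p["tcp_flags"] is not None:
        f = p["tcp_flags"]
        if f & SYN and p["src"] == p["dst"] and p["sport"] == p["dport"]:
            hits.append("Block Land")
        if f & SYN and p["mf"]:
            hits.append("Block SYN fragment")
        xmas = FIN | PSH | URG
        if ((f & 0x3F) == 0                            # no-flag scan
                or (f & FIN and not f & ACK)           # FIN without ACK
                or (f & SYN and f & FIN)               # SYN/FIN scan
                or (f & xmas) == xmas):                # Xmas / full Xmas
            hits.append("Block TCP flag scan")
    if p["proto"] == UDP and is_broadcast(p["dst"]):
        hits.append("Block Fraggle Attack")
    if p["proto"] == ICMP:
        if p["icmp_type"] == ICMP_ECHO_REQUEST and is_broadcast(p["dst"]):
            hits.append("Block Smurf")
        if p["mf"]:
            hits.append("Block ICMP fragment")
        if (p["mf"] or p["frag_off"]) and p["total_len"] > 1024:
            hits.append("Block Tear Drop")             # 1024-octet limit from the article
    if p["proto"] > 100:                               # rule as stated in the article
        hits.append("Block Unassigned Numbers")
    return hits


# --- constructed packet builders so the checks can be exercised offline -------
def ip(s):
    return bytes(int(o) for o in s.split("."))


def build(proto, src, dst, l4, frag=0, options=b""):
    """Assemble a constructed IPv4 packet; options must be a multiple of 4 bytes."""
    ihl_words = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                      20 + len(options) + len(l4), 0, frag, 64, proto, 0, ip(src), ip(dst))
    return hdr + options + l4


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(payload=b""):
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0, 0) + payload
```

Running `check(build(TCP, "203.0.113.5", "203.0.113.5", tcp(80, 80, SYN)))` returns `["Block Land"]`, while an ordinary SYN to a different host returns an empty list; the same packet with the more-fragments bit set trips "Block SYN fragment" only. Note that the Fraggle description on the page also applies to legitimate broadcast UDP such as RIP, which is exactly why that check has no port filter here.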

Possible Risks of Enabling Defences

UDP Flood Defence

The UDP Flood Defence function will drop UDP packets when receiving lots of UDP packets from the same source port in a short period of time. The default UDP flood threshold is 2000 packets in 10 seconds.

As a result, UDP Flood Defence can be triggered by various services that use the UDP protocol. This can include online gaming sessions, simultaneous VoIP calls, or even internet services such as Google’s QUIC (Quick UDP Internet Connections) protocol which uses UDP for streaming and browsing.

In addition, UDP Flood Defence may prevent IPsec VPN clients from running a speed test or transferring files; this includes IKEv2 and L2TP over IPsec.

When the VPN client is behind NAT, the IPsec VPN will use NAT-Traversal to pass through NAT. That means the VPN client will send packets to the remote VPN network using UDP port 4500. While running a speed test over the IPsec VPN tunnel, the LAN client sends many UDP packets, and these packets will be regarded as UDP Flood traffic by the NAT router with DoS Defence enabled.

You can disable the UDP Flood Defence function to resolve these issues. Alternatively, increase the threshold of the UDP Flood Defence to account for your network's maximum expected UDP packet rate, which is difficult to predict or calculate because different applications and usage patterns can cause UDP packet counts to vary significantly.
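To make the Threshold/Timeout behaviour of the Flooding Attack Defence section concrete, and to show why a NAT-T speed test described above trips the UDP defence, here is an added example (not DrayTek code, and not the router's implementation) of a per-class packet counter with the article's default values. Everything beyond the quoted defaults is an assumption made for the demonstration: the one-second counting window, dropping every packet of a class during the Timeout (the page says SYN packets are discarded randomly), counting UDP per protocol rather than per source port, the `Pkt` record, and the 50 Mbit/s, 1400-byte-datagram speed-test figures used to estimate a packet rate.

```python
"""Threshold/Timeout flood defence modelled on the article's description.

Added example, not DrayTek code. A packet counter per class (TCP SYN, UDP,
ICMP) raises an "attack event" when more than `threshold` packets arrive within
one second and then drops that class for `timeout` seconds. Assumptions, not
page facts: the one-second counting window, dropping every packet during the
timeout (the page says SYN packets are discarded randomly), and counting UDP
per protocol rather than per source port.
"""
from collections import namedtuple

# Constructed packet record: arrival time (s), protocol, destination port, SYN flag.
Pkt = namedtuple("Pkt", "time proto dport syn")

# Default Threshold (packets per second) and Timeout (seconds) quoted in the article.
DEFAULTS = {"SYN": (2000, 10), "UDP": (2000, 10), "ICMP": (250, 10)}


class FloodDefence:
    def __init__(self, thresholds=DEFAULTS):
        self.thresholds = dict(thresholds)
        self.window_start = {c: None for c in thresholds}  # start of current 1-s window
        self.count = {c: 0 for c in thresholds}            # packets counted in that window
        self.block_until = {c: 0.0 for c in thresholds}    # end of the active Timeout
        self.events = []                                   # (time, class) attack events

    @staticmethod
    def classify(pkt):
        if pkt.proto == "TCP":
            return "SYN" if pkt.syn else None   # only SYN segments are rate-limited
        return pkt.proto if pkt.proto in ("UDP", "ICMP") else None

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet and update the counters."""
        cls = self.classify(pkt)
        if cls is None:
            return "forward"
        if pkt.time < self.block_until[cls]:
            return "drop"                       # still inside the Timeout period
        threshold, timeout = self.thresholds[cls]
        start = self.window_start[cls]
        if start is None or pkt.time - start >= 1.0:
            self.window_start[cls], self.count[cls] = pkt.time, 0
        self.count[cls] += 1
        if self.count[cls] > threshold:         # Threshold exceeded: attack event
            self.events.append((pkt.time, cls))
            self.block_until[cls] = pkt.time + timeout
            return "drop"
        return "forward"


def run(packets, thresholds=DEFAULTS):
    """Feed packets in arrival order; return (forwarded, dropped, events)."""
    fd = FloodDefence(thresholds)
    forwarded = dropped = 0
    for pkt in packets:
        if fd.process(pkt) == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped, fd.events


def nat_t_burst(pps, seconds):
    """Constructed IPsec NAT-T speed test: `pps` UDP/4500 packets per second."""
    return [Pkt(s + i / pps, "UDP", 4500, False)
            for s in range(seconds) for i in range(pps)]


def pps_for_rate(mbit_per_s, bytes_per_packet=1400):
    """Rough packets-per-second a bulk transfer needs at a given bit rate."""
    return int(mbit_per_s * 1_000_000 / 8 / bytes_per_packet)


if __name__ == "__main__":
    # A 50 Mbit/s transfer in 1400-byte UDP datagrams is roughly 4464 packets per
    # second, more than twice the default UDP threshold of 2000.
    rate = pps_for_rate(50)
    print("speed test at default settings:", run(nat_t_burst(rate, 2))[:2])
    raised = dict(DEFAULTS, UDP=(6000, 10))
    print("speed test with UDP threshold 6000:", run(nat_t_burst(rate, 2), raised)[:2])
```

With the defaults, the constructed two-second NAT-T burst forwards only the first 2000 datagrams before the attack event and then drops everything on UDP for the rest of the Timeout; with the UDP threshold raised above the expected rate, every datagram is forwarded and no event is logged. Non-SYN TCP traffic is never counted, which is why an established download is unaffected by the SYN flood defence.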