Denial of Service (DoS) Defense Setup on DrayTek Vigor Routers
DoS Defence is a firewall function designed to detect and mitigate denial-of-service attacks. These attacks are usually categorized into two types: flooding attacks and vulnerability attacks. Flooding attacks attempt to exhaust all of your system's resources, while vulnerability attacks try to paralyse the system by exploiting known vulnerabilities in a network protocol or operating system.
The DoS Defence function enables the Vigor router to inspect every incoming packet based on the attack signature database. Any malicious packet that could disable the host in the secure LAN will be strictly blocked and a Syslog message will be recorded for each occurrence.
The Vigor router also monitors traffic for any abnormal flow that violates the pre-defined threshold. Such traffic is identified as an attack, activating the router's defensive mechanisms to mitigate it in real time.
To set up DoS Defence:
- Go to [Firewall] > [Defence Setup] and click Enable DoS Defence
- Enable the defence settings to suit your application and network requirements.
See the sections below for a full explanation of what each setting does when enabled. Possible risks of enabling the various options are defined in the last section's table.
Flooding Attack Defence

| Item | Description |
| --- | --- |
| Enable SYN flood defence | Once the rate of TCP SYN packets from the Internet exceeds the Threshold value, the Vigor router starts to randomly discard the subsequent TCP SYN packets for the period defined in Timeout. The goal is to prevent TCP SYN packets from exhausting the resources of the router. By default, the threshold and timeout values are 2000 packets per second and 10 seconds, respectively. That means that when 2000 packets per second are received, they are regarded as an "attack event" and the session is paused for 10 seconds. |
| Enable UDP flood defence | Once the rate of UDP packets from the Internet exceeds the Threshold value, the Vigor router drops the subsequent UDP packets for the period defined in Timeout. The default threshold and timeout are 2000 packets per second and 10 seconds, respectively. That means that when 2000 packets per second are received, they are regarded as an "attack event" and the session is paused for 10 seconds. |
| Enable ICMP flood defence | Once the rate of ICMP packets from the Internet exceeds the Threshold value, the router discards the ICMP echo requests coming from the Internet. The default threshold and timeout are 250 packets per second and 10 seconds, respectively. That means that when 250 packets per second are received, they are regarded as an "attack event" and the session is paused for 10 seconds. |
| Enable Port Scan detection | Port scan attacks involve sending many packets to many ports in an attempt to find services that respond. When enabled, the Vigor router monitors the port-scanning rate against the Threshold and sends out a warning if malicious probing behaviour is detected. By default, the Vigor router sets the threshold to 2000 packets per second. That means that when 2000 packets per second are received, they are regarded as an "attack event". |
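The threshold/timeout behaviour in the table above can be modelled to see how a given packet rate is handled. The following is an added example, not DrayTek firmware code; the `FloodDefence` class, its `packet` method and the `simulate` helper are hypothetical names, and the per-second window and 50/50 random discard for SYN are assumptions about the mechanism the table describes.

```python
import random


class FloodDefence:
    """Per-second packet counter with an 'attack event' state (hypothetical class,
    not Vigor firmware). Once more than `threshold` packets arrive within one
    second, further packets are dropped for `timeout` seconds; with
    `drop_randomly=True` each drop is a coin flip, mirroring the SYN defence."""

    def __init__(self, threshold=2000, timeout=10, drop_randomly=False, seed=0):
        self.threshold = threshold
        self.timeout = timeout
        self.drop_randomly = drop_randomly
        self.rng = random.Random(seed)
        self.window_start = None   # start time of the current one-second window
        self.count = 0             # packets seen in that window
        self.blocked_until = None  # end of the current attack event, if any
        self.events = []           # constructed stand-ins for the Syslog records

    def packet(self, t):
        """Return True if a packet arriving at time t (seconds) is forwarded."""
        if self.blocked_until is not None and t < self.blocked_until:
            # Inside an attack event: drop (randomly for SYN, always otherwise).
            return self.drop_randomly and self.rng.random() >= 0.5
        if self.window_start is None or t - self.window_start >= 1.0:
            self.window_start, self.count = t, 0   # open a new one-second window
        self.count += 1
        if self.count > self.threshold:
            self.blocked_until = t + self.timeout
            self.events.append(f"attack event at t={t:.3f}s; dropping until t={self.blocked_until:.3f}s")
            return False
        return True


def simulate(defence, rate, seconds):
    """Send `rate` evenly spaced packets per second for `seconds` seconds;
    return (forwarded, dropped) counts."""
    forwarded = dropped = 0
    for i in range(int(rate * seconds)):
        if defence.packet(i / rate):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    udp = FloodDefence(threshold=2000, timeout=10)
    print("UDP at 3000 pps for 1 s:", simulate(udp, 3000, 1), udp.events)
    syn = FloodDefence(threshold=2000, timeout=10, drop_randomly=True)
    print("SYN at 3000 pps for 1 s:", simulate(syn, 3000, 1))
```

Running the UDP case with the default values shows the first 2000 packets forwarded and everything after the trigger dropped until the 10-second timeout expires, which is the same behaviour that catches legitimate UDP-heavy traffic in the risks section below.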
Vulnerability Attack Defence

| Item | Description |
| --- | --- |
| Block IP options | The Vigor router ignores any IP packet with an IP option field in the datagram header. IP options are treated as a security weakness for the LAN because they can carry significant information, such as security and TCC (closed user group) parameters, a series of Internet addresses, routing messages, etc. An eavesdropper outside might learn the details of your private networks. |
| Block Land | A Land attack combines the SYN attack technique with IP spoofing. It occurs when an attacker sends victims spoofed SYN packets whose source and destination addresses, as well as port numbers, are identical. |
| Block Smurf | The Vigor router ignores any broadcast ICMP echo request. |
| Block Trace Route | The Vigor router does not forward any trace route packets. |
| Block SYN fragment | The Vigor router drops any packet with both the SYN flag and the more-fragments bit set. |
| Block Fraggle Attack | Any broadcast UDP packets received from the Internet are blocked. Note that activating DoS/DDoS defence functions might block some legitimate packets: because fraggle attack defence blocks all broadcast UDP packets coming from the Internet, RIP packets from the Internet might be dropped. |
| Block TCP flag scan | Any TCP packet with an anomalous flag combination is dropped. The scan types covered include the null (no flag) scan, FIN without ACK scan, SYN FIN scan, Xmas scan and full Xmas scan. |
| Block Tear Drop | Many machines may crash when receiving ICMP datagrams (packets) that exceed the maximum length. To avoid this type of attack, the Vigor router discards any fragmented ICMP packet with a length greater than 1024 octets. |
| Block Ping of Death | A Ping of Death attack involves sending overlapping packets to target hosts so that they hang once they reassemble the packets. The Vigor router blocks any packets exhibiting this behaviour. |
| Block ICMP fragment | Any ICMP packet with the more-fragments bit set is dropped. |
| Block Unassigned Numbers | Each IP packet has a protocol field in the datagram header that indicates the upper-layer protocol. Protocol numbers greater than 100 are reserved and undefined at this time, so the router detects and rejects packets carrying them. |
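Most entries in the table above are stateless per-packet signatures. As an added example (not DrayTek firmware code), the following Python models several of those checks over constructed packet headers: the `Packet` class, `tcp_flag_anomaly` and `inspect` are hypothetical names, the `Packet` fields stand in for header bits a real parser would extract, and the Unassigned Numbers check uses the page's own cut-off of 100.

```python
from dataclasses import dataclass

SYN, ACK, FIN, PSH, URG, RST = "SYN", "ACK", "FIN", "PSH", "URG", "RST"
ALL_FLAGS = frozenset({SYN, ACK, FIN, PSH, URG, RST})

@dataclass
class Packet:
    """Only the header fields the checks need (constructed, not a real parser)."""
    src: str
    dst: str
    proto: int                        # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag names present
    more_fragments: bool = False      # IP "more fragments" bit
    ip_options: bool = False          # IP option field present in the header
    broadcast_dst: bool = False       # destination is a broadcast address
    icmp_echo_request: bool = False

def tcp_flag_anomaly(flags):
    """Name the scan type a TCP flag set matches, or None if it looks normal."""
    f = set(flags)
    if not f:
        return "null scan"
    if f == ALL_FLAGS:
        return "full Xmas scan"
    if {SYN, FIN} <= f:
        return "SYN FIN scan"
    if f == {FIN, PSH, URG}:
        return "Xmas scan"
    if FIN in f and ACK not in f:
        return "FIN without ACK scan"
    return None

# (table entry, predicate) pairs in the order they are applied
CHECKS = [
    ("Block IP options", lambda p: p.ip_options),
    ("Block Land", lambda p: p.proto == 6 and p.src == p.dst and p.sport == p.dport),
    ("Block Smurf", lambda p: p.proto == 1 and p.broadcast_dst and p.icmp_echo_request),
    ("Block SYN fragment", lambda p: p.proto == 6 and SYN in p.flags and p.more_fragments),
    ("Block Fraggle Attack", lambda p: p.proto == 17 and p.broadcast_dst),
    ("Block TCP flag scan", lambda p: p.proto == 6 and tcp_flag_anomaly(p.flags) is not None),
    ("Block ICMP fragment", lambda p: p.proto == 1 and p.more_fragments),
    ("Block Unassigned Numbers", lambda p: p.proto > 100),   # cut-off as the page states it
]

def inspect(p):
    """Return the first table entry that would drop the packet, or None if it passes."""
    return next((name for name, hit in CHECKS if hit(p)), None)
```

A normal SYN to a unicast address, a FIN/ACK teardown and a unicast echo request all pass, while a source-equals-destination SYN, a null-flag TCP segment or a broadcast UDP datagram return the matching table entry.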
Possible Risks of Enabling Defences

| Item | Description |
| --- | --- |
| UDP Flood Defence | The UDP Flood Defence function drops UDP packets when it receives many UDP packets from the same source port in a short period of time. The default UDP flood threshold is 2000 packets in 10 seconds. As a result, UDP Flood Defence can be triggered by various services that use the UDP protocol, including online gaming sessions, simultaneous VoIP calls, or even Internet services such as Google's QUIC (Quick UDP Internet Connections) protocol, which uses UDP for streaming and browsing. In addition, UDP Flood Defence may prevent IPsec VPN clients, including IKEv2 and L2TP over IPsec, from running a speed test or transferring files. You can disable the UDP Flood Defence function to resolve these issues. Alternatively, increase the UDP Flood Defence threshold to allow for your network's maximum expected UDP packet rate, although this is difficult to predict or calculate because different applications and usage patterns cause UDP packet counts to vary significantly. |
- First Published: 16/12/2020
- Last Updated: 22/04/2021