DOS Protection

bertilak

Regular Contributor
Does anyone here enable DOS protection in their ASUS router? I ask to see if there are any gotchas or if there is any reason to do so.

I use the ASUS-supplied firmware.

I am on CenturyLink fiber behind a CenturyLink modem/router. I can log on and see/set the CL Router's configuration. It has no settings obviously about DOS.
 
The TCP rules below are also likely part of DoS protection.
Code:
# iptables -S | grep SECURITY
-N SECURITY
-A FORWARD -i eth0 -j SECURITY
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN

# iptables -L SECURITY
Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere
On the bad side, for example, a webserver could trigger these rules and availability would be intermittent.

On the good side, consumer internet access customers would not ordinarily be hosting anything. If there is an attack, dropping packets makes the attacking code hang until timeout instead of immediately being refused. This slows the attack and provides less information, perhaps slow enough for it to be contained within your ISP bandwidth, but perhaps not.
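
An added example, not part of the original thread: a simplified token-bucket model of the `--limit 1/sec` rules quoted above (burst 5, as shown in the `iptables -L` output), illustrating why a forwarded web server would see intermittent availability. The rules have no per-source match, so every new connection forwarded from eth0 draws on one shared bucket; evenly spaced SYNs and the `limit_sim` helper are assumptions of the model.

```shell
# Simplified token-bucket model of `-m limit --limit 1/sec` with burst 5.
# Credit is tracked in milli-tokens: 1000 = one packet, refill = 1 per ms.
# Usage: limit_sim SYNS_PER_SEC SECONDS   -> prints "accepted dropped"
limit_sim() {
    rate=$1
    seconds=$2
    cap=5000                      # burst 5
    credit=$cap                   # the bucket starts full
    interval=$((1000 / rate))     # ms between evenly spaced SYNs (assumption)
    total=$((rate * seconds))
    accepted=0
    dropped=0
    n=0
    while [ "$n" -lt "$total" ]; do
        if [ "$n" -gt 0 ]; then
            credit=$((credit + interval))   # refill since the previous SYN
            if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        fi
        if [ "$credit" -ge 1000 ]; then
            credit=$((credit - 1000))       # limit rule matches: RETURN
            accepted=$((accepted + 1))
        else
            dropped=$((dropped + 1))        # falls through to logdrop
        fi
        n=$((n + 1))
    done
    echo "$accepted $dropped"
}

limit_sim 1 10    # 10 0   one new connection per second: nothing dropped
limit_sim 10 10   # 14 86  ten per second: burst of 5, then about 1/sec
```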
 
My router has the same iptables config, but DOS is off. Perhaps those are part of normal firewall settings. This is exactly like my system:
a2940849-297a-4c63-ac34-003de79ce602.gif
 
Whether the rules are in effect depends upon "-A FORWARD -i eth0 -j SECURITY".

I would be surprised if
  • DoS protection is disabled
  • and the FORWARD were in the output of "iptables -S"
 
Well, the router claims DOS is disabled. See screenshot above.

iptables has a bunch of SECURITY rules and a bunch of FORWARD rules but no "-A FORWARD -i eth0 -j SECURITY".
 
Do these change after a reboot and waiting at least 10 minutes for the router to become idle?

Is this a difference between stock and RMerlin firmware versions?

After flashing the current firmware, was a full reset to factory defaults performed? Followed by a minimal and manual configuration of the router to just secure it and connect to the ISP?
 
@bertilak confirmed that the FORWARD rule (-A FORWARD -i eth0 -j SECURITY) which enables DoS Protection (via the iptables SECURITY chain) is missing.

This is as expected since DoS Protection is not enabled. What had been noticed is that the DoS rules are defined whether or not they are actually used.
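
An added example, not part of the original thread: one way to check from `iptables -S` output whether a chain such as SECURITY is actually reached or merely defined. The `chain_state` helper is hypothetical, and the sample rule sets are constructed from the rules quoted in this thread (the ACCEPT rule in the second set is a stand-in for the unlisted FORWARD rules).

```shell
# Classify a chain from `iptables -S` output read on stdin.
# Prints: active (another chain jumps to it), defined-unused, or absent.
chain_state() {
    chain=$1
    awk -v c="$chain" '
        $1 == "-N" && $2 == c { defined = 1 }
        $1 == "-A" && $2 != c {
            # look for a jump or goto into the chain from any other chain
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && $(i + 1) == c) used = 1
        }
        END {
            if (used) print "active"
            else if (defined) print "defined-unused"
            else print "absent"
        }'
}

# Constructed sample: DoS protection enabled (FORWARD jumps to SECURITY).
RULES_DOS_ON='-N SECURITY
-A FORWARD -i eth0 -j SECURITY
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN'

# Constructed sample: chain defined, but nothing jumps to it.
RULES_DOS_OFF='-N SECURITY
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN'

printf '%s\n' "$RULES_DOS_ON"  | chain_state SECURITY   # active
printf '%s\n' "$RULES_DOS_OFF" | chain_state SECURITY   # defined-unused
```

On the router itself the same check is `iptables -S | chain_state SECURITY`.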
 
I'm trying to confirm if this is a case of inter-firmware interactions that a full reset to factory defaults would clear up. :)
 
Uptime is 1 days 4 hours 27 minute(s) 1 seconds. That is more than 10 minutes.

Everything seems to be just as expected. I never enabled DOS, the router's web page reports it as disabled and it seems to be properly disabled per iptables so there is no apparent reason to go through a forensic exercise to prove or disprove anything.

The original post was a question about the WISDOM of enabling DOS protection and the possible consequences, not a question about HOW to enable it nor how to verify that it is properly enabled or disabled.

P.S. I have never used RMerlin firmware.
 
I think you're missing the point of my post.

EmeraldDeer is using RMerlin firmware, you are not. That may be important.

A GUI initiated reboot allows the firmware to shut down and boot up gracefully. That is usually sufficient to put certain settings as they should. ;)

I also don't care if it's properly enabled or disabled. But I do care that the reporting here is as accurate as it can be. ;)

My original questions stand. I don't know if or how they would affect the outcome, but they may.
 
To get back to my original question...
  1. No one jumped in and said I'd be a fool NOT to enable DoS protection.
  2. Disabled is the factory default.
  3. A DoS attack would likely succeed or fail as it hit the CenturyLink router and, either way, never get to my router. After all, it's the router's address that is visible to the world.
Bottom line -- I'll leave it alone -- not enabled.

Thanks for the help, even if the help was basically a LACK of excitement about ignoring the setting -- number 1 above.
 
Or, you can just be a little more patient and wait until others come by and see this thread too. :)
 
Doing nothing and patience go well together. :)

Yes, but your posts seem like you wanted answers and you wanted answers, now! :D
 
Does anyone here enable DOS protection in their ASUS router?
FWIW I've never enabled DOS protection on any of the routers I've owned. But then I don't have any services exposed to the internet which might create attention.
 
