
DOS Protection

Discussion in 'ASUS AC Routers & Adapters' started by bertilak, Apr 19, 2019.

  1. bertilak

    bertilak Occasional Visitor

    Joined:
    Jun 16, 2018
    Messages:
    12
    Does anyone here enable DOS protection in their ASUS router? I ask to see if there are any gotchas or if there is any reason to do so.

    I use the ASUS-supplied firmware.

    I am on CenturyLink fiber behind a CenturyLink modem/router. I can log on and see/set the CL Router's configuration. It has no settings obviously about DOS.
     
    Last edited: Apr 19, 2019
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
  3. EmeraldDeer

    EmeraldDeer Senior Member

    Joined:
    Dec 22, 2017
    Messages:
    490
    Location:
    Massachusetts
    The TCP rules below are also likely part of DoS protection.
    Code:
    # iptables -S | grep SECURITY
    -N SECURITY
    -A FORWARD -i eth0 -j SECURITY
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
    -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
    -A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
    -A SECURITY -j RETURN
    
    # iptables -L SECURITY
    Chain SECURITY (1 references)
    target     prot opt source               destination
    RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
    logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
    RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
    RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
    logdrop    icmp --  anywhere             anywhere             icmp echo-request
    RETURN     all  --  anywhere             anywhere
    
    On the bad side, for example, a webserver could trigger these rules and availability would be intermittent.

    On the good side, consumer internet access customers would not ordinarily be hosting anything. If there is an attack, dropping packets makes the attacking code hang until timeout instead of immediately being refused. This slows the attack and provides less information, perhaps slow enough for it to be contained within your ISP bandwidth, but perhaps not.
     
  4. bertilak

    bertilak Occasional Visitor

    Joined:
    Jun 16, 2018
    Messages:
    12
    My router has the same iptables config, but DOS is off. Perhaps those are part of normal firewall settings. This is exactly like my system:
    [IMG]
     
  5. EmeraldDeer

    EmeraldDeer Senior Member

    Joined:
    Dec 22, 2017
    Messages:
    490
    Location:
    Massachusetts
    Whether the rules are in effect depends upon "-A FORWARD -i eth0 -j SECURITY".

    I would be surprised if
    • DoS protection is disabled
    • and the FORWARD were in the output of "iptables -S"
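    An added example, not code from the thread or from the ASUS/Merlin firmware: a small Python script that parses `iptables -S` output of the shape EmeraldDeer quoted above and reports (a) whether the SECURITY chain is defined, (b) whether it is actually hooked from FORWARD (the "-A FORWARD -i eth0 -j SECURITY" line that EmeraldDeer identifies as the switch), and (c) which traffic classes the chain rate-limits before falling through to logdrop. Both sample rule sets are constructed from the thread's listing: one with the FORWARD hook, one without it, matching what bertilak reported. Chain names (SECURITY, logdrop) are taken from the thread; the function names are the example's own.

```python
"""Check whether an ASUS-style iptables SECURITY chain is defined and active."""

# Constructed sample: the `iptables -S` lines quoted in the thread, with the
# FORWARD hook present (DoS Protection enabled).
RULES_ENABLED = """\
-N SECURITY
-A FORWARD -i eth0 -j SECURITY
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
"""

# Constructed sample: same chain definition, FORWARD hook absent
# (the situation bertilak reported with DoS Protection disabled).
RULES_DISABLED = "\n".join(
    line for line in RULES_ENABLED.splitlines() if not line.startswith("-A FORWARD")
) + "\n"


def parse_rules(text):
    """Turn `iptables -S` '-A' lines into dicts; '-N' and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "proto": None, "match": None,
                "limit": None, "target": None, "in_iface": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-p":
                rule["proto"] = toks[i + 1]; i += 2
            elif t == "--tcp-flags":          # mask then comparison, e.g. FIN,SYN,RST,ACK SYN
                rule["match"] = f"tcp-flags {toks[i + 1]}/{toks[i + 2]}"; i += 3
            elif t == "--icmp-type":
                rule["match"] = f"icmp-type {toks[i + 1]}"; i += 2
            elif t == "--limit":              # average rate from the limit match
                rule["limit"] = toks[i + 1]; i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            elif t == "-i":
                rule["in_iface"] = toks[i + 1]; i += 2
            else:                             # '-m tcp', '-m limit', etc. carry no data we need
                i += 1
        rules.append(rule)
    return rules


def chain_is_hooked(rules, chain="SECURITY", parent="FORWARD"):
    """True only if some rule in `parent` jumps to `chain`; a defined but
    unreferenced chain never sees traffic."""
    return any(r["chain"] == parent and r["target"] == chain for r in rules)


def rate_limited_classes(rules, chain="SECURITY"):
    """Map each traffic class to its allowed rate: a class counts only when a
    limit+RETURN rule is paired with a logdrop rule for the same match."""
    limits, drops = {}, set()
    for r in rules:
        if r["chain"] != chain or r["match"] is None:
            continue
        if r["target"] == "RETURN" and r["limit"]:
            limits[r["match"]] = r["limit"]
        elif r["target"] == "logdrop":
            drops.add(r["match"])
    return {m: lim for m, lim in limits.items() if m in drops}


def dos_protection_status(text):
    """Summarise what the rule dump says about the SECURITY chain."""
    rules = parse_rules(text)
    return {
        "chain_defined": any(r["chain"] == "SECURITY" for r in rules),
        "active": chain_is_hooked(rules),
        "limits": rate_limited_classes(rules),
    }


if __name__ == "__main__":
    for name, text in (("enabled", RULES_ENABLED), ("disabled", RULES_DISABLED)):
        print(name, dos_protection_status(text))
```

    On a router you would feed the script the real `iptables -S` output instead of the constructed samples; the point it makes is the one EmeraldDeer raises: the SECURITY rules being present proves nothing by itself, and only the FORWARD hook decides whether SYN, RST and echo-request traffic is being limited to the configured rate before being dropped.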
     
  6. bertilak

    bertilak Occasional Visitor

    Joined:
    Jun 16, 2018
    Messages:
    12
    Well, the router claims DOS is disabled. See screenshot above.

    iptables has a bunch of SECURITY rules and a bunch of FORWARD rules but no "-A FORWARD -i eth0 -j SECURITY".
     
  7. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
    Do these change after a reboot and waiting at least 10 minutes for the router to become idle?

    Is this a difference between stock and RMerlin firmware versions?

    After flashing the current firmware, was a full reset to factory defaults performed? Followed by a minimal and manual configuration of the router to just secure it and connect to the ISP?
     
  8. EmeraldDeer

    EmeraldDeer Senior Member

    Joined:
    Dec 22, 2017
    Messages:
    490
    Location:
    Massachusetts
    @bertilak confirmed that the FORWARD rule (-A FORWARD -i eth0 -j SECURITY) which enables DoS Protection (via the iptables SECURITY chain) is missing.

    This is as expected since DoS Protection is not enabled. What had been noticed is that the DoS rules are defined whether or not they are actually used.
     
    L&LD likes this.
  9. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
    I'm trying to confirm if this is a case of inter-firmware interactions that a full reset to factory defaults would clear up. :)
     
  10. bertilak

    bertilak Occasional Visitor

    Joined:
    Jun 16, 2018
    Messages:
    12
    Uptime is 1 days 4 hours 27 minute(s) 1 seconds. That is more than 10 minutes.

    Everything seems to be just as expected. I never enabled DOS, the router's web page reports it as disabled and it seems to be properly disabled per iptables so there is no apparent reason to go through a forensic exercise to prove or disprove anything.

    The original post was a question about the WISDOM of enabling DOS protection and the possible consequences, not a question about HOW to enable it nor how to verify that it is properly enabled or disabled.

    P.S. I have never used RMerlin firmware.
     
    Ronald Schwerer likes this.
  11. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    604
    There's never been a router our good friend @L&LD didn't want to reset. :D
     
    #TY, Ronald Schwerer and L&LD like this.
  12. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
    I think you're missing the point of my post.

    EmeraldDeer is using RMerlin firmware, you are not. That may be important.

    A GUI initiated reboot allows the firmware to shut down and boot up gracefully. That is usually sufficient to put certain settings as they should. ;)

    I also don't care if it's properly enabled or disabled. But I do care that the reporting here is as accurate as it can be. ;)

    My original questions stand. I don't know if or how they would affect the outcome, but they may.
     
    Dave Parker likes this.
  13. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
    Just asking, just asking. :)
     
  14. bertilak

    bertilak Occasional Visitor

    Joined:
    Jun 16, 2018
    Messages:
    12
    To get back to my original question...
    1. No one jumped in and said I'd be a fool NOT to enable DoS protection.
    2. Disabled is the factory default.
    3. A DoS attack would likely succeed or fail as it hit the CenturyLink router and, either way, never get to my router. After all, it's the router's address that is visible to the world.
    Bottom line -- I'll leave it alone -- not enabled.

    Thanks for the help, even if the help was basically a LACK of excitement about ignoring the setting -- number 1 above.
     
  15. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
    Or, you can just be a little more patient and wait until others come by and see this thread too. :)
     
    Dave Parker likes this.
  16. bertilak

    bertilak Occasional Visitor

    Joined:
    Jun 16, 2018
    Messages:
    12
    Doing nothing and patience go well together. :)
     
    Dave Parker and L&LD like this.
  17. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,105
    Yes, but your posts seem like you wanted answers and you wanted answers, now! :D
     
    Dave Parker likes this.
  18. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,309
    Location:
    UK
    FWIW I've never enabled DOS protection on any of the routers I've owned. But then I don't have any services exposed to the internet which might create attention.
     
  19. DarkKnight75

    DarkKnight75 Occasional Visitor

    Joined:
    Apr 18, 2019
    Messages:
    17
    Mine is on...no services on the internet.
     
  20. Ronald Schwerer

    Ronald Schwerer Senior Member

    Joined:
    Jan 8, 2017
    Messages:
    307
    What's the down-side of turning DoS ON for plain-old everyday home usage?