On the Anti-DoS/Flooding tab you can configure certain options aimed at defending Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Generally speaking, DoS and DDoS attacks try to make a computer resource unavailable for legitimate requests. In the simplest case, the attacker overloads the server with useless packets in order to overload its performance. Since a large bandwidth is required for such attacks, more and more attackers start using so-called SYN flood attacks, which do not aim at overloading the bandwidth, but at blocking the system resources. For this purpose, they send so-called SYN packets to the TCP port of the service often with a forged sender address, thus causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet, and waiting for an TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests.
Such attacks, however, can be prevented by limiting the amount of SYN (TCP), UDP, and ICMP packets being sent into your network over a certain period of time.
To enable SYN (TCP) flood protection, proceed as follows:
- On the Anti-DoS/Flooding tab, select the checkbox Use TCP SYN Flood Protection.
Make the following settings:
Mode: The following modes are available:
- Source and destination addresses: Select this option if you want to drop SYN packets by both their source and destination IP address. First, SYN packets matching the source IP address are restricted to the source packet rate value specified below. Second, if there are still too many requests, they will additionally be filtered according to their destination IP address and restricted to the destination packet rate value specified below. This mode is set as default.
- Destination address only: Select this option if you want to drop SYN packets according to the destination IP address and destination packet rate only.
- Source address only: Select this option if you want to drop SYN packets according to the source IP address and source packet rate only.
Logging: This option lets you select the log level. The following levels are available:
- Off: Select this log level if you want to turn logging completely off.
- Limited: Select this log level to limit logging to five packets per seconds. This level is set as default.
- Everything: Select this log level if you want verbose logging for all SYN (TCP) connection attempts. Note that SYN (TCP) flood attacks may lead to extensive logging.
Source packet rate: Here you can specify the rate of packets per second that is allowed for source IP addresses.
Note – It is important to enter reasonable values here, for if you set the rate too high, your webserver, for instance, might fail because it cannot deal with such an amount of SYN (TCP) packets. On the other hand, if you set the rate too low, your gateway might show some unpredictable behavior by blocking regular SYN (TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate for your system.
Your settings will be saved.
UDP Flood Protection detects and blocks UDP packet floods. The configuration of UDP Flood Protection is identical to TCP SYN Flood Protection.
ICMP Flood Protection detects and blocks ICMP packet floods. The configuration of ICMP Flood Protection is identical to TCP SYN Flood Protection.