What does enable DoS protection in Synology DSM 5 do

denial-of-servicedsmsynology

If I open Control Panel > Security > Protection, check Enable DoS Protection and click Apply, what kind of traffic gets blocked?

The text reads "Denial-of-Service (DoS) protection helps to prevent malicious attacks over the internet."

I cannot find more detailed information about this.

What more precisely does this DoS protection do except helping to "prevent malicious attacks"? How does it know which are malicious attacks and which are valid requests?

I need some better definition of what gets blocked, so I do not happen to block valid traffic by mistake if I enable this.

And in this particular case, I need to support an application that unfortunately needs to make about 150 connections simultaneously or in quick succession…

Best Answer

Not an answer yet, but some input:

iptables-save output on "DSM 5.2-5644 Update 5":

With DoS protection off:

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:23:24 2016
*filter
:INPUT ACCEPT [6161:1075680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5604:2995833]
:DEFAULT_INPUT - [0:0]
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
COMMIT
# Completed on Sat Feb 20 23:23:24 2016

With DoS protection on:

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:24:27 2016
*filter
:INPUT ACCEPT [10:1306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:2003]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Sat Feb 20 23:24:27 2016

No relevant changes between the respective outputs of sysctl -a (only runtime values change, like inode number)

In all cases, tc -p class show dev eth0 and tc -p qdisc show dev eth0 show default settings.

> tc -p class show dev eth0
class mq :1 root 
class mq :2 root 
class mq :3 root 
class mq :4 root 
class mq :5 root 
class mq :6 root 
class mq :7 root 
class mq :8 root 
> tc -p qdisc show dev eth0
qdisc mq 0: root

Related Solutions

Nginx – Accessing synology DSM behind nginx reverse proxy

I managed to get it working, not sure why

Only port 443 somehow reacted
It was all white before until I c/ced all the header from location / to location for image caching.

    upstream nas {
           server 192.168.0.123:443;
    }

    server {
            listen 80;
            return 302 https://$server_name$request_uri;
    }

    server {
        server_name nas.my.domain;

        listen 443 ssl http2;
        # listen [::]:443 ssl http2;

        access_log  /var/log/nginx/nas.access.log;
        error_log   /var/log/nginx/nas.error.log;

            ssl_certificate /etc/letsencrypt/live/nas.my.domain/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/nas.my.domain/privkey.pem;
            include /etc/nginx/include/diffie-hellman;

            client_max_body_size 2m;

            location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff|)$ {
                access_log off;
                expires 30d;
                add_header Pragma public;
                add_header Cache-Control "public, mustrevalidate, proxy-revalidate";
                proxy_set_header HOST $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-NginX-Proxy true;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
                proxy_pass https://nas;
                proxy_redirect off;
                proxy_buffering off;
            }

            location / {
                proxy_set_header HOST $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-NginX-Proxy true;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
                proxy_pass https://nas;
                proxy_redirect off;
                proxy_buffering off;
            }

    }

How to use .htaccess in a non open-basedir path of Synology/DSM 6.1

I finally figure out the problem. The latest versions of DSM are using nginx by default instead of apache, as a web server. And nginx is not using htaccess files.

Best Answer

Related Solutions

Nginx – Accessing synology DSM behind nginx reverse proxy

How to use .htaccess in a non open-basedir path of Synology/DSM 6.1

Related Topic