Introduction to Denial of Service (DoS) Defense

Vigor Router provides a Denial of Service (DoS) Defense feature to protect users from attacks from unknown sources. This note uses UDP flood defense and the blacklist as examples: when the router detects a UDP attack, it blocks Internet access for a timeout period, and when it sees an IP from the blacklist, it blocks that IP's access. Users can receive alert logs through the DrayTek Syslog utility software.

Configuring DoS Defense by UDP flood defense

1. Go to Firewall >> DoS Defense.

  1. Click Enable DoS Defense.
  2. Click Enable UDP flood Defense.
  3. Enter the Threshold number.

About the Threshold

Note that the threshold rate must be adjusted according to the user's Internet bandwidth. For instance, the maximum MTU in the router is 1500 bytes; let's take a threshold of 2000 as an example.

(Packet number) * (MTU) * 8 (bytes to bits) / 1,000,000 = Data flow (Mbps).
Packet number = Data flow (Mbps) * 1,000,000 / 8 / (MTU).
2,000 = 24 (Mbps) * 1,000,000 / 8 / 1,500.

Since a UDP flood attack isn't likely to use the maximum MTU for transmission, a threshold of 2000 packets/sec is recommended for users with 20 Mbps of bandwidth. The following list gives recommendations for users with various bandwidths. If users have a specific need for UDP transmission, please set the threshold more carefully.

20M Bandwidth: 2,000 (packets/sec)
60M Bandwidth: 5,000 (packets/sec)
100M Bandwidth: 8,000 (packets/sec)
300M Bandwidth: 25,000 (packets/sec)
500M Bandwidth: 42,000 (packets/sec)
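The threshold formula above, generalised to any packet size so legitimate UDP traffic can be checked against a chosen threshold. This is an added example, not DrayTek code; the flow list is constructed sample data, and it assumes the defense triggers once the UDP packet rate passes the threshold.

```python
MTU_BYTES = 1500  # maximum MTU stated on the page

# Recommendation list from the page: bandwidth (Mbps) -> threshold (packets/sec)
RECOMMENDED = {20: 2000, 60: 5000, 100: 8000, 300: 25000, 500: 42000}

def data_flow_mbps(packets_per_sec, packet_bytes=MTU_BYTES):
    """(Packet number) * (packet size) * 8 / 1,000,000 = Data flow (Mbps)."""
    return packets_per_sec * packet_bytes * 8 / 1_000_000

def packet_rate(mbps, packet_bytes=MTU_BYTES):
    """Packet number = Data flow (Mbps) * 1,000,000 / 8 / (packet size)."""
    return mbps * 1_000_000 / 8 / packet_bytes

def table_at_mtu():
    """Data flow each recommended threshold represents at full 1500-byte packets."""
    return {bw: data_flow_mbps(pps) for bw, pps in RECOMMENDED.items()}

def audit_legit_udp(threshold_pps, flows):
    """flows: (name, Mbps, average packet bytes) of expected legitimate UDP traffic.
    Returns (total packets/sec, total Mbps, True if the threshold would be passed)."""
    total_pps = sum(packet_rate(mbps, size) for _, mbps, size in flows)
    total_mbps = sum(mbps for _, mbps, _ in flows)
    return total_pps, total_mbps, total_pps > threshold_pps

# Constructed sample: small-packet UDP applications on a 20M line.
SAMPLE_FLOWS = [
    ("voip",       2.0, 200),   # 1250 packets/sec
    ("video call", 3.0, 1000),  #  375 packets/sec
    ("game",       1.0, 250),   #  500 packets/sec
]

if __name__ == "__main__":
    for bw, mbps in table_at_mtu().items():
        print(f"{bw}M tier: {RECOMMENDED[bw]} pps = {mbps:.0f} Mbps at MTU {MTU_BYTES}")
    pps, mbps, tripped = audit_legit_udp(RECOMMENDED[20], SAMPLE_FLOWS)
    print(f"legit UDP: {mbps:.0f} Mbps, {pps:.0f} pps, passes threshold: {tripped}")
```

In the sample, 6 Mbps of small-packet UDP already exceeds the 2,000 packets/sec setting, which is the case where the threshold needs to be raised above the listed value.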


Receiving defense alert logs

1. To receive Syslog alerts about DoS, go to System Maintenance >> Syslog / Mail Alert to set up Syslog Access.

  1. Check the Enable state.
  2. Enter the Server IP.
  3. Check the Firewall Log state.
  4. Click the OK button to apply the settings.

Check the Firewall Syslog list in the DrayTek Syslog Utility. The network administrator will receive an alert from the router when the router is under attack.

 

Configuring DoS Defense by White/Black List:

1. Go to Firewall >> DoS Defense.

  1. Click Enable DoS Defense.
  2. Click the white/black List Option.

  3. Enter IPs into the IP whitelist or IP blacklist; they will be allowed to access or blocked from accessing your router, respectively.

Receiving defense alert logs:

Check the Firewall Syslog list in the DrayTek Syslog Utility. The network administrator will receive an alert from the router when an IP in the blacklist attempts to access it.

Then go to Diagnostics >> Syslog Explorer on the router's setup page; there you will also see that the IP is blocked.

Published On: Jul 08, 2019 
