DDoS protection
Protection against DoS attacks and SYN floods is built into the Linux kernel used in the Keenetic device's operating system. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are based on opening a large number of connections to the device. From the target's point of view, DDoS traffic is indistinguishable from peer-to-peer network activity. Due to their nature, DDoS attacks, and therefore protection against them, are not particularly relevant for home access devices or the SOHO segment. DDoS attacks are usually directed at corporate infrastructure, public websites, data centres, etc., and are usually mitigated effectively on the provider's side.
Starting with OS version 4.3, Keenetic devices have improved network security thanks to automatic protection against DDoS attacks, which aims to prevent the conntrack connection table (the table of active connections) from overflowing.
The following commands have been added to the command-line interface (CLI):
ip conntrack max-entries {max-entries} — set the size of the conntrack table.
ip conntrack lockout disable — turn off conntrack table protection (enabled by default).
ip conntrack lockout threshold public {public} — set the maximum number of connections from public interfaces (percentage of the conntrack table size, from 50 to 99, default value is 80).
ip conntrack lockout duration {duration} — set the lockout duration in seconds (from 60 to 3600, default value is 600).
ip conntrack sweep threshold {threshold} — set the threshold for starting to clear pending sessions (percentage of the conntrack table size, from 50 to 99, default value is 70).
show ip conntrack lockout — view the lockout status.
Important
The commands mentioned in this article are intended for experienced users.
Each device has its own default settings, which are determined by its performance and hardware capabilities. It is recommended to keep the manufacturer's default settings and instead limit the number of sessions on any client device that creates a large number of them. Use the commands listed with caution, as incorrect settings can potentially lead to device instability.
By default, conntrack connection table protection is enabled on the device.
When the table is 80% full (the default value), overflow protection is triggered and messages such as the following appear in the device log:
nf_conntrack: lockout threshold reached (16384), public connections locked for 600 s
Typically, gigabit models have a table size of 16384 entries, while higher-end models have 32768 entries. Accordingly, the 80% lockout threshold corresponds to roughly 13,000 and 26,000 entries respectively.
If you see messages in your device's log about the conntrack connection table being full or overflow protection kicking in, it may indicate malware (a Trojan) on a host in your local network, or a DDoS attack from the Internet (if your device has a public WAN IP address).
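As an added example (not part of this article or of Keenetic's software), the following Python helper does two things a practitioner checking such a log would want: it picks the nf_conntrack lockout message out of an exported log and extracts the reported figures, and it turns a table size plus the CLI percentages listed above into the absolute entry counts at which the lockout and the pending-session sweep trigger, rejecting values outside the documented ranges. It assumes the value in parentheses in the log message is the entry count reported at lockout time; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Kernel message format shown in the article. The value in parentheses is
# taken here (assumption) as the entry count reported when the lockout fired.
LOCKOUT_RE = re.compile(
    r"nf_conntrack: lockout threshold reached \((\d+)\), "
    r"public connections locked for (\d+) s"
)

@dataclass
class LockoutEvent:
    entries: int     # value reported in parentheses
    duration_s: int  # lockout duration announced in the message

def parse_lockout_events(log_lines):
    """Return one LockoutEvent per log line carrying the lockout message."""
    events = []
    for line in log_lines:
        m = LOCKOUT_RE.search(line)
        if m:
            events.append(LockoutEvent(int(m.group(1)), int(m.group(2))))
    return events

def conntrack_limits(max_entries, lockout_pct=80, sweep_pct=70, duration_s=600):
    """Check the CLI ranges given in the article and return the absolute entry
    counts at which the lockout and the pending-session sweep would trigger."""
    if not 50 <= lockout_pct <= 99:
        raise ValueError("lockout threshold public must be 50..99 (percent)")
    if not 50 <= sweep_pct <= 99:
        raise ValueError("sweep threshold must be 50..99 (percent)")
    if not 60 <= duration_s <= 3600:
        raise ValueError("lockout duration must be 60..3600 (seconds)")
    return {
        "lockout_entries": max_entries * lockout_pct // 100,
        "sweep_entries": max_entries * sweep_pct // 100,
        "duration_s": duration_s,
    }

# Constructed sample log excerpt (not from a real device): one unrelated line
# followed by the lockout message quoted in the article.
SAMPLE_LOG = [
    "kernel: eth0: link up",
    "nf_conntrack: lockout threshold reached (16384), public connections locked for 600 s",
]

if __name__ == "__main__":
    for ev in parse_lockout_events(SAMPLE_LOG):
        print(f"lockout seen: {ev.entries} entries, public locked for {ev.duration_s} s")
    print(conntrack_limits(16384))  # lockout at 13107, sweep at 11468 entries
```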