A DoS attack on the TCP Listener

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

A DoS attack on the TCP Listener

Post by maltyx » Mon Feb 06, 2017 12:17 pm

Today I found some strange behavior of our SoftEther VPN server: some of our remote clients stopped connecting to the server, and after reading the server's log I found some errors that come from IPs that our remote VPN clients should connect from. The error is "A DoS attack on the TCP Listener (port 443) has been detected", followed by the IP from the client network.

After disabling "bool DisableDos" (set to false), those clients successfully connected to the server ...
So now I have a dilemma: having DDoS protection OFF is not such a good idea, but having remote clients able to connect is more important.

Now the question: is there a way to enable DDoS protection on a Listener and also manage a white list of public IPs (that remote clients should connect from)?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: A DoS attack on the TCP Listener

Post by moatazelmasry » Mon Feb 06, 2017 2:11 pm

It depends on how many clients you are serving. Apparently SE is programmed to recognize many simultaneous TCP connections as DoS.

See:
https://www.softether.org/4-docs/1-manu ... n_Protocol

"If you are about to conduct VPN communications by establishing 2 or more TCP/IP connections, you can specify how many seconds must pass after the immediately preceding TCP/IP connection has been established before another can be established, beginning with the second one. The default setting is 1 second. This can be set to longer than 1 second.
Normally you do not have to change this number (1 sec). However, when you are trying to establish a large number of TCP/IP connections (such as 32 connections) continuously, this may cause some physical or IP network problem with the default setting (1 sec). The firewall or IDS may mistake these connections for a "DoS attack" or "physical attack". So if you are about to establish a large number of TCP/IP connections continuously, try using this manual setting to set a longer interval than 1 second."

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: A DoS attack on the TCP Listener

Post by maltyx » Mon Feb 06, 2017 7:31 pm

Well, I think that some number of simultaneous VPN connections could trigger third-party IDS software on a DoS-patterned attack... but I am talking about incoming VPN client connections being flagged as a DDoS attack BY the SoftEther VPN server itself .. which should be "prepared" for such a number of incoming connections .. shouldn't it?

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: A DoS attack on the TCP Listener

Post by moatazelmasry » Mon Feb 06, 2017 9:17 pm

tbh I'm not very familiar with that part of the code base, so I can't really tell how SE determines what is DoS and what is innocent traffic.

Could you still try this solution out, for fun, and see whether it helps?

Out of curiosity, how many clients usually connect simultaneously?

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: A DoS attack on the TCP Listener

Post by maltyx » Tue Feb 07, 2017 6:42 am

There are about 10 simultaneous remote clients that tried to connect yesterday (some of them from the same source IP, which is the reason for the DDoS triggering, I believe) ..
After disabling automatic DDoS protection on the VPN server, those clients connected successfully .. so I am not looking for an instant solution, but for a kind of hardening of the system (white listing for remote clients while keeping automatic DDoS protection enabled on the SoftEther VPN server).

http://www.softether.org/4-docs/1-manua ... nistration

When the VPN Server tries to process a large amount of incoming TCP/IP connection requests, a large amount of system resources are required. That is why the VPN Server is designed to detect when a SYN packet responsible for sending requests from an identical source arrives at a listener port and discards that connection immediately before processing to receive it begins. This is the VPN Server's automatic defense function for dealing with DoS attacks. This function is enabled in default mode.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: A DoS attack on the TCP Listener

Post by moatazelmasry » Tue Feb 07, 2017 9:25 am

As far as I can tell from the source code and the configuration, there is no "whitelisting" of IPs regarding DoS.

Personally I think it is a healthy thing to detect a DoS when 10 clients are initiating a connection from the same IP.

For now, my suggestion would be to increase the time between connections as described in the first link I posted.

Also, you can create an issue on GitHub requesting the addition of a "whitelisting" feature.

Cheers
Moataz

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: A DoS attack on the TCP Listener

Post by maltyx » Tue Feb 07, 2017 11:03 am

Well, I also haven't found such an option in the configuration ...
By the way, those clients did not try to connect from the same IP, but from the same public IP subnet (IPs from one /24 subnet) ..
Thank you for the advice, I will open a ticket on the project's GitHub :)
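To see which of these detections actually come from known client networks (the /24 described above) versus unknown sources, the following script parses the "A DoS attack on the TCP Listener" lines out of a server log and splits them by an operator-maintained allowlist. It is an added example by the editor, not SoftEther's own code: the full log line layout (timestamp, "source IP address is ...") and the 198.51.100.0/24 client network are assumptions, and only the quoted message fragment is taken from the thread.

```python
"""Triage SoftEther "A DoS attack on the TCP Listener" events against an allowlist.

Added example, not SoftEther code. The log lines are constructed: they reuse the
message fragment quoted in the thread, but the surrounding format (timestamp,
"source IP address is ...") is an assumption about the real server log.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of a SoftEther server log (not a real capture).
SAMPLE_LOG = """\
2017-02-06 09:12:01.105 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 198.51.100.17, port number is 50211. This connection will be forcefully disconnected.
2017-02-06 09:12:01.331 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 198.51.100.23, port number is 50212. This connection will be forcefully disconnected.
2017-02-06 09:12:01.340 Connection "CID-12" has been terminated.
2017-02-06 09:12:02.018 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 198.51.100.23, port number is 50213. This connection will be forcefully disconnected.
2017-02-06 09:12:02.402 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 198.51.100.40, port number is 50214. This connection will be forcefully disconnected.
2017-02-06 09:15:44.777 A DoS attack on the TCP Listener (port 443) has been detected. The connecting source IP address is 203.0.113.9, port number is 41022. This connection will be forcefully disconnected.
"""

# Networks the remote clients are known to connect from (assumed for the example).
KNOWN_CLIENT_NETS = ["198.51.100.0/24"]

DOS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"A DoS attack on the TCP Listener \(port (?P<port>\d+)\) has been detected\."
    r".*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_dos_events(log_text):
    """Return one dict per DoS-detection line; every other log line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = DOS_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "port": int(m["port"]), "ip": m["ip"]})
    return events


def triage(events, allowlist_cidrs):
    """Count detections per source IP and per /24, split by allowlist membership.

    The manual text quoted in the thread says the server keys its detection on
    an identical source address; counting per /24 as well makes a burst of
    distinct hosts from one customer network show up as a single cluster.
    """
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    result = {
        "by_ip": Counter(),
        "by_subnet": Counter(),
        "allowlisted": Counter(),  # hits from known client nets: likely false positives
        "unknown": Counter(),      # hits from anywhere else: treat as real until shown otherwise
    }
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        result["by_ip"][str(ip)] += 1
        result["by_subnet"][str(subnet)] += 1
        bucket = "allowlisted" if any(ip in n for n in nets) else "unknown"
        result[bucket][str(ip)] += 1
    return result


def report(log_text=SAMPLE_LOG, allowlist_cidrs=KNOWN_CLIENT_NETS):
    """Parse and triage a log; returns the summary dict used by the printout below."""
    return triage(parse_dos_events(log_text), allowlist_cidrs)


if __name__ == "__main__":
    s = report()
    for subnet, n in s["by_subnet"].most_common():
        print(f"{subnet:<20} {n} detection(s)")
    print("allowlisted sources:", dict(s["allowlisted"]))
    print("unknown sources:    ", dict(s["unknown"]))
```

Run against the real server log, the "allowlisted" bucket is the list of legitimate clients the server is refusing, and the "unknown" bucket is what the detection is there for. Since the server itself offers no allowlist for this check (as noted in the reply above), the allowlisted networks are the candidates for handling outside the server, for example by exempting them from any rate limiting done on the host firewall while leaving the server's own check in place for everyone else.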

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: A DoS attack on the TCP Listener

Post by thisjun » Thu Feb 23, 2017 6:43 am

Anyway, SoftEther doesn't have a DDoS protection function. If you need it, you have to provide it another way.

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: A DoS attack on the TCP Listener

Post by maltyx » Tue Mar 21, 2017 1:21 pm

Well, there is some basic DDoS checker that is toggled by "bool DisableDos/EnableDos", because after disabling that key in the server's config my clients could connect without being banned by the server..
