Firewall - PPS Limit

Hello,

I own a small network and I would like to change some equipment: the router and the switch. I was thinking of buying a CCR1036-8G-2S+ as the router and a CRS226-24G-2S+RM as the switch.

The router connects to the ISPs (3 ISPs) and the switch connects to the router (10 Gb link). The servers connect to the switch (1 Gb link).

I provide some hosting services (like VPS, VDS) and I have the following issue: sometimes, some of the clients that do not wish to continue with the services start to flood other networks. In general the flood (DoS) is not high in traffic volume (20-30 Mb) but very high in packets per second (like 100.000 pps).

I would like to stop those clients so they are not able to send, let's say, more than 30.000 pps to one destination (one IP). Take into account that shutting down the port is not an option, because on that port/server there are other clients.
So, it should stop traffic that is one-to-one, not one-to-many, because I have clients that are sending more than 90.000 pps and it's good traffic.

The non-legitimate traffic (high pps) should be stopped on the switch, because it has happened that one client attacked another client (same /24 subnet).

Is MikroTik hardware capable of such a configuration?

Thank you

You could use rate limiting in a firewall filter rule to detect a customer DDoSing another, then put its IP on a blacklist address list.

However, you'll have to do it on the switch, whose CPU isn't intended for high-throughput firewalling or routing, so depending on your scenario it may or may not cope with the load.

A better approach would be each customer having its own VLAN up to the CCR, then do the filtering there.
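The detection rule the reply above describes (rate-limit per source/destination pair, then put the offender on a block list) has to distinguish one-to-one floods from a source that legitimately sends a high aggregate rate spread over many destinations. The block below is an added example, not code from the thread or from MikroTik: it models that check in plain Python over constructed packet records, counting packets per (source, destination) pair in fixed one-second windows and flagging only pairs above the 30.000 pps figure from the original post. All addresses, thresholds and traffic in it are constructed; on a real router the same logic lives in the firewall filter, this just shows why the per-pair classifier matters.

```python
"""Per-(source, destination) packets-per-second detector.

Added example (not from the forum thread). Models the check the replies
describe: measure pps per source/destination pair, flag pairs above a
limit, and leave a source that spreads a high rate over many
destinations alone. Every address, threshold and record is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

PAIR_PPS_LIMIT = 30_000    # max packets/s from one source to one destination (figure from the post)
WINDOW_SECONDS = 1.0       # measurement window; pps is the count per window

Packet = Tuple[float, str, str]  # (timestamp in seconds, source IP, destination IP)


def pair_rates(packets: Iterable[Packet], window: float = WINDOW_SECONDS) -> Dict[Tuple[str, str], int]:
    """Peak packets-per-window for every (src, dst) pair seen."""
    counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for ts, src, dst in packets:
        counts[(src, dst, int(ts // window))] += 1
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for (src, dst, _), n in counts.items():
        peak[(src, dst)] = max(peak[(src, dst)], n)
    return dict(peak)


def source_rates(packets: Iterable[Packet], window: float = WINDOW_SECONDS) -> Dict[str, int]:
    """Peak aggregate packets-per-window per source, regardless of destination."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for ts, src, _ in packets:
        counts[(src, int(ts // window))] += 1
    peak: Dict[str, int] = defaultdict(int)
    for (src, _), n in counts.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def flood_pairs(packets: List[Packet], limit: int = PAIR_PPS_LIMIT) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs whose peak pps exceeds the per-pair limit, with the observed peak."""
    return {pair: n for pair, n in pair_rates(packets).items() if n > limit}


def block_list(packets: List[Packet], limit: int = PAIR_PPS_LIMIT) -> Set[str]:
    """Source addresses that would be added to the block address list."""
    return {src for (src, _dst) in flood_pairs(packets, limit)}


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic for one second (RFC 5737 documentation addresses).

    - 198.51.100.5 sends 40.000 packets to a single destination: a one-to-one flood.
    - 198.51.100.6 sends 90.000 packets spread over 254 destinations: high aggregate
      pps, but no single pair comes anywhere near the limit (about 355 pps each).
    """
    flood = [(i / 40_000, "198.51.100.5", "203.0.113.9") for i in range(40_000)]
    legit = [(i / 90_000, "198.51.100.6", f"203.0.113.{1 + i % 254}") for i in range(90_000)]
    return flood + legit


SAMPLE_TRAFFIC = build_sample_traffic()

if __name__ == "__main__":
    for (src, dst), pps in flood_pairs(SAMPLE_TRAFFIC).items():
        print(f"flood: {src} -> {dst} at {pps} pps (limit {PAIR_PPS_LIMIT})")
    for src, pps in source_rates(SAMPLE_TRAFFIC).items():
        verdict = "blocked" if src in block_list(SAMPLE_TRAFFIC) else "allowed"
        print(f"{src}: aggregate {pps} pps, {verdict}")
```

A plain per-source pps limit would have blocked 198.51.100.6 as well, which is exactly the false positive the original poster is worried about; keying the counter on the pair instead isolates the one-to-one pattern. The expire time of the block list entry and the window length are the knobs that decide how fast an offender is caught and how long it stays blocked.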

The problem is that I do not want to limit pps from my IP address to many IPs. I need to block traffic from my IP address going to only one IP address (DoS).
If I only rate-limit my IP, I could end up blocking legitimate traffic. As I said, I have clients that generate more than 90.000 pps (but to many IPs, not a single IP).

To block customers from flooding other networks, I will implement the firewall on the router and the traffic will not leave my network.
But I also need to get rid of internal floods.

VLANs are not really an option, because for each VLAN I will lose some public IPs.

Is no one aware whether MikroTik/RouterOS is able to limit packets per second (pps) per IP?

Yes, you're right, it can…
Usually I'm doing it in the bridge firewall filter…
BTW, does anyone know how many packets per second (pps) to use as a countermeasure against DDoS?

Tricky question, that will depend on what is “normal” PPS between a given IP and your internal IP.

Trying to fight DDoS this way is inefficient and time consuming, and your bandwidth gets consumed anyway; have you asked your upstream provider if they can provide you such a service?

It is better to stop those kinds of DDoS by other techniques, like blackholing via BGP.

You can use /32 addressing and not lose any IP addresses. On the router (which will be the default gateway, 192.168.12.1 in this example, for all your VLANs):

/ip address add interface=vlan45 address=192.168.12.1/32 network=192.168.12.45
/ip address add interface=vlan46 address=192.168.12.1/32 network=192.168.12.46
/ip address add interface=vlan47 address=192.168.12.1/32 network=192.168.12.47

And on the servers themselves, let’s say you’re using Linux:

ip address add 192.168.12.45/32 dev eth0
ip route add 192.168.12.1/32 dev eth0
ip route add default via 192.168.12.1

Customer-to-customer traffic will be routed rather than switched - this may or may not be desirable.