hi people,
I have met a new attack type, which is basically a UDP flooding system which arrives from spoofed IPs, can saturate the MikroTik and cause all services to go down.
Is there a way to prevent this on mikrotik?
thank you.
kursad
Are you dropping or rejecting these packets? If you reject, you will be sending one packet back out for every packet in, which causes major problems.
Is this flood saturating the bandwidth available? If so, there is nothing you can do about it except identify the traffic and have your upstream filter what they can.
Sam
how is your network set up? could this be internal? your post is very vague
sorry to be very short in explanation
my config is
internet → mikrotik → server(s)
mikrotik behaves as a router, does dstnat+masq for the servers
i have filter rules on the firewall like, for more than 10 concurrent connections, but that's only effective for TCP connections.
for UDP i applied also drop rules for the input, but that does not drop the traffic.
I have investigated the flood; this is sample Perl code as an example of the flood:
use IO::Socket::INET;
use Socket;   # inet_aton, sockaddr_in, PF_INET, SOCK_DGRAM

while (1) {
    my $remote = "10.0.0.103";
    my $port = "80";
    my $ipaddr = inet_aton($remote);
    my $portaddr = sockaddr_in($port, $ipaddr);
    # a new UDP socket is opened for every single packet
    socket(SOCKET, PF_INET, SOCK_DGRAM, getprotobyname("udp")) or die "socket: $!";
    my $MSG = "1234567901234567890";
    #print "sent $MSG";
    send(SOCKET, $MSG, 0, $portaddr) == length($MSG) or print STDERR "chat server, cannot comm between servers";
    close SOCKET;
}
which automatically sends UDP packets; on a 100 Mb network this saturates 256K. The code is simple; think of a threaded application, it can saturate the 100 Mb network.
but the main issue is not the bandwidth, it's the CPU load on MikroTik; in such an attack CPU load increases to 33-100%.
I have found a way to block also from the bridge level, i am investigating to automatically block from MAC address.
any suggestions?
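As an added example (not kursad's or Sam's configuration, and not from the original thread), the RouterOS rules below put Sam's drop-versus-reject point and the UDP handling discussed above into a firewall config. Assumptions: the WAN interface is named ether1, the servers behind the router only publish TCP/80 (port 80 and the flood target are taken from the sample script), and the `/ip firewall raw` section needs RouterOS 6.36 or later; adjust the port list and interface name to your own setup.

```routeros
# Added example; not the thread's own configuration. Assumes WAN is ether1
# and the servers only publish TCP/80 (change to your real port list).

/ip firewall filter
# WRONG for a spoofed flood: every rejected packet generates an ICMP reply,
# so the router does twice the work and answers hosts that never sent anything.
# add chain=input protocol=udp action=reject reject-with=icmp-port-unreachable

# Drop silently instead: no reply traffic, no one-for-one amplification.
# Put accept rules for UDP services the router itself must answer (e.g. DNS
# for the LAN) above this rule.
add chain=input protocol=udp connection-state=new action=drop \
    comment="drop unsolicited UDP to the router itself"

# UDP to the web servers' port 80 is never legitimate, so drop it in the
# forward chain instead of letting it be dstnat'ed and tracked as a new connection.
add chain=forward protocol=udp dst-port=80 action=drop \
    comment="web servers speak TCP/80 only"

# The per-source TCP limit mentioned in the thread (TCP only, as noted).
add chain=forward protocol=tcp connection-limit=10,32 action=drop \
    comment="more than 10 concurrent TCP connections from one /32"

# RouterOS 6.36+ only: the raw table runs before connection tracking, so
# dropping here spares the CPU the conntrack entry each spoofed packet would create.
/ip firewall raw
add chain=prerouting in-interface=ether1 protocol=udp dst-port=80 action=drop \
    comment="early drop of UDP/80 flood on the WAN side"
```

Two points behind the layout: input-chain rules only see packets addressed to the router itself, while packets dstnat'ed to the servers traverse the forward chain, which is one reason an input drop can appear to do nothing against this flood; and because the source addresses are spoofed and random, address-list blocking by source (or by MAC, which is always the upstream router's) cannot keep up, so the rules match on what the flood cannot change, the protocol and destination port. Bandwidth saturation of the uplink is outside the router's control either way and has to be filtered upstream, as Sam says.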
hi,
found the solution: put another filtering box in front of the MikroTik, as feedback,
kindly
k