Instability under ddos attack

Posted: Wed Aug 28, 2013 8:35 pm
by Semir
Hi,

I experienced router restart under DDOS attack for the second time.

Also once when the network was under attack (1Gbit+), it switched its ports off and on.

Is there a cause/solution for this?

Thank you!
Bests,
Semir

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 1:34 pm
by normis
This is why it is called an "attack". What kind of device is this router?

There are many approaches to limiting effect from a DDoS attack: https://www.google.com/search?q=DDOS&si ... 8&oe=utf-8

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 1:36 pm
by Semir
Hi,
thank you for your response.

You misunderstand something. The router rebooted because of the watchdog timer.

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 1:38 pm
by normis
Yes, and watchdog was triggered by instability of router, which is caused by the attack. This is the result of the attack, and lack of protective measures.

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 1:58 pm
by Semir
Sorry, I'm not getting your point.
Why should it be unstable under an attack?

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 2:00 pm
by Semir
Also please find my current firewall below:

add action=drop chain=forward comment="IP Spoofing protection" in-interface=InetIn src-address=84.xx.xx.xx/24
add action=drop chain=input comment="Drop Incoming DNS req" dst-port=53 in-interface=InetIn protocol=udp
add action=drop chain=input dst-port=53 in-interface=InetIn protocol=tcp
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid protocol=tcp
add action=jump chain=forward comment="SSH brute force protection" connection-state=new dst-port=22 in-interface=InetIn \
jump-target=SSH_Protection protocol=tcp src-address=!6x.xx.xx.xx
add action=drop chain=SSH_Protection src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12m chain=SSH_Protection src-address-list=\
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1s chain=SSH_Protection
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10s chain=SSH_Protection src-address-list=\
ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10s chain=SSH_Protection src-address-list=\
ssh_stage2
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=\
syn,!ack
add action=return chain=SYN-Protect connection-state=new dst-limit=1000,1000,dst-address protocol=tcp tcp-flags=syn,!ack
add action=drop chain=SYN-Protect src-address-list=synner
add action=add-src-to-address-list address-list=synner address-list-timeout=10m chain=SYN-Protect
add action=drop chain=forward dst-address-list=udp_flooded
add action=drop chain=forward src-address-list=udp_flooder
add action=jump chain=forward comment="UDP Flood Protection" connection-state=new jump-target=udp_flood protocol=udp
add action=return chain=udp_flood dst-limit=2000,2000,src-and-dst-addresses
add action=add-src-to-address-list address-list=udp_flooder address-list-timeout=10m chain=udp_flood
add action=add-dst-to-address-list address-list=udp_flooded address-list-timeout=1d chain=udp_flood
add action=jump chain=forward comment="Ping Flood Protection" jump-target="Ping Flood Protection" protocol=icmp
add action=return chain="Ping Flood Protection" dst-limit=200,200,src-and-dst-addresses protocol=icmp
add action=drop chain="Ping Flood Protection" protocol=icmp src-address-list=ping_floodders
add action=add-src-to-address-list address-list=ping_floodders address-list-timeout=10m chain="Ping Flood Protection"
add action=add-dst-to-address-list address-list=synflooded chain=SYN-Protect
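
The SYN-Protect rules from the post above, traced in a small Python model (an added example, not part of the thread and not RouterOS code). It assumes dst-limit=1000,1000,dst-address acts as a token bucket per destination; the traffic, the addresses and the function names are constructed for illustration.

```python
# Added example: simplified model of the SYN-Protect chain from the post above.
# Assumption: dst-limit=1000,1000,dst-address behaves as a token bucket per
# destination (1 token per millisecond, burst 1000). Not RouterOS code.
from collections import defaultdict

BURST = 1000                 # second value of dst-limit
REFILL_PER_MS = 1            # 1000 packets per second
SYNNER_TIMEOUT_MS = 600_000  # address-list-timeout=10m


def run_syn_protect(packets):
    """packets: (time_ms, src, dst) tuples for new TCP SYNs, sorted by time."""
    buckets = defaultdict(lambda: [BURST, 0])  # dst -> [tokens, last refill ms]
    synner = {}                                # src -> expiry ms, oldest first
    stats = {"returned": 0, "dropped": 0, "listed_then_passed": 0, "peak_list": 0}
    for now, src, dst in packets:
        bucket = buckets[dst]
        bucket[0] = min(BURST, bucket[0] + (now - bucket[1]) * REFILL_PER_MS)
        bucket[1] = now
        # Expire old list entries; insertion order equals expiry order here.
        while synner and next(iter(synner.values())) <= now:
            del synner[next(iter(synner))]
        if bucket[0] >= 1:            # action=return dst-limit=...
            bucket[0] -= 1
            stats["returned"] += 1
        elif src in synner:           # action=drop src-address-list=synner
            stats["dropped"] += 1
        else:                         # action=add-src-to-address-list, packet continues
            synner[src] = now + SYNNER_TIMEOUT_MS
            stats["listed_then_passed"] += 1
            stats["peak_list"] = max(stats["peak_list"], len(synner))
    return stats


def constructed_syns(n, source_pool, dst="198.51.100.10", per_ms=4):
    """Constructed sample traffic: n SYNs to one destination, 4 per millisecond."""
    return [(i // per_ms, f"src-{i % source_pool}", dst) for i in range(n)]


if __name__ == "__main__":
    for pool in (1, 8000):
        print(pool, run_syn_protect(constructed_syns(8000, pool)))
```

With one repeating source, everything over the limit is dropped after the first listing. When every SYN carries a different source address, the drop rule never matches and the synner list gains one entry per over-limit packet.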

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 2:05 pm
by normis
What kind of hardware is it?

A DDoS attack will fill your router resources, so your router will have problems processing legitimate traffic. It should not be rebooted. Maybe you have a hardware problem after all.

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 2:08 pm
by Semir
It's a CCR1036-12G-4S
With the current ruleset the CPU load is around 25-30% @1Gbit DDOS.

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 2:17 pm
by normis
Do you use RouterOS v6.2 or v6.3?

Re: Instability under ddos attack

Posted: Thu Aug 29, 2013 2:29 pm
by Semir
It updated itself to 6.2 and now says it is up-to-date.

I did not even know there is a 6.3 and cannot find it either.

Re: Instability under ddos attack

Posted: Fri Aug 30, 2013 10:40 am
by Semir
Which is the most stable version?

Re: Instability under ddos attack

Posted: Fri Aug 30, 2013 11:52 am
by normis
v6.2 should be much better under DDoS attack. v6.3 will be released today or next week, test version is available upon request

Re: Instability under ddos attack

Posted: Sat Aug 31, 2013 2:09 pm
by Semir
Nope, thanks, I need the most stable one.

Re: Instability under ddos attack

Posted: Sat Aug 31, 2013 2:26 pm
by Semir
aug/31/2013 12:23:35 system,error,critical router was rebooted without proper shutdown, probably kernel failure

happened again.
exact scenario:
-- receiving ddos on ipv6 (not huge, ~300-400Mbit)
-- editing firewall settings
crash.

Re: Instability under ddos attack

Posted: Sat Aug 31, 2013 3:14 pm
by Semir
Hi,
new exp:

the tools/profile shows 90% idle, while system/resources show 100% load.

http://kepfeltoltes.hu/130831/resources ... es.hu_.png

even though the traffic was the same as minutes ago, but then the load was 35%.

Any ideas?
Thank you!

Re: Instability under ddos attack

Posted: Sat Aug 31, 2013 5:53 pm
by Semir
Turned off watchdog timer.
Router restarted.
(Which is good, too, as a brick would be worse.)
Nothing in the logs.
I just see all the counters reset.

Re: Instability under ddos attack

Posted: Mon Sep 02, 2013 12:47 pm
by normis
We will release v6.3 today or tomorrow, only an SSTP issue is remaining, so you can safely try it.
If your issue was not fixed by upgrading to v6.2, please email support@mikrotik.com with your supout.rif file, and we will see why this happens.

Re: Instability under ddos attack

Posted: Fri Sep 06, 2013 10:19 pm
by Semir
Sorry, almost forgot to Thank You!

Re: Instability under ddos attack

Posted: Sat Sep 07, 2013 3:15 pm
by infused
bumping. Keen to know the outcome of this.

Re: Instability under ddos attack

Posted: Sat Sep 07, 2013 5:10 pm
by Semir
As I saw, 6.3 did have some update on gbit links, but I'm still waiting for feedback on 6.3 issues/stability.

Also I found that 500-700Mbit IPv6 DDOS traffic loads the cores to 100% (with 2 FW rules only), so ipv6 ddos above 700Mbit may have triggered the watchdog.
But this does not answer the cases when ports flipped or router was rebooted under an ipv4 ddos.

I had sent away problematic clients already, so I hope I won't be able to do further investigations in ddos attacks XD

Re: Instability under ddos attack

Posted: Fri Nov 08, 2013 8:49 pm
by Semir
Router stable with CPU freq set to 600MHz.
Mikrotik support told me to return it to them.
...

Ofc, no replacement device supplied.

Re: Instability under ddos attack

Posted: Mon Nov 11, 2013 1:26 pm
by normis
> Router stable with CPU freq set to 600MHz.
> Mikrotik support told me to return it to them.
> ...
>
> Ofc, no replacement device supplied.

To clarify, you were asked to return it to the distributor, not MikroTik. The Distributor then could give you a replacement unit, depending on where you bought it.

Re: Instability under ddos attack

Posted: Tue Nov 12, 2013 11:56 am
by Semir
> > Router stable with CPU freq set to 600MHz.
> > Mikrotik support told me to return it to them.
> > ...
> >
> > Ofc, no replacement device supplied.
>
> To clarify, you were asked to return it to the distributor, not MikroTik. The Distributor then could give you a replacement unit, depending on where you bought it.

What does this clarify?
It goes back to MikroTik and no one gives any replacement units.
The fact that it goes through the distributor does not change anything.

Re: Instability under ddos attack

Posted: Tue Nov 12, 2013 12:00 pm
by normis
> > > Router stable with CPU freq set to 600MHz.
> > > Mikrotik support told me to return it to them.
> > > ...
> > >
> > > Ofc, no replacement device supplied.
> >
> > To clarify, you were asked to return it to the distributor, not MikroTik. The Distributor then could give you a replacement unit, depending on where you bought it.
>
> What does this clarify?
> It goes back to MikroTik and no one gives any replacement units.
> The fact that it goes through the distributor does not change anything.

MikroTik does provide a free compensation program with immediate replacement if the unit is faulty. It is up to your distributor to provide you a loan unit. Please understand that we are located in another country, we can't easily loan you a replacement unit while distributor is repairing or replacing it with us.

Re: Instability under ddos attack

Posted: Mon Nov 18, 2013 2:49 pm
by Semir
> MikroTik does provide a free compensation program with immediate replacement if the unit is faulty. It is up to your distributor to provide you a loan unit. Please understand that we are located in another country, we can't easily loan you a replacement unit while distributor is repairing or replacing it with us.

Mikrotik contacted the distributor which was quite nice of them.
I understand that the distributor's attitude is not MikroTik's responsibility.
They offered a replacement but only after they received the device, which would be a stalemate again :)
However, it is no longer an issue, I just could not yet replace it with my backup device. At least it showed the necessity for a hot spare...