Hi,
Any ideas of the date for the 72 Core CCR and how many 10Gb/s interfaces full wirespeed?
Thanks
Tony
Would it help to disable conntrack on border (BGP speaking) routers? How are the results in the field? Anyone tried?
Very simple light DDoS attacks drop any Mikrotik router if conn tracking is on with a few firewall and NAT rules currently.
I don't think it will change with the 72 core router anyway.
What other firewall rules are you running and are you fasttracking the connections?
Getting a DDoS attack on my new 72 Core CCR. I already implemented the rule below and it still kills my router. I have a 10G backbone and when it hits 3gig of DDoS it dies on me. Also, when I call my provider, it never reaches 10Gig. Any idea what to do? Or just get a better router?
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
Ok, so the performance you are getting is exactly on par with what Mikrotik advertises.
Yes, I do have other firewall rules, but only blocking ports and access list. As to fasttracking connections, how do I set that up? I will also ask my provider for the BGP info.
I would remove all firewall rules entirely and disable connection tracking, as this will enable Fastpath on the router automatically (you can confirm by going to IP => Settings).
Thanks, I will try this. I do have like 60 firewall rules; should I leave only the DDoser and DDosed rule in place?
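
A simplified model of the block-ddos rules posted earlier in the thread, showing which new connections end up forwarded or dropped and which addresses land in the ddoser and ddosed lists. This is an added example, not code from the thread or from MikroTik; the token bucket is an approximation of dst-limit, and the addresses and traffic are constructed.

```python
from collections import defaultdict

# Values taken from the posted rule: dst-limit=50,50,src-and-dst-addresses/10s
RATE, BURST, EXPIRE = 50.0, 50.0, 10.0
LIST_TIMEOUT = 600.0  # address-list-timeout=10m

def simulate(events):
    """events: time-sorted (t_seconds, src, dst) new-connection attempts.
    Returns (per-source counters, ddoser list, ddosed list)."""
    buckets = {}                 # (src, dst) -> [tokens, last_seen]
    ddoser, ddosed = {}, {}      # address -> list-entry expiry time
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for t, src, dst in events:
        # Jump rule + block-ddos chain: token bucket per src/dst pair (assumed model).
        b = buckets.get((src, dst))
        if b is None or t - b[1] > EXPIRE:
            b = buckets[(src, dst)] = [BURST, t]
        b[0] = min(BURST, b[0] + (t - b[1]) * RATE)
        b[1] = t
        if b[0] >= 1.0:
            b[0] -= 1.0          # within limit: action=return
        else:                    # over limit: both add-to-address-list rules fire
            ddosed[dst] = t + LIST_TIMEOUT
            ddoser[src] = t + LIST_TIMEOUT
        # Drop rule: matches only when source AND destination are both listed.
        if ddoser.get(src, 0) > t and ddosed.get(dst, 0) > t:
            stats[src]["dropped"] += 1
        else:
            stats[src]["forwarded"] += 1
    return dict(stats), set(ddoser), set(ddosed)

def constructed_traffic():
    """Constructed sample: one source at 256 new conn/s, one client at 4/s,
    both to the same destination, for 2 seconds (documentation addresses)."""
    flood = [(i / 256, "198.51.100.7", "203.0.113.10") for i in range(512)]
    client = [(i / 4, "192.0.2.20", "203.0.113.10") for i in range(8)]
    return sorted(flood + client)

if __name__ == "__main__":
    stats, ddoser, ddosed = simulate(constructed_traffic())
    for src, s in stats.items():
        print(src, s)
    print("ddoser:", ddoser, "ddosed:", ddosed)
```

In this model every new connection is still evaluated against the per-pair bucket and the address lists before it is dropped, so the rules decide what gets forwarded but do not remove the per-packet work on the router.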