SoKaR
newbie
Topic Author
Posts: 47
Joined: Fri Dec 03, 2010 11:15 pm

Need Help with Incoming Bursts!

Sat Jul 20, 2013 12:42 pm

Hello together,

For a few weeks now I have been seeing irregular incoming bursts, but I don't know how to handle them better. Maybe someone could help me with that problem?

Here are the filters I've set up till now:
 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Allow Input AccessList
     chain=input action=accept src-address-list=AccessList 

 1   ;;; Allow AccessList to RFC1918
     chain=forward action=accept src-address-list=AccessList dst-address-list=rfc1918 

 2   ;;; Drop ext. DNS Query
     chain=input action=drop protocol=udp in-interface=Backbone-Port1 dst-port=53 

 3   ;;; Log all prot. Bursts
     chain=input action=log connection-limit=3,32 log-prefix="BURST BLOCK" 

 4   ;;; Slow Down Blacklist
     chain=input action=tarpit protocol=tcp src-address-list=blocked-addr connection-limit=3,32 

 5   ;;; Drop all prot. Blacklist
     chain=input action=drop src-address-list=blocked-addr connection-limit=3,32 

 6   ;;; Blacklist Bursts
     chain=input action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d connection-limit=3,32 

 7   ;;; SYN Flood protect
     chain=input action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp 

 8   chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=10,5 

 9   chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp 

10 X ;;; Log RFC1918
     chain=forward action=log src-address-list=!rfc1918 dst-address-list=rfc1918 log-prefix="DROP RFC1918" 

11   ;;; Drop RFC1918
     chain=forward action=drop src-address-list=!rfc1918 dst-address-list=rfc1918 
[attachment: Burst.png]

How can I throttle these bursts?
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Need Help with Incoming Bursts!

Sat Jul 20, 2013 3:09 pm

Are these bursts legitimate traffic or is it an attack? What kind of traffic is it? Is it some kind of DoS or DDoS?
 
SoKaR
newbie
Topic Author
Posts: 47
Joined: Fri Dec 03, 2010 11:15 pm

Re: Need Help with Incoming Bursts!

Sat Jul 20, 2013 3:13 pm

These bursts are some kind of attack. If I knew which kind of packets are being sent, I could stop that :-/ I don't know how to track this. It looks like a DDoS, yes ... Any ideas how I can stop that or find out which protocols these are?
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Need Help with Incoming Bursts!

Sat Jul 20, 2013 3:34 pm

To give a useful suggestion on how to mitigate these attacks it's necessary to know what's going on.

Have a look at the Torch tool, which might be helpful to gain more information:

http://wiki.mikrotik.com/wiki/Manual:Tr ... l_torch.29
 
SoKaR
newbie
Topic Author
Posts: 47
Joined: Fri Dec 03, 2010 11:15 pm

Re: Need Help with Incoming Bursts!

Sat Jul 20, 2013 3:39 pm

Thanks for the advice, but you will understand I can't sit 24 hours in front of the Torch tool. We also have more than 60k connections/second from our customers, so the Torch tool hangs up many times.
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Need Help with Incoming Bursts!

Sat Jul 20, 2013 4:30 pm

OK, I have to admit that the load on that link and Torch might be a problem ... This is something you might want to test beforehand in a lab. You can use the bandwidth monitor tool to send out an email once you are facing a burst and jump in to investigate. If the router/Torch is not powerful enough I suggest a powerful server + Linux + bridge of 2 Gbit interfaces + all the nice tools to investigate you have on Linux ... You can put it transparently in front of your router's backbone port.
I did that in the past: in a datacenter we had 1 server just for that purpose, and it's even possible to put it transparently in between without re-cabling (just by changing the VLAN config on the switch).
 
SoKaR
newbie
Topic Author
Posts: 47
Joined: Fri Dec 03, 2010 11:15 pm

Re: Need Help with Incoming Bursts!

Sun Jul 21, 2013 1:00 am

Sounds good, but I would prefer another option if possible. What filter rules could I add to "track" these massive bursts?
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Need Help with Incoming Bursts!

Sun Jul 21, 2013 10:36 am

You could add some filter rules for different ports/protocols just with the accept action and then monitor the hit counters. It's difficult to say which rules exactly are the best ones, as we don't know what we are looking for. It might be enough to see in which direction you need to investigate further, but tools like iftop or Torch give you more real-time information and you can jump between different "views": who's the top talker? Which protocol makes the most traffic? ...
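As an added example (not from this thread and not MikroTik's own tooling): a small Python script that does offline what the counters and Torch do live, by reading the lines that a rule like the topic author's rule 3 (action=log, log-prefix="BURST BLOCK") already writes to the router log, and reporting the top source addresses, the top protocol/port pairs, and the seconds in which hits cluster. The line layout and every address, MAC and timestamp in the embedded sample are assumptions modelled on the RouterOS firewall log format, not real data from the thread.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: modelled on the RouterOS firewall log
# format "<prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <PROTO>
# (<details>), <src>:<sport>-><dst>:<dport>, len <n>").  Addresses, MACs and
# timestamps are made up for this example; the last line is unrelated noise.
SAMPLE_LOG = """\
jul/20 12:40:01 firewall,info BURST BLOCK input: in:Backbone-Port1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.7:51234->203.0.113.1:80, len 60
jul/20 12:40:01 firewall,info BURST BLOCK input: in:Backbone-Port1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.7:51235->203.0.113.1:80, len 60
jul/20 12:40:02 firewall,info BURST BLOCK input: in:Backbone-Port1 out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.9:4444->203.0.113.1:53, len 1472
jul/20 12:40:02 firewall,info BURST BLOCK input: in:Backbone-Port1 out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.9:4445->203.0.113.1:53, len 1472
jul/20 12:40:02 firewall,info BURST BLOCK input: in:Backbone-Port1 out:(none), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.9:4446->203.0.113.1:53, len 1472
jul/20 12:40:03 firewall,info BURST BLOCK input: in:Backbone-Port1 out:(none), src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 198.51.100.20->203.0.113.1, len 84
jul/20 12:40:03 system,info some unrelated log line
"""

# Leading timestamp as written by the router's log view (assumed layout).
TS_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d:\d\d) ")

# One logged packet.  src-mac is optional (not present on every interface
# type); ports are optional because ICMP lines carry none.
LOG_RE = re.compile(
    r"BURST BLOCK (?P<chain>\w+): in:(?P<iface>\S+) out:\S+, "
    r"(?:src-mac \S+, )?"
    r"proto (?P<proto>[A-Z]+)(?: \((?P<info>[^)]*)\))?, "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)


def parse_line(line):
    """Return a dict for one logged packet, or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    d = m.groupdict()
    return {
        "ts": ts.group("ts") if ts else None,
        "chain": d["chain"],
        "iface": d["iface"],
        "proto": d["proto"],
        "info": d["info"] or "",          # e.g. "SYN" or "type 8, code 0"
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "len": int(d["len"]),
    }


def summarize(log_text):
    """Count logged packets and bytes per (proto, dst-port), per source and per second."""
    summary = {
        "parsed": 0,
        "by_service": Counter(),        # (proto, dport) -> packets
        "bytes_by_service": Counter(),  # (proto, dport) -> bytes (from "len")
        "by_src": Counter(),            # source address -> packets
        "per_second": Counter(),        # timestamp -> packets
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary["parsed"] += 1
        service = (rec["proto"], rec["dport"])
        summary["by_service"][service] += 1
        summary["bytes_by_service"][service] += rec["len"]
        summary["by_src"][rec["src"]] += 1
        summary["per_second"][rec["ts"]] += 1
    return summary


def top_services(summary, n=5):
    """Protocol/port pairs with the most logged packets ("which protocol is it?")."""
    return summary["by_service"].most_common(n)


def top_talkers(summary, n=5):
    """Source addresses with the most logged packets ("who is the top talker?")."""
    return summary["by_src"].most_common(n)


def burst_seconds(summary, threshold):
    """Timestamps (one-second buckets) in which at least `threshold` packets were logged."""
    return sorted(ts for ts, c in summary["per_second"].items() if c >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("parsed lines:", s["parsed"])
    print("top services:", top_services(s))
    print("top talkers: ", top_talkers(s))
    print("burst seconds (>=3 hits):", burst_seconds(s, 3))
```

Feed it a saved copy of the router log instead of SAMPLE_LOG; the only parts worth adapting to a real setup are the two regular expressions and the log prefix. Because the rule only logs packets that exceed the connection-limit threshold, the per-second buckets show when a burst started and the service/talker tables show what it consisted of, which is exactly the information needed before deciding which protocols or sources a drop or tarpit rule should target.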
 
SoKaR
newbie
Topic Author
Posts: 47
Joined: Fri Dec 03, 2010 11:15 pm

Re: Need Help with Incoming Bursts!

Sun Jul 21, 2013 11:26 am

Thanks again ;-)
Now I believe I found the right way: http://wiki.mikrotik.com/wiki/Manual:Connection_Rate
I will test it with logging and throttling so I can get more information out of it.
