Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Instability under ddos attack

Wed Aug 28, 2013 8:35 pm

Hi,

I experienced router restart under DDOS attack for the second time.

Also once when the network was under attack (1Gbit+), it switched its ports off and on.

Is there a cause/solution for this?

Thank you!
Bests,
Semir
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Thu Aug 29, 2013 1:34 pm

This is why it is called an "attack". What kind of device is this router?

There are many approaches to limiting effect from a DDoS attack: https://www.google.com/search?q=DDOS&si ... 8&oe=utf-8
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Thu Aug 29, 2013 1:36 pm

Hi,
thank you for your response.

You misunderstand something. The router rebooted because of the watchdog timer.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Thu Aug 29, 2013 1:38 pm

Yes, and watchdog was triggered by instability of router, which is caused by the attack. This is the result of the attack, and lack of protective measures.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Thu Aug 29, 2013 1:58 pm

Sorry, I'm not getting your point.
Why should it be unstable under an attack?
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Thu Aug 29, 2013 2:00 pm

Also please find my current firewall below:

add action=drop chain=forward comment="IP Spoofing protection" in-interface=InetIn src-address=84.xx.xx.xx/24
add action=drop chain=input comment="Drop Incoming DNS req" dst-port=53 in-interface=InetIn protocol=udp
add action=drop chain=input dst-port=53 in-interface=InetIn protocol=tcp
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid protocol=tcp
add action=jump chain=forward comment="SSH brute force protection" connection-state=new dst-port=22 in-interface=InetIn \
jump-target=SSH_Protection protocol=tcp src-address=!6x.xx.xx.xx
add action=drop chain=SSH_Protection src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12m chain=SSH_Protection src-address-list=\
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1s chain=SSH_Protection
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10s chain=SSH_Protection src-address-list=\
ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10s chain=SSH_Protection src-address-list=\
ssh_stage2
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=\
syn,!ack
add action=return chain=SYN-Protect connection-state=new dst-limit=1000,1000,dst-address protocol=tcp tcp-flags=syn,!ack
add action=drop chain=SYN-Protect src-address-list=synner
add action=add-src-to-address-list address-list=synner address-list-timeout=10m chain=SYN-Protect
add action=drop chain=forward dst-address-list=udp_flooded
add action=drop chain=forward src-address-list=udp_flooder
add action=jump chain=forward comment="UDP Flood Protection" connection-state=new jump-target=udp_flood protocol=udp
add action=return chain=udp_flood dst-limit=2000,2000,src-and-dst-addresses
add action=add-src-to-address-list address-list=udp_flooder address-list-timeout=10m chain=udp_flood
add action=add-dst-to-address-list address-list=udp_flooded address-list-timeout=1d chain=udp_flood
add action=jump chain=forward comment="Ping Flood Protection" jump-target="Ping Flood Protection" protocol=icmp
add action=return chain="Ping Flood Protection" dst-limit=200,200,src-and-dst-addresses protocol=icmp
add action=drop chain="Ping Flood Protection" protocol=icmp src-address-list=ping_floodders
add action=add-src-to-address-list address-list=ping_floodders address-list-timeout=10m chain="Ping Flood Protection"
add action=add-dst-to-address-list address-list=synflooded chain=SYN-Protect
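
An added example, not part of the post above and not MikroTik code: a simplified Python model of the posted SYN-Protect chain, assuming dst-limit acts as a per-destination token bucket and ignoring address-list timeouts. It shows that an over-limit packet from a source not yet on synner is listed but not dropped, so when every packet carries a new source address the chain drops nothing and the address list grows by one entry per over-limit packet.

```python
# Added example: simplified model of the SYN-Protect chain from the post above.
# Assumption: dst-limit=1000,1000,dst-address behaves as a per-destination
# token bucket (1000 packets/s, burst 1000); RouterOS internals may differ.

RATE, BURST = 1000.0, 1000.0   # taken from dst-limit=1000,1000,dst-address

class SynProtect:
    def __init__(self):
        self.buckets = {}        # dst -> (tokens, time of last packet)
        self.synner = set()      # source address list (10m timeout not modelled)
        self.synflooded = set()  # destination address list

    def _within_limit(self, dst, now):
        tokens, last = self.buckets.get(dst, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE)
        ok = tokens >= 1.0
        self.buckets[dst] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def process(self, src, dst, now):
        """Walk the chain for one new SYN: 'return', 'drop' or 'fallthrough'."""
        if self._within_limit(dst, now):
            return "return"          # action=return dst-limit=...
        if src in self.synner:
            return "drop"            # action=drop src-address-list=synner
        self.synner.add(src)         # add-src-to-address-list, packet continues
        self.synflooded.add(dst)     # add-dst-to-address-list, packet continues
        return "fallthrough"         # end of chain: back to forward, not dropped

def simulate(pps, seconds, unique_sources):
    """Feed constructed traffic to one destination; return (counts, len(synner))."""
    fw = SynProtect()
    counts = {"return": 0, "drop": 0, "fallthrough": 0}
    for i in range(pps * seconds):
        # Constructed sources: a new label per packet, or a pool of 250 hosts.
        src = f"src-{i}" if unique_sources else f"198.51.100.{i % 250}"
        counts[fw.process(src, "203.0.113.10", i / pps)] += 1
    return counts, len(fw.synner)

if __name__ == "__main__":
    print("new source per packet:", simulate(5000, 2, True))
    print("pool of 250 sources:  ", simulate(5000, 2, False))
```
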
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Thu Aug 29, 2013 2:05 pm

What kind of hardware is it?

DDoS attack will fill your router resources, so your router will have problems processing legitimate traffic. It should not be rebooted. Maybe you have a hardware problem after all.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Thu Aug 29, 2013 2:08 pm

It's a CCR1036-12G-4S
With the current ruleset the CPU load is around 25-30% @1Gbit DDOS.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Thu Aug 29, 2013 2:17 pm

Do you use RouterOS v6.2 or v6.3?
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Thu Aug 29, 2013 2:29 pm

It updated itself to 6.2 and now says it is up-to-date.

I did not even know there is a 6.3 and cannot find it either.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Fri Aug 30, 2013 10:40 am

Which is the most stable version?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Fri Aug 30, 2013 11:52 am

v6.2 should be much better under DDoS attack. v6.3 will be released today or next week, test version is available upon request
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Sat Aug 31, 2013 2:09 pm

Nope, thanks, I need the most stable one.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Sat Aug 31, 2013 2:26 pm

aug/31/2013 12:23:35 system,error,critical router was rebooted without proper shutdown, probably kernel failure

happened again.
exact scenario:
-- receiving ddos on ipv6 (not huge, ~300-400Mbit)
-- editing firewall settings
crash.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Sat Aug 31, 2013 3:14 pm

Hi,
new exp:

the tools/profile shows 90% idle, while system/resources show 100% load.

http://kepfeltoltes.hu/130831/resources ... es.hu_.png

even though the traffic was the same like minutes ago but then the load was 35%.

Any ideas?
Thank you!
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Sat Aug 31, 2013 5:53 pm

Turned off watchdog timer.
Router restarted.
(Which is good, too, as a brick would be worse.)
Nothing in the logs.
I just see all the counters reset.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Mon Sep 02, 2013 12:47 pm

We will release v6.3 today or tomorrow, only an SSTP issue is remaining, so you can safely try it.
If your issue was not fixed by upgrading to v6.2, please email support@mikrotik.com with your supout.rif file, and we will see why this happens.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Fri Sep 06, 2013 10:19 pm

Sorry, almost forgot to Thank You!
 
infused
Member
Posts: 313
Joined: Fri Dec 28, 2012 2:33 pm

Re: Instability under ddos attack

Sat Sep 07, 2013 3:15 pm

bumping. Keen to know the outcome of this.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Sat Sep 07, 2013 5:10 pm

As I saw 6.3 did have some update on gbit links, but I'm still waiting for feedback on 6.3 issues/stability.

Also I found that 500-700Mbit IPv6 DDOS traffic loads the cores to 100% (with 2 FW rules only), so ipv6 ddos above 700Mbit may have triggered the watchdog.
But this does not answer the cases when ports flipped or router was rebooted under an ipv4 ddos.

I had sent away problematic clients already, so I hope I won't be able to do further investigations in ddos attacks XD
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Fri Nov 08, 2013 8:49 pm

Router stable with CPU freq set to 600MHz.
Mikrotik support told me to return it to them.
...

Ofc, no replacement device supplied.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Mon Nov 11, 2013 1:26 pm

> Router stable with CPU freq set to 600MHz.
> Mikrotik support told me to return it to them.
> ...
>
> Ofc, no replacement device supplied.

To clarify, you were asked to return it to the distributor, not MikroTik. The Distributor then could give you a replacement unit, depending on where you bought it.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Tue Nov 12, 2013 11:56 am

>> Router stable with CPU freq set to 600MHz.
>> Mikrotik support told me to return it to them.
>> ...
>>
>> Ofc, no replacement device supplied.
>
> To clarify, you were asked to return it to the distributor, not MikroTik. The Distributor then could give you a replacement unit, depending on where you bought it.

What does this clarify?
It goes back to MikroTik and no one gives any replacement units.
The fact that it goes through the distributor does not change anything.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Instability under ddos attack

Tue Nov 12, 2013 12:00 pm

>>> Router stable with CPU freq set to 600MHz.
>>> Mikrotik support told me to return it to them.
>>> ...
>>>
>>> Ofc, no replacement device supplied.
>>
>> To clarify, you were asked to return it to the distributor, not MikroTik. The Distributor then could give you a replacement unit, depending on where you bought it.
>
> What does this clarify?
> It goes back to MikroTik and no one gives any replacement units.
> The fact that it goes through the distributor does not change anything.

MikroTik does provide a free compensation program with immediate replacement if the unit is faulty. It is up to your distributor to provide you a loan unit. Please understand that we are located in another country, we can't easily loan you a replacement unit while distributor is repairing or replacing it with us.
 
Semir
newbie
Topic Author
Posts: 37
Joined: Tue Aug 20, 2013 6:29 am

Re: Instability under ddos attack

Mon Nov 18, 2013 2:49 pm

> MikroTik does provide a free compensation program with immediate replacement if the unit is faulty. It is up to your distributor to provide you a loan unit. Please understand that we are located in another country, we can't easily loan you a replacement unit while distributor is repairing or replacing it with us.

Mikrotik contacted the distributor which was quite nice of them.
I understand that the distributor's attitude is not MikroTik's responsibility.
They offered a replacement but only after they received the device, which would be a stalemate again :)
However, it is no longer an issue, I just could not yet replace it with my backup device. At least it showed the necessity for a hot spare...
