100% CPU Usage

We get SYN flood attacks on one of our servers.

I see 80,000 p/s on the incoming interface and CPU usage goes to 100%.

Is this normal? What can we do on MikroTik to handle this?

Box is a P4 3.2 GHz, 512 RAM.

If it's coming from a specific address, use some firewall rules against it. action=tarpit should kill this guy :)

I wish that all attacks came from a single IP address :)

I will use tarpit but I am not hopeful.

You may also use address lists and tarpit. I use them intensively and I am fairly happy with the ever growing blacklist from various attackers.
In other words, you can add source addresses to a blacklist whenever there is an attack and use the blacklist to tarpit attackers.

I am already doing these, but the problem is the CPU. Incoming 80,000 packets per second :O

Unfortunately, there is no perfect solution to this problem. Most ISPs suffer from DDoS from time to time. You can contact your internet provider to try and solve this problem, or you can simply hope that it will stop. Mostly, even the most powerful CPU will not help, as the attacks come from multiple sources at once and the attacker has the ability to make the attack even stronger if he needs to.

How do Google and Microsoft handle this? They built server farms of 1000s of servers for their web sites?

This DDoS is messing up all work. People need to find a solution for this. This is internet terrorism.

I tried several devices like TippingPoint and NetScaler, but they can't solve it 100%.

But of course Google has server farms, what did you think?

Addresses: 64.233.183.103, 64.233.183.104, 64.233.183.147, 64.233.183.99
Aliases: http://www.google.com

And that's only what you see from outside. Big servers have server networks with multiple gigabit connections, lots of backup links, very much raw power.

You didn't think Google sits on one gray PC box, did you :) ?

By the way, 80,000 p/s means that you have huge bandwidth at your disposal. What kind of link is it? Maybe a RouterBOARD is not suited. And maybe the 80,000 p/s are not all DDoS traffic?

Of course I didn't think Google is running on a P4 :)

I just want to know whether having huge servers and bandwidth is the only solution for DDoS.

BTW, 80,000 p/s was about 50 Mbit/s.

Dropping packets is much slower than routing them (not sure why). Is there a way to null route them on MT? Is this anything that could be done with routing type=blackhole in routes?

DDoS sucks. Bandwidth is the first obstacle to fighting them off; then you have to get some very good techniques for being able to access your box while it's happening so you can fine tune. Also, if you are using LOG you will be dead in the water with no effort; change logging rules to 5 p/s so you don't overwhelm your CPU.

Sam

Sam, where the hell do you change this logging rule?
Couldn't figure it out.

Thanks.

Here is an example; it uses limit=

/ip firewall filter
# limit=1,2 logs at most 1 packet per second with a burst of 2, so the log action cannot flood the CPU
add chain=ICMP protocol=icmp limit=1,2 action=log log-prefix="" comment="log it" disabled=no

Sam
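Added example, not from the thread or from MikroTik: RouterOS firewall rules that put together the address-list + tarpit approach, Sam's rate-limited logging, and the blackhole route asked about above. The WAN interface name "ether1", the address-list name "synflood", the 30-connection threshold and the 192.0.2.0/24 prefix are all assumptions made up for this example.

```routeros
# Added example (not from the thread). Assumed names: interface "ether1",
# address list "synflood". Rules are evaluated top down, so order matters.
/ip firewall filter

# 1. Sources already on the blacklist are tarpitted first, so the
#    matchers below never run for known flooders.
add chain=input protocol=tcp src-address-list=synflood \
    action=tarpit comment="tarpit known SYN flooders"

# 2. Rate-limited log of new inbound SYNs: at most 5 per second, burst 5,
#    so logging itself cannot pin the CPU, as Sam warns above.
#    (RouterOS v6 and later spell this limit=5,5:packet.)
add chain=input protocol=tcp tcp-flags=syn,!ack connection-state=new \
    in-interface=ether1 limit=5,5 \
    action=log log-prefix="SYN-FLOOD" comment="rate-limited SYN log"

# 3. A source holding more than 30 connections to this box (counted per /32)
#    goes on the blacklist for one day; rule 1 then tarpits it. Note that
#    spoofed-source floods, where every packet has a new source, will not
#    accumulate per-source connections and so slip past this rule.
add chain=input protocol=tcp tcp-flags=syn,!ack connection-state=new \
    in-interface=ether1 connection-limit=30,32 \
    action=add-src-to-address-list address-list=synflood \
    address-list-timeout=1d comment="blacklist SYN flooders"

# 4. The null-route alternative asked about above. A blackhole route
#    matches the DESTINATION, so it discards traffic to a flooded host
#    in the routing table rather than filtering by attacker source.
#    192.0.2.0/24 is a constructed documentation prefix.
/ip route
add dst-address=192.0.2.0/24 type=blackhole comment="drop traffic to flooded host"
```

Check the rule counters with /ip firewall filter print stats and the list with /ip firewall address-list print to confirm which rules are actually firing before trusting the CPU graph.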