72 Core CCR

Hi,

Any idea of the date for the 72 core CCR, and how many 10Gb/s interfaces at full wirespeed?

Thanks

Tony

No idea about the release date; the exact model will be CCR1072-1G-8S+: 1 Gigabit interface, 8 SFP+.

All interfaces directly connected to the CPU.

And the +/- release date? :slight_smile:

Some vital parts of RouterOS do not support multicore, so a 72 core router won't help much of anything unless RouterOS fully supports multicore. Don't expect miracles.

Very simple, light DDoS attacks drop any MikroTik router if connection tracking is on with a few firewall and NAT rules currently.
I don't think it will change with the 72 core router anyway.

Would it help to disable conntrack on border (BGP speaking) routers? How are the results in the field? Anyone tried?

I am using several CCRs and I have already been the victim of a DDoS too. It was slightly larger than 1Gbit/s and my border CCRs were able to handle it. I am keeping conntrack disabled on such devices.

This is exactly what I am trying to say.
Don't turn on CT. Core count doesn't matter!

I'd imagine that putting a fasttrack rule in your forward chain would probably help quite a bit.
You would also need to block services in the input chain with something fast, such as a src-address-list as the only allowed traffic source except for certain icmp messages.

Getting a DDoS attack on my new 72 core CCR. I already implemented the rules below and it still kills my router. I have a 10G backbone and when it hits 3 Gig of DDoS it dies on me. Also, when I call my provider, it never reaches 10 Gig. Any idea what to do??? Or just get a better router?

/ip firewall filter
# Every new forward connection is first sent through the block-ddos chain
add chain=forward connection-state=new action=jump jump-target=block-ddos
# Drop new connections between an already-listed attacker and victim pair
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
# Up to 50 new connections/s (burst 50) per src/dst pair: return, nothing is listed
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
# Above that rate: list the destination as ddosed and the source as ddoser for 10 minutes
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

What other firewall rules are you running and are you fasttracking the connections?
Ask your provider for a BGP blackhole community and use that to block the DDoS attack.

Yes, I do have other firewall rules, but only blocking ports and access lists. As to fasttracking connections, how do I set that up? I will also ask my provider for the BGP info.

Ok, so the performance you are getting is exactly on par with what MikroTik advertises.
Go here https://routerboard.com/CCR1072-1G-8Splus and scroll down to the Ethernet Test Results.
Routing with 25 IP filter rules, with 64 byte packets (which is usually what you get hit with in a DDoS), will give you a max of 3Gbit/sec.
Without any firewall rules, it can do 44Gbit/sec.

The above makes perfect sense. With firewall rules, every packet has to be inspected and checked against every firewall rule you have in a chain until a condition is met.
So if you have 25 rules, for example, and your 24th rule is "Accept traffic to this IP range", each packet gets checked against the other 23 rules until it reaches the 24th, matching rule.
This can slow down traffic and add load to the CCR, especially in a DDoS with high pps.

As a rule of thumb, I try not to route on my firewalls and don't firewall on my routers.
Rather, set up your CCR as a normal fastpath router with no firewall rules, and then on your switch set up a mirror port to a Linux box running Wanguard.
Wanguard will detect the DDoS in under 5 seconds and can perform whatever action you specify (e.g. advertise the /32 IP being attacked via BGP so it can be blackholed, or set up the action to call the MikroTik API and add a blackhole route for the /32 IP being attacked or the source IPs that are attacking).

You can also break your network into segments and put firewalls on each of those segments. This way a DDoS should only affect the one segment that is being attacked, while your other segments work and your CCR stays up.

Thanks, I will try this. I do have like 60 firewall rules; should I leave only the DDoser and DDosed rules in place?

I would remove all firewall rules entirely and disable connection tracking, as this will enable Fastpath on the router automatically (you can confirm by going to IP => Settings).
Let Wanguard detect the DDoS traffic and send blackhole routes for those addresses to your router.

In our testing, I found the DDoS rules on the MikroTik made matters worse when a large, high pps DDoS hits the router.
In our lab, I've been able to bring down MikroTiks that use the DDoS rules using 3 Linux boxes with 10Gb interfaces, running hping3 and hitting a target behind the MikroTik.
However, in fastpath mode, it handles this traffic without any issue.
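The two configurations suggested in this thread (the fasttrack rule plus a src-address-list input chain from the earlier reply, and the no-filter fastpath router with blackhole routes from the last one), written out as an added RouterOS v6 example that is not from any poster. The list name `mgmt`, the management prefix 198.51.100.0/24 and the victim address 192.0.2.10 are placeholders.

```routeros
# Added example, not from the thread. RouterOS v6 syntax assumed;
# 198.51.100.0/24 (management) and 192.0.2.10 (victim) are placeholders.

# --- Option A: keep a filter, but fasttrack established flows ---
/ip firewall address-list
add list=mgmt address=198.51.100.0/24 comment="assumed management range"

/ip firewall filter
# Established/related packets are handed to fastpath by this rule, so
# only the first packets of each connection walk the rest of the chain.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Input chain: one cheap list match, rate-limited ICMP, drop everything else.
add chain=input action=accept src-address-list=mgmt
add chain=input action=accept protocol=icmp limit=50/5s,2:packet
add chain=input action=drop
# Caveat: a flood of new connections (e.g. SYN packets) is never
# "established", so fasttrack does not apply to it; every flood packet
# still goes through conntrack and the full chain, which is the load the
# last post describes.

# --- Option B: no filter rules, conntrack off, blackhole on detection ---
/ip firewall filter remove [find]
/ip firewall connection tracking set enabled=no
# Fastpath becomes active once nothing needs conntrack; verify here
# (the CLI equivalent of the IP => Settings page).
/ip settings print
# Blackhole the attacked /32, the route a detector such as Wanguard
# would push via the API; with BGP the same /32 is announced with
# the provider's blackhole community instead.
/ip route add dst-address=192.0.2.10/32 type=blackhole comment="ddos victim"
```

Option B is what the last reply recommends; Option A still costs one conntrack lookup and the first chain walk per new flow, so it helps with bandwidth-heavy floods of established traffic but not with high-pps floods of new connections.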