Hi there,
Can anyone please give us a hint on how to limit the number of connections established by specific IPs or a Range?
This is to protect against DoS attacks on the one hand, and to limit the number of P2P and Accelerated Connections/Sessions on the other.
This is required for TCP and UDP connections. Limitting packet match rate hasn’t helped much, and connection limit does not work for udp connections. Maybe some Mangle and Queues?
Please help.
Thx
this is explained in the first example of the manual:
http://www.mikrotik.com/docs/ros/2.9/ip/filter
To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
>Thx Normis.
Does this also apply for udp connections? Coz can’t set connection-limit for udp.
Got some clients using a P2P openning 20 to 30 udp sessions from each Client IP simoultaneously! Shows on torch.
What if I want to allow more than 5 for some clients, like ten for instance or more?
Limewire is our worst nightmare. Uptill 50 or maybe more simoultaneous sessions. It is causing DoS. No other client can connect when Limewire is active. Have to browse down in torch to reach the end of the list on a 19inch monitor lol.
Regards.
Ok quite clear now how to limit TCP connections, but how about UDP? Is it possible or not. Do we need a proxy server to control UDP?
If we can do nothing about it, then we have to send warnings to our clients.
Thx.
UDP is a a connectionless protocol, so there are no “connections” to limit.
will applying this rule to say, 50 queues have a negative impact on consistant speeds used for gaming and streaming?
tried this rule, and people instantly had problems with complete page resolution. Any ideas?
Obviously that will happen.
You didn’t post what rule you “tried”, so I presumed you “tried” the rule that limits to 5 connections.
It’s WAY to little. Most modern browsers alone run with anywhere from 10 to 20 (some even more) threads in the background, all making individual requests to open up web pages, load graphics, etc etc etc.
Before you drop, log. It will show you clearly when / if / why a rule is hitting, and based on that you will know what to do to resolve whatever problem you are having.
I have found 16 as optimal limitation…
Thx for reply,
Yet I have clients who are using P2P parograms that when I monitor their connections through torch, I see a hundred plus sessions or packets or whatever they are simoultaneously. When I block the related client(s), the network is fast again for everyone else.
When I allow, then the network or at least Internet access gets real slow, ie almost similar to DoS, mostly affecting DNS requests on udp port 53. Queues don’t help as the hundred above don’t amount to 15kbps. So, it is not the packet size, but number of packets sent/sec or something else.
So, if udp doesn’t work via connections, is it possible to limit the number of udp packets sent by a client through (Winbox) Firewall Filter Protocol udp(17) limit packet match rate? If yes, then what is an advisable setting?
Thx to whoever answers.
Regards.
Can you give more information on the network configuration and topology? We limit P2P to 512kbps for each user on our network and haven’t experienced any problems with the amount of UDP connections causing DoS. How many packets per second are going through the local router? Is CPU utilization being maxed out on the router, or any other resources?
Also what kind of upstreme connection do you have (ie: xDSL, T1, T3, fiber, etc..)?
Ok.
We are running several Mikrotik Highpoints with the APs running as PPPoE servers. The AP interface has no IP Address. PPPoE clients connect to the towers through wireless media. The authentication is accomplished through a centralized radius server. There is a linux box load balancing several 512kbps ADSL lines as gateway and DNS server.
Now, our problem is mainly with some P2P programs running on the ckient side, that upload and download showing some 50-100 or more udp entries on torch. It seems the capacity of the gateway is not more than 200 udp packets, sessions or whatever per second. This is not about the bandwidth consumption because each PPPoE client is limited to 128kbps max.
If torch shows the number of packets sent/received per second, 100s of udp send/ receive inputs are displayed, as if it is an open stream of tiny entries less than a KByte each. When the case is the client is
uploading, then the DNS resolution is slowing down on our system, as DNS requires udp port 53. In simple terms, we have to refresh the Internet Explorer some ten times to resolve a fqdn. Regarding the processor consumption, it runs at an average of 30% on RB532 whenever the above senario exists.
It is not the processor, not the bandwidth but the number of sessions or packets sent/received simoultaneously from an individual IP. In case of TCP, fine, we know how to limit connections easily, but for udp their is no connection limit. So, again I ask would limitting the packet match rate for udp protocol help? Or else, please someone, help us.
Thx.
You might want to look at the MikroTik for traffic shaping. There you can limit p2p to a certain ammount of connections. Try 15 - 20.
Kindly can you ellaborate a bit more, like give an example.
I have tried something and seems to help. I set the udp protocol packet match rate to 16/sec with Burst=20. Seems to help a bit.
Thx.
Like you are doing but choose:
Forward firwall filter.
tcp options -any
connection limit 15
all-p2p
and leave burst and count time limit values all at 0
This should keep tracable p2p at bay. You should also mangle p2p and limit the speed too in queue tree to finish the job.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
Can this be altered so it only looks at non-http connections. Since we run a transparent web cache I doubt any p2p is going to get through http anyway.
Matthew