CCR-1036 got rebooted with DDoS

I have a CCR-1036, and to test it I have plugged it directly into a Linux box to test network performance. I have added a single iptables rule to check firewall performance and run the following command:

hping3 --udp --data 1024 --spoof --rand-source 192.168.88.1

Booooom!! The MikroTik rebooted in 30 seconds. I am able to reproduce it each and every time… Does anybody know what is going on?

Pay attention to Memory usage and CPU while you run the test. If you are hitting a max in one of those, yep, that can happen. In fact it can happen to any vendor.

Further, what RouterOS are you running?

Absolutely true. I acquired my first pair of Junipers (MX104, quite expensive) and they behaved the same. DDoS? Bam! The whole box went offline. It didn’t reboot but spent a couple of minutes unresponsive while dropping all BGP sessions and all connections in the meantime. The uptime didn’t reset but the consequences were the same.

The reason? This feature was enabled. I had to turn it off.

I have checked my CPU load; it was around 30-40%, but it has tons of memory, 16G, and plenty free. I can understand handling DDoS isn’t fun… But it's a normal amount of DDoS. The CCR-1036 has a 10G fiber port and I am going to hook up 10G fiber. If it can’t handle a 500Mbps DDoS attack, then how the hell can it handle other nasty outside attacks?

My lab attack is a simple hping3 throwing random sources. I have checked: the attack size is 500Mbps and it's opening 500k tracked connections.

I have run the same test on a Linux-based firewall with the same iptables rules, and the Linux firewall is handling 1 million connections without a single dropped packet.

I want benchmark results before I move this piece into production. If it gets rebooted by a small hping3 command, I need to think about it… :frowning:

Update:

Worked with support on this issue and it was finally resolved in version 6.34rc6 :slight_smile:

They said they mark this bugfix in 6.34.2+ releases. Any idea when 6.34.2 is coming out?

It is a specific weakness of your configuration.

If you really want to secure a router,

you need to create rules to police and QoS traffic towards the router to protect it.

In Cisco it's called Control Plane Protection and Control Plane Policing.
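
The policing idea from the last post, as an added example that is not from any poster in this thread: a small simulation comparing an aggregate per-class policer for traffic addressed to the router with a per-source limiter, under the random-source flood described above. The class names, rates, the peer address `192.0.2.1` and the traffic mix are all constructed assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass

@dataclass
class Bucket:
    rate: float        # tokens (packets) refilled per second
    burst: float       # maximum bucket depth
    tokens: float      # current fill
    last: float = 0.0  # time of the previous packet

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

BGP_PEER = "192.0.2.1"  # assumed trusted peer (documentation address)

def classify(src: str, proto: str, dport: int) -> str:
    """Assumed policy: BGP from the known peer is 'routing', the rest 'default'."""
    if src == BGP_PEER and proto == "tcp" and dport == 179:
        return "routing"
    return "default"

def simulate(flood_pps: int = 50_000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    # Constructed input: one second of random-source UDP plus 10 BGP packets.
    pkts = [(i / flood_pps, str(ipaddress.IPv4Address(rng.getrandbits(32))), "udp", 53)
            for i in range(flood_pps)]
    pkts += [(i / 10, BGP_PEER, "tcp", 179) for i in range(10)]
    pkts.sort()
    classes = {"routing": Bucket(100, 20, 20), "default": Bucket(200, 50, 50)}
    per_src = {}  # one bucket per source address: state grows with the flood
    passed = {"routing": 0, "default": 0}
    per_src_passed = 0
    for now, src, proto, dport in pkts:
        cls = classify(src, proto, dport)
        passed[cls] += classes[cls].allow(now)
        if src not in per_src:
            per_src[src] = Bucket(10, 5, 5, now)
        per_src_passed += per_src[src].allow(now)
    return {"class_passed": passed, "class_state": len(classes),
            "per_src_passed": per_src_passed, "per_src_state": len(per_src)}

if __name__ == "__main__":
    print(simulate())
```

The per-source limiter admits every packet and allocates one state entry per spoofed address, while the class policer holds the flood to its configured rate with two buckets and still admits all routing packets.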