Change TTL Cause do not show router ip in traceroute

Hello,
I want to hide my router IP from traceroute due to DDoS attacks, and I do this with the change TTL option, increasing TTL by 2. So there is something strange for me: why after increasing TTL does my router IP not show? However, in Cisco when we increase TTL it just adds that count of hops to the packet! So why in MikroTik, after increasing TTL, does my MikroTik router IP not show?
Also I tried dropping ICMP option 11 and 3:3 and others to block traceroute, but it does not work (I also dropped all ICMP protocols).
If somebody explains this for me I would really appreciate it; however, my problem is solved anyway :smiley: but I am curious to understand it better,
thanks

I’m not in the camp that believes ICMP is a major threat. While I’m unaware of your specific conditions, not having ICMP-related protocols at hand will only make your life harder more often than an attacker’s. Discovering a router’s IP address is trivial. Additionally, Linux/Mac traceroute can use TCP or UDP for discovery.

I highly doubt you are being discovered explicitly by traceroute. Fiddling with TTL can cause severe IP routing issues (loops, both continuous or partial). Give us an idea of what kind of DDoS attacks you are suffering and your network architecture; there are likely better ways to protect yourself. Additionally, specific to ICMP, allow it and rate limit it if you are really worried about it being abused. The MikroTik firewall is completely capable of doing it.

Common Web-Site that shows IP to a user

Example of Rate Limiting

/ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 echo-request" \
    icmp-options=128 limit=1k,100:packet protocol=icmpv6

I think I explained my question badly. See, I have x.x.x.0/30 between my CCR and my upstream CCR; x.x.x.1 is set on the upstream CCR and I set x.x.x.2 on my router, then we established BGP and we advertise my own IP range. I also have no problem with attacks, because my prefix is advertised from a DDoS-protected carrier, but x.x.x.0/30 is not DDoS protected, so if someone does mtr or traceroute they can find my router IP address and send a DDoS attack (UDP, TCP, …) to my router directly. So this is the reason I want to hide my router IP,

Are you having that problem now? If your router routes packets it should (needs to) decrement TTL. If you need a security device to prevent attacks beyond what the MT can provide natively install a proper firewall in passive or passthrough mode that is capable of performing the necessary deep packet inspection and black hole DDOS attempts.

Additionally, install ACLs that drop traffic targeted directly at the IPs installed on the routers so that only traffic meant to be sent to them ever comes up the stack. For traffic to flow through the router it doesn’t need to be sourced or destined to the IP on the router.

Regardless, by targeting your prefix behind the router I’m also targeting your router inherently.

I do not have any attacks right now,
you said increasing TTL by 2 causes problems?
I also do it in the prerouting chain and set protocol to ICMP only and destination to my prefix only.

Yes, changing TTL on traffic can be extremely harmful to network operations unless you really understand what it’s doing at an expert level.

Blocking ICMP impacts path MTU discovery. This is becoming a prevalent issue on the forums. As websites shift to HTTPS, any change in MTU size can cause an HTTPS packet with the DF bit set to true to be dropped. When that happens the dropping router needs to send an ICMP message back to the server to tell it the packet needs to be fragmented. If you’re dropping that message then you’re opening a can of worms worth of problems for yourself and any customers you have, external or internal. No matter what you do with ICMP, a Linux traceroute will expose you.

TLDR; leave ICMP alone. Install a proper DPI-capable appliance with logging and a fail2ban process for potential inbound DDoS attacks. Implement BCP38 ACLs for your end users’ outbound traffic. You’ll be significantly more protected than by filtering ICMP incorrectly and fiddling with packet TTLs.

OK, if I leave the change TTL, what is your suggestion for blocking ICMP? Because when I block ICMP requests I cannot ping the router IP, but traceroute still shows my router IP. Also, I told you my scenario in some previous messages.
thanks

Blocking your router’s IP in ICMP or traceroute will not stop a DDoS attack based on your design.

I’m not sure what gave you the notion it would, but sadly it won’t. I’m going to assume this idea came from how the Cisco ASA device behaves by default. Sadly this is flawed old-world logic.

Implement good ACLs, add rate limiting and implement BCP38. Going beyond that requires a capable deep packet inspection device with the ability to analyze traffic, usually paired with a machine learning cloud component, logging and a fail2ban black-hole type solution.

See my friend, forget about the DDoS attack; I just need my router IP not to show in traceroute, and forget why I need this. What is your best suggestion for this?
Because when I drop ICMP on input it blocks ICMP, but my router IP shows in traceroute and mtr, whereas when I change TTL my router IP does not show in traceroute.

Again, this does NOTHING to protect you from DDoS, which was the original reason you wanted to do it.

/ip firewall filter add action=drop chain=output icmp-options=11:0-255 protocol=icmp

^^ Place that rule appropriately (or at the top) of your firewall filter. Your router will not emit the time-exceeded message and will appear as asterisks in a typical traceroute, while the other hops still show.
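To make the difference between the two approaches in this thread concrete, here is a small added simulation (not code from the thread or from MikroTik) of how a traceroute probe walks a chain of routers. A probe with TTL n normally expires at hop n, which answers with ICMP time-exceeded. A router that adds 2 to the TTL in prerouting before decrementing never lets the probe expire on itself, so the probe that should have stopped there sails on, and the hop behind it is skipped as well; dropping type 11 in the output chain only blanks that one hop. All addresses are constructed placeholders, and the model ignores protocol matching (the poster's rule matched ICMP only).

```python
# Added example: a toy model of TTL handling along a path, to show why
# "change TTL +2" hides the router (and its neighbour) while dropping
# ICMP time-exceeded only turns that hop into asterisks.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Router:
    ip: str
    ttl_increment: int = 0            # models a prerouting "change TTL" mangle rule (e.g. +2)
    drop_time_exceeded: bool = False  # models dropping ICMP type 11 in the output chain


def probe(path: List[Router], destination: str, ttl: int) -> Optional[str]:
    """Return the address that answers one probe sent with the given TTL.

    None means nobody answered, which traceroute prints as '*'.
    """
    for router in path:
        # Prerouting mangle runs before the routing decision...
        ttl += router.ttl_increment
        # ...and every router decrements TTL when it forwards.
        ttl -= 1
        if ttl <= 0:
            # The router would normally reply with ICMP time-exceeded (type 11);
            # an output-chain drop for type 11 silences that reply.
            return None if router.drop_time_exceeded else router.ip
    # The probe survived every router, so the destination host itself answers.
    return destination


def traceroute(path: List[Router], destination: str, max_ttl: int = 30) -> List[Optional[str]]:
    """Send probes with TTL 1, 2, 3, ... until the destination answers."""
    hops: List[Optional[str]] = []
    for ttl in range(1, max_ttl + 1):
        answer = probe(path, destination, ttl)
        hops.append(answer)
        if answer == destination:
            break
    return hops


# Constructed addresses (RFC 5737 documentation ranges), standing in for the
# poster's x.x.x.0/30 link and advertised prefix.
UPSTREAM = "203.0.113.1"   # upstream CCR side of the /30
ROUTER = "203.0.113.2"     # the poster's router side of the /30
INTERNAL = "198.51.100.1"  # a further hop inside the advertised prefix
DEST = "198.51.100.50"     # the host being traced


def baseline() -> List[Optional[str]]:
    """Plain routers: every hop shows up in order."""
    return traceroute([Router(UPSTREAM), Router(ROUTER), Router(INTERNAL)], DEST)


def with_ttl_increment() -> List[Optional[str]]:
    """The poster's original trick: +2 TTL on the router in prerouting."""
    return traceroute([Router(UPSTREAM), Router(ROUTER, ttl_increment=2), Router(INTERNAL)], DEST)


def with_time_exceeded_dropped() -> List[Optional[str]]:
    """The suggested rule: drop ICMP type 11 in the router's output chain."""
    return traceroute([Router(UPSTREAM), Router(ROUTER, drop_time_exceeded=True), Router(INTERNAL)], DEST)


if __name__ == "__main__":
    for name, fn in [("baseline", baseline),
                     ("ttl +2", with_ttl_increment),
                     ("drop type 11", with_time_exceeded_dropped)]:
        print(f"{name:14s}", [hop or "*" for hop in fn()])
```

Running it shows the baseline listing all four addresses, the TTL trick collapsing the trace to upstream followed directly by the destination (both the router and the internal hop vanish, and every later hop is reported two positions early), and the type-11 drop producing exactly one `*` in the router's slot with the remaining hops intact. That shift of every downstream hop is the kind of side effect the earlier replies warn about when TTL is rewritten.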

thank you my friend,
it works,