Correct way of protecting from SYN ?

soamz · June 21, 2016, 12:28am

I can see my developer had done this to my core router.

But I found this in a forum thread,
"

add action=jump chain=forward comment="SYN Flood protect" disabled=no \
    jump-target=SYN-Protect protocol=tcp tcp-flags=\
    syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=accept chain=SYN-Protect comment="" disabled=no limit=X,Y \
    protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=drop chain=SYN-Protect comment="" disabled=no protocol=tcp \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr

Now, Im confused.
Whether to keep what I have now or copy paste the above code directly ?

soamz · June 21, 2016, 12:28am

And whether those rules should be on border or core or PPPoE router ??

ironman820 · June 22, 2016, 3:54pm

If concerned about syn flooding, those rules should be on any router with a public IP address. With one huge recommendation, set up a test router with your PPPoE setup and make sure the rules don’t block any PPPoE traffic they’re not supposed to (I’m not familiar with PPPoE, but I have enabled rules that have had major effects on our traffic).

As far as if the rules are set up properly, check the rules to see if the flags are set properly, or to make it easier, you could just export the config for your firewall filter and compare it to the rules you are looking at:

/ip firewall filter
export

soamz · June 22, 2016, 3:56pm

So the rule is correct ?
Did you see it full ?

And it should be in all the microtik routers ?
Yes, all of my routers are with public IP always.

ironman820 · June 22, 2016, 4:25pm

The rule appears to be correct, but Winbox does not show everything on the line display, if you want to post the output of those lines after running the code I posted, I can say that they are correct.
The other thing I’m seeing is since you are using PPPoE behind a router, you might want to consider changing the “limit” parameter to “dst-limit” as described in this post:
Does the SYN protect chain really protect anything?
So the code would be:

add action=jump chain=forward comment="SYN Flood protect" disabled=no \
    jump-target=SYN-Protect protocol=tcp tcp-flags=\
    syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=accept chain=SYN-Protect comment="" disabled=no dst-limit=X,Y \
    protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=drop chain=SYN-Protect comment="" disabled=no protocol=tcp \
    tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr

soamz · June 22, 2016, 5:19pm

Okay in all routers, use the same code
But in PPPoE routers only, change to dst

ironman820 · June 22, 2016, 6:48pm

That would be the route I would take.

soamz · June 22, 2016, 6:54pm

Thanks.
I think I will first add it to the border routers and then the core and then will add to PPPoE router after 2-3 days.

soamz · July 30, 2016, 8:41am

Added to border router but it doesnt seem to be getting the packets.
Looks like some issue.