Hello, I have many DDoS attacks. Who can help me configure my MikroTik to stop that? Thanks
@anav has been waiting for your reply since 2022
http://forum.mikrotik.com/t/new-bee-questions-about-firewall/155373/1
Would you like help without even thanking or replying?
Ask your ISP; you cannot do anything useful to stop DDoS, except close all your open services to the world, which cause the attacks.
Hello, it's a long story. It's very important for me to let at least 1 port open. Can you help me?
I already gave you the correct answer.
Can I see you in private? I'm really confused, and this DDoS attack will give me a heart attack soon.
Isn’t it clear to you that only and exclusively your ISP can do something?
Whatever you do, however, is completely useless.
(Aside from shutting down all internet services you provide, which attract attacks)
What are the symptoms of the so called “DDoS attack” and how did you realize it was one?
I have an application on a Linux server which uses 1 port. One guy sends me a flood attack when I start using it; after only 5..10 mins the router crashes.
It's not exactly the same thing…
If you don’t explain yourself well, how do you expect to have correct help?
One person floods your connection. This is “many DDoS attacks”?
Drop on /firewall raw prerouting his IP.
I'm a newbie on security. I bought this MikroTik to secure traffic from my local server to my remote VPS (OVH VPS), in a way to let traffic only from a specific IP to a specific IP, and all other traffic will be blocked.
Still confused; if we can make direct contact it will be good, please!
- Provide a detailed network diagram
- Post complete config
/export file=anynameyouwish {prior to posting here, remove router serial#, public WANIP information and any keys}
@rextended, whenever you post, make a habit of checking mail.
Looks like it was not so urgent after all.
1- network diagram
Ubuntu server with a CCcam server with 1 port opened, 9011; the local network connects to the VPS.
This is the attached config. What I want is to close all incoming traffic, and all outgoing traffic will only use 9011 to connect to a specific VPS IP.
# may/07/2023 17:09:37 by RouterOS 7.2
# software id = N19D-NGAV
#
# model = RouterBOARD 750G r3
# serial number =
/interface bridge
add admin-mac=64:D1:54:A0:C8:01 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=GUA24328442
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="serveur cccam11" dst-port=9011 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.88.251
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Africa/Algiers
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The first approach is to close all incoming traffic and all outgoing traffic; then I will open and manage the desired port.
Unfortunately, Mikrotik ROS has no ability to stop DDOS attacks. If it’s important, you simply have to supplement or replace it with another solution. However, for other common questions regarding firewall settings, you might get good help from folks in this thread.
For tips and suggestions regarding DDOS protection, Google for example “firewalls that protects against ddos attacks”.
You can see the SYN flood attached.
If 154.54.220.138 traffic is not relevant or important to you, drop it:
/ip firewall raw
add action=drop chain=prerouting src-address=154.54.220.138
Lowering the TCP timeout can help:
/ip firewall connection tracking
set tcp-established-timeout=16m
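Putting the two suggestions from this thread (the raw-chain drop of the flooding source, and the "only the VPS, only port 9011" restriction the OP asked for) into one RouterOS snippet, as an added example that is not from anyone in the thread. It builds on the export posted above (CCcam host 192.168.88.251, TCP 9011, pppoe-out1 in the WAN list) and appends to the defconf rules, which works because defconf's final forward drop only matches WAN traffic that was not dst-natted, so new dst-natted and LAN-originated connections still reach rules added after it. The VPS address 203.0.113.10, the list name cccam_abuse and the limit of 20 connections per source are placeholders I chose.

```routeros
# Added example (not from the thread). Assumed: VPS = 203.0.113.10 (placeholder).
/ip firewall raw
# Raw prerouting runs before connection tracking, so these drops cost no conntrack entries.
add chain=prerouting action=drop src-address=154.54.220.138 \
    comment="flooding source reported in this thread"
add chain=prerouting action=drop src-address-list=cccam_abuse \
    comment="sources that exceeded the per-IP connection limit below"
add chain=prerouting action=drop in-interface-list=WAN protocol=tcp dst-port=9011 \
    src-address=!203.0.113.10 \
    comment="only the VPS (placeholder IP) may reach 9011; everything else is dropped early"

/ip firewall filter
# Even the allowed VPS address is rate-checked: more than 20 concurrent connections
# from one /32 puts that source into cccam_abuse for one hour (raw rule above drops it).
add chain=forward in-interface-list=WAN protocol=tcp dst-port=9011 \
    connection-state=new connection-limit=20,32 \
    action=add-src-to-address-list address-list=cccam_abuse address-list-timeout=1h \
    comment="too many concurrent connections to 9011 from one source"
# Outbound from the CCcam host: only TCP 9011 to the VPS, nothing else new.
add chain=forward src-address=192.168.88.251 dst-address=203.0.113.10 \
    protocol=tcp dst-port=9011 action=accept \
    comment="local cccam server -> VPS on 9011"
add chain=forward src-address=192.168.88.251 connection-state=new action=drop \
    comment="no other new outbound connections from the cccam host"
```

Two things to check after pasting: the last rule also blocks DNS, NTP and package updates from 192.168.88.251, so add accept rules for those before it if the host needs them; and none of this helps once the flood saturates the PPPoE uplink itself, which is the point the earlier replies make about the ISP. What it does buy is that the router drops unwanted packets before connection tracking instead of crashing on a full state table. Check hits with `/ip firewall raw print stats` and `/ip firewall address-list print where list=cccam_abuse`.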