DDoS detection and blocking

According to this https://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking the expire time has a bug so 10s is actually 1s. Can anyone please throw some light on whether this is still the case? What is the expire value needed for in any case? I am trying to set a rule to drop and black list all udp traffic if over 6 packets per 8 seconds per IP but the expire value is a little confusing.

Is this the right way to do it?

dst-limit=6/8s,6,src-and-dst-addresses/80s

Thank you

That article is almost 10 years old, please use current version
https://help.mikrotik.com/docs/display/ROS/DDoS+Protection

Even the newer version does not explain what the expire value is for and why would you want to use a 10s expire time for 32 packets/1s time frame. It still uses 10s without explaining why the expire value should be as such.

So the question remains, how do I drop and blacklist any traffic above 6 packets per 8 seconds? What would be the correct expire value for it and why?

The answer can be found on https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter:


dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )

Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has its own limit. Flow is defined by mode parameter. Parameters are written in the following format: count[/time],burst,mode[/expire].

  • count - packet count per time interval per flow to match

  • time - specifies the time interval in which the packet count per flow cannot be exceeded (optional, 1s will be used if not specified)

  • burst - initial number of packets per flow to match: this number gets recharged by one every time/count, up to this number

  • mode - this parameter specifies what unique fields define flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port)

  • expire - specifies interval after which flow with no packets will be allowed to be deleted (optional)

Dropping traffic above 6 packets per 8 seconds means: dst-limit=6/8s

I think your doubt is about expire time. Maybe it is easier to understand with an example. Suppose that you receive this number of packets for a flow. Depending on whether the expire time is 2s or 10s, the calculated rate is different.

Time  #Packets    Rate (expire=2s)      Rate (expire=10s)
   0        1               1p/s                    1p/s
   1        3               2p/s                    2p/s
   2        0               2p/s                  1,3p/s
   3        0               2p/s                    1p/s
   4       21              21p/s                    5p/s
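The effect of expire on the asker's rule can also be seen by simulating dst-limit as the token bucket the manual text above describes. This is an added example, not code from the thread or from RouterOS; the bucket model (burst tokens, refilled at count/time per second, flow forgotten after expire seconds idle) and the packet timeline are assumptions, as is the constructed source address.

```python
"""Token-bucket model of dst-limit=count/time,burst,mode/expire (assumed model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    tokens: float      # packets this flow may still send before exceeding the rate
    last_seen: float   # timestamp of the last packet, used for refill and expiry


class DstLimit:
    """One bucket per flow: `burst` tokens, refilled at count/time tokens per second."""

    def __init__(self, count: int, time: float = 1.0,
                 burst: Optional[int] = None, expire: float = 10.0) -> None:
        self.burst = burst if burst is not None else count
        self.expire = expire
        self.refill_interval = time / count   # seconds needed to earn one token
        self.flows: Dict[str, Flow] = {}

    def match(self, key: str, now: float) -> bool:
        """True while the flow is under its rate (packet matches), False once exceeded."""
        flow = self.flows.get(key)
        if flow is None or now - flow.last_seen >= self.expire:
            # New flow, or one idle longer than expire: its history is gone,
            # so it starts again with a full burst.
            flow = Flow(tokens=float(self.burst), last_seen=now)
            self.flows[key] = flow
        else:
            refilled = (now - flow.last_seen) / self.refill_interval
            flow.tokens = min(float(self.burst), flow.tokens + refilled)
            flow.last_seen = now
        if flow.tokens >= 1.0:
            flow.tokens -= 1.0
            return True
        return False


# Constructed timeline: one source sends 6 packets at once, a 7th 0.1 s later,
# then pauses 1.5 s and sends 6 more.
SRC = "203.0.113.7"
TIMELINE: List[Tuple[float, str]] = [(0.0, SRC)] * 6 + [(0.1, SRC)] + [(1.6, SRC)] * 6


def simulate(expire: float) -> List[bool]:
    """Run the asker's rule dst-limit=6/8s,6,src-address/<expire> over TIMELINE."""
    rule = DstLimit(count=6, time=8.0, burst=6, expire=expire)
    return [rule.match(src, ts) for ts, src in TIMELINE]


if __name__ == "__main__":
    for expire in (80.0, 1.0):
        res = simulate(expire)
        print(f"expire={expire:>4}s matched={res.count(True)} over-limit={res.count(False)}")
```

With expire=80s the second burst is still charged against the depleted bucket (only one token has refilled in 1.5 s), so five packets exceed the limit; with expire=1s the idle flow is forgotten and all six match, which is why an expire shorter than the 8 s the bucket needs to refill makes the 6/8s rate meaningless.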

UDP source addresses are trivially spoofed; using rules like this, you turn a volumetric DDoS into a computational DDoS as your connection tables fill up and crash the router.

There are no magic rules to fix DDoS. If your bandwidth is lower than the incoming traffic then by the time it hits your router it is too late to do anything about it, your link is already saturated.

Yes jprietove, that is exactly the answer I was looking for. The expire value does not seem to be well documented. Thank you for the example

R1CH, there is no crash here my friend so no worries. What you are saying is already well known and not the issue here but thanks anyways! :wink:

Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn’t matter which model or how much bandwidth you have) become totally unresponsive.

I already have about 19000 IPs so far :wink:

There’s protection against SYN Flood too.

https://help.mikrotik.com/docs/display/ROS/DDoS+Protection#heading-SYNAttack

thx for your effort. Unfortunately, I’m still having difficulties in understanding how to calculate it.
Can you share how you did the maths?