DDoS Protection for CPU Model

Hi,

We have a 10G uplink and we want to use MikroTik OS to protect our game servers from DDoS attacks.

We are using an Intel Xeon E5 model CPU on our current MikroTik OS box. However, we are experiencing 100% load on a single core, and our whitelisted users go down because their whitelisted IPs are checked by that single core, which is at 100% load.

We need to log IPs when we get different attacks, so our CPU usage increases a lot; all CPU cores reach 80-90%. We need a better CPU.

We are thinking of getting an Intel i7-7700K or an AMD Ryzen 7 1800X. Is that the right decision? What do you guys recommend for us?

INFO: we use tunnel-type protection for DDoS, but only our country's connections connect directly to our servers. Thus, we need to filter those. We use MikroTik firewall rules, which cause high CPU load. We need advice on hardware to use as a MikroTik firewall.

Do you use the raw table for dropping?

We use the raw table and filter rules. So which should we choose?
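As an added example (not posted by anyone in this thread), the following RouterOS 6.x snippet shows the raw-table approach the question above refers to: drops placed in `/ip firewall raw` `prerouting` happen before connection tracking, so flood packets never cost a conntrack entry, and the whitelist is a single address-list lookup (hash-based) rather than one rule per IP. Logging is rate-limited with a separate `action=log` rule instead of `log=yes` on the drop rule, since per-packet logging during a flood is itself a CPU sink. The interface name `sfp-sfpplus1`, the addresses (documentation ranges), the `gameservers`/`whitelist` list names and the 27015-27030 port range are all assumptions for illustration; check the `limit=` syntax against your exact 6.x build.

```routeros
# Added example, RouterOS 6.x syntax. All addresses/names below are constructed placeholders.

/ip firewall address-list
# Trusted clients: one hash lookup instead of one rule per IP.
add list=whitelist   address=203.0.113.0/24   comment="constructed: trusted game clients"
# Protected servers.
add list=gameservers address=198.51.100.0/28  comment="constructed: game server range"

/ip firewall raw
# 1. Whitelisted sources bypass every rule below. Goes first so a flood cannot starve them.
add chain=prerouting action=accept in-interface=sfp-sfpplus1 \
    src-address-list=whitelist dst-address-list=gameservers \
    comment="whitelist bypass (address-list, cheap)"

# 2. Log a sample of what we are about to drop, rate-limited (1 line/s, burst 5),
#    instead of log=yes on the drop rule (one log line per packet during a flood).
add chain=prerouting action=log log-prefix="amp-drop " in-interface=sfp-sfpplus1 \
    protocol=udp src-port=19,53,123,161,389,1900,11211 dst-address-list=gameservers \
    limit=1,5:packet comment="sampled logging of amplification traffic"

# 3. Drop reflected/amplified UDP by source port (CHARGEN, DNS, NTP, SNMP, LDAP, SSDP, memcached).
#    No conntrack entry is ever created for these packets.
add chain=prerouting action=drop in-interface=sfp-sfpplus1 \
    protocol=udp src-port=19,53,123,161,389,1900,11211 dst-address-list=gameservers \
    comment="drop common UDP amplification source ports"

# 4. Game servers only speak on the assumed port range; drop any other UDP aimed at them.
add chain=prerouting action=drop in-interface=sfp-sfpplus1 \
    protocol=udp dst-address-list=gameservers dst-port=!27015-27030 \
    comment="drop UDP to non-game ports"

# 5. Fragments are a classic way to dodge port matchers; game traffic should not need them.
add chain=prerouting action=drop in-interface=sfp-sfpplus1 \
    fragment=yes dst-address-list=gameservers comment="drop IP fragments"

# 6. Everything that survived goes on to conntrack and /ip firewall filter as usual.
```

Order matters: the whitelist accept must be the first raw rule, and the cheap, high-volume drops should sit directly after it so that most attack packets terminate after two or three rule evaluations. Check rule counters with `/ip firewall raw print stats` during an attack to confirm which rule is actually doing the work, and confirm the CPU effect with `/tool profile`.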

Nowadays 10GE is too little to protect a server from DDoS. Better to contact a company that offers this solution and do remote BGP. As you offer gaming, the best solution is choosing a company closest to you. Where are you colocated?

Thanks for replying. We are already using tunnel-type protection for foreign traffic. We don't pass our country's traffic through the tunnel in order to have low ping; otherwise we see high pings. Thus, we use MikroTik with a 10G port to filter our country's traffic. Mostly we don't get hit with over 10G, so we only go down because of high CPU usage.

By the way, we are located in Turkey.

If you use a local ISP for TR traffic you can ask them to put an ACL on your port for some kinds of attacks (like amplification, source ports, etc.). If you're connected to an IX you can use communities to filter out the carriers from which you receive part of the DDoS.

For example, we have some customers in TR that have an issue similar to yours, and they route all traffic through us except the most famous users' telcos. Prior to that configuration we experienced a lot of BGP drops because their router was not able to handle the requests.

Thanks a lot again for the reply.

All our servers are at a Turkish datacenter. They have connections from all local ISPs. They can't block DDoS attacks because attackers change their pattern when they get blocked by the datacenter. Recently, we have been getting Valve Source exploit attacks which look like legitimate traffic. They use MikroTik to prevent this kind of attack too.

What is the name of the company you mention? What is an IX? And BGP drops?

I'm really a newbie at firewalls and networking but eager to learn. Thanks for your help.

I started to wonder if my hardware can run RouterOS 6.x.

The current kernel version of RouterOS 6.x is 3.3.5+.

Are the i7-7700K or AMD Ryzen 7 1800X compatible with RouterOS 6.x?

We have only a 10G uplink; we could buy a CCR1072-1G-8S+ or a CCR1036-8G-2S+EM, but we have doubts.

We only experience high CPU usage with our current E5 CPU on a custom server with RouterOS.

Which one is more suitable for us, the CCR1072-1G-8S+ or the CCR1036-8G-2S+EM?

Despite the 100% CPU usage, are you sure your 10 Gbps link isn’t getting 100% consumed by the attack traffic?

Yes, we are sure. Here are the details: http://forum.mikrotik.com/t/one-attack-high-cpu-load-getting-down/108393/1

Could you show a PCAP of the traffic these attackers send to you?

Sorry, we are really new. Can you tell me how I can get a PCAP, and from where?
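As an added example (not from any poster in this thread), this is how a PCAP of the attack traffic can be taken on the RouterOS box itself with the built-in packet sniffer, which is what the request above asks for. The interface name `sfp-sfpplus1`, the server address `198.51.100.10` and port `27015`, the capture size and the Wireshark host `203.0.113.50` are assumptions for illustration; `file-limit` is in KiB on 6.x.

```routeros
# Added example, RouterOS 6.x. Interface, addresses and ports are constructed placeholders.

# Option A: capture to a file on the router, then download it and open in Wireshark.
# Filter on the uplink, the attacked server and the game port so the file holds attack
# traffic rather than everything crossing a 10G link. only-headers=no keeps payloads,
# which is what you need to see a Source-engine query flood.
/tool sniffer set file-name=attack.pcap file-limit=100000KiB \
    filter-interface=sfp-sfpplus1 \
    filter-ip-address=198.51.100.10/32 \
    filter-ip-protocol=udp filter-port=27015 \
    only-headers=no

/tool sniffer start
:delay 30s
/tool sniffer stop

# The file now appears under /file (download it via WinBox Files or FTP/SFTP).
/file print where name~"attack"

# Option B: stream packets live to a machine running Wireshark (TZSP on UDP/37008,
# Wireshark decodes it natively). Nothing is written to the router's storage.
/tool sniffer set streaming-enabled=yes streaming-server=203.0.113.50 \
    filter-interface=sfp-sfpplus1 filter-ip-address=198.51.100.10/32
/tool sniffer start
```

Keep `file-limit` modest: the sniffer is itself CPU and storage work on a router that is already at 100% on one core, so a 30-second sample is usually enough to see the pattern (source ports, packet size, payload prefix) that a raw-table rule can then match on. `/tool sniffer quick` gives a live one-line-per-packet view if you only need to eyeball the traffic.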

Do these attacks originate from specific IP subnets?

Maybe blackhole the traffic:
http://forum.mikrotik.com/t/why-source-based-blackhole-instead-of-firewall-drop/103496/1