DDoS Rules when Connection Tracking is Off

I’m wondering how to place DDoS attack filter rules when Connection Tracking is Off on a MikroTik CCR-1036, as I’m using this router for routing only and the rest of my traffic is forwarded to a CGNAT CCR-1009.

Can anyone help with it?

Well, first, why don’t you want to place those rules on your CGNAT device? :)

I think I didn’t describe my network completely, so let me tell you everything.

I’m working as a mini ISP with 1500 users. I have 2 public pools of /24 which are routed by my main ISP through these IPs, 14.x.x.x/29, assigned by my ISP to my MikroTik router (my router IPs are /29).
So, my edge router, a CCR1036, is connected to my user interface (and my users are PPPoE clients).

CCR-1036 EDGE ROUTER: This router has these functions (PPPoE server; routing the /24s directly by giving real IPs to defined users; and forwarding private 172.16.x.x/16 users to my CGNAT router). This router has connection tracking OFF (the reason connection tracking is off is that when the electricity goes off in one of my areas, my MikroTik doesn’t get any load, because CONNECTION TRACKING IS DISABLED). If I turn connection tracking ON at this router, then when 100s of users reconnect at the same time the CPU load goes to 100% and the MikroTik starts dropping packets for a few seconds.

So, I used another router for CGNATing.
Please see the link below for what I want to explain to you.
https://aacable.wordpress.com/2018/03/27/separating-natting-from-routing-in-mikrotik/

Do you have another solution?

I don’t know what those ‘DDoS Rules’ are, but you can use the Raw table to do filtering without connection tracking enabled.

When connection tracking is off, RAW tab rules won’t work

DDoS protection at ISP level shouldn’t be relying on “drop” rules, that’s what we do at home.

ISPs should use more pro-grade solutions: https://security.stackexchange.com/a/134770

Your link provides the correct information:
“When using Masquerade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect.”
=> Use srcnat instead of masquerade to eliminate the extra load on PPPoE (dis)connects.
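The srcnat-versus-masquerade point above, as an added RouterOS configuration example that is not from this thread or from the linked article. It assumes the private PPPoE users sit in 172.16.0.0/16, that the uplink interface is named ether1, and uses the documentation range 203.0.113.0/24 as a placeholder for the real public pool; replace those with your own values.

```routeros
# Added example (not from the thread). Assumed: users in 172.16.0.0/16,
# uplink interface "ether1", public pool 203.0.113.0/24 (placeholder).

# Weak form: masquerade chooses the source address from the outgoing interface
# at runtime, so RouterOS has to revisit tracked connections whenever an
# interface changes state (every PPPoE connect/disconnect).
/ip firewall nat
add chain=srcnat action=masquerade src-address=172.16.0.0/16 \
    out-interface=ether1 comment="masquerade: recalculated on each (dis)connect"

# Preferred form: src-nat to a fixed public address (or a fixed range) does not
# depend on interface state, so interface flaps do not trigger a recalculation.
# Remove the masquerade rule above before enabling this one.
/ip firewall nat
remove [find comment="masquerade: recalculated on each (dis)connect"]
add chain=srcnat action=src-nat src-address=172.16.0.0/16 \
    to-addresses=203.0.113.10-203.0.113.20 out-interface=ether1 \
    comment="src-nat: static public pool, no recalculation"
```

On the CGNAT box, `to-addresses` can be the whole public pool so the users are spread over several addresses; the important property is that the translated address is chosen from a fixed list rather than from whatever the outgoing interface happens to hold.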
Raw works fine without connection tracking; raw is applied before tracking (if enabled).
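What a raw-table filter on the routing-only edge router can look like, as an added RouterOS example that is not from this thread. The raw prerouting chain is evaluated before connection tracking, so none of these rules use connection-state; they only match on addresses, protocol and port. Assumed names: the uplink interface is ether1, and the address list is called ddos-attackers (a placeholder for whatever list the OP populates).

```routeros
# Added example (not from the thread). Assumed: uplink "ether1",
# address list "ddos-attackers" maintained elsewhere.

/ip firewall raw
# Drop sources that have already been placed on the attacker list. Address-list
# matching needs no connection state, so it works with tracking disabled.
add chain=prerouting action=drop in-interface=ether1 \
    src-address-list=ddos-attackers comment="drop listed attack sources"

# Drop packets arriving from the Internet with private/bogon source addresses;
# such sources are spoofed and are a common ingredient of flood traffic.
add chain=prerouting action=drop in-interface=ether1 \
    src-address=10.0.0.0/8 comment="bogon 10/8"
add chain=prerouting action=drop in-interface=ether1 \
    src-address=172.16.0.0/12 comment="bogon 172.16/12"
add chain=prerouting action=drop in-interface=ether1 \
    src-address=192.168.0.0/16 comment="bogon 192.168/16"
add chain=prerouting action=drop in-interface=ether1 \
    src-address=127.0.0.0/8 comment="bogon 127/8"

# The edge router is not a public DNS server, so DNS queries from the uplink are
# only reflection/amplification attempts against the router itself.
add chain=prerouting action=drop in-interface=ether1 protocol=udp \
    dst-port=53 dst-address-type=local comment="no DNS service to the Internet"
```

Because these rules never consult the connection table, they drop the unwanted packets at the same cost whether tracking is on or off. Anything that needs per-connection state (new versus established, SYN-flood heuristics built on connection-state) still has to live on the CGNAT router, which is the point made in the replies above.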

Dear Chupaka (sorry for using your short name),

How do I rectify a user (whose IP is in the DDoS attackers list in MikroTik)?

So again, why don’t you filter on the CGNAT devices? They already have Connection Tracking on, and those rules use “connection-state=new”, so the CPU load should not be noticeable.

What do you mean by “rectify”?..