DDoS story, or WARNING: use 'connection-limit' with caution!

Sunday and Monday were horrible days…

It was the first time our network became the source of a DDoS attack. TechSupport woke me up at about 13:00 - users were complaining about very slow Internet access with a high packet drop rate. Guess what I did first? Yes, after a few minutes I rebooted the router :slight_smile: And guess what? After the reboot, the picture stayed the same. Even pinging the router's own address (or 127.0.0.1) from the router itself was showing 200-500ms RTT with 50% timeouts.

After about fifteen minutes of searching and trying, I identified that the reason was my firewall filter rules for limiting the number of simultaneous TCP connections per user: they were showing a high rate of dropped packets, and when I disabled them, the router became stable again.

It appeared that some kind of virus or botnet on customers' computers was attacking a single IP address (some Lineage II game server) by creating a huge number of HTTP requests to the host (when I blocked all packets to that server, the filter rule was dropping about 4000 new connections per second). So, when the 'connection-limit' matcher was trying to count a user's active connections a few thousand times per second, it was killing the router completely.

On Monday, the attacked IP addresses changed, so this horror returned :slight_smile: After a dozen minutes I came to this solution:

/ip firewall filter
# every new forwarded connection is first checked in the block-ddos chain
add chain=forward connection-state=new action=jump jump-target=block-ddos
# new connections from a listed attacker to a listed victim are dropped
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
# up to 50 new connections/s (burst 50) per src/dst pair is normal: leave the chain
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
# anything above that limit lands both ends in dynamic lists for 10 minutes
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

It dynamically creates two address lists: attackers ('ddoser') and attacked hosts ('ddosed'), and blocks packets from the former to the latter. Works like a charm =)

Hope this will help somebody protect their routers from flooding…
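To make the behaviour of the rule set above concrete, here is an added example (not part of the original post and not RouterOS code) that replays constructed new-connection events through the same two-step logic in Python. The dst-limit matcher is modelled as a per-(src, dst) token bucket with rate 50/s and burst 50, which is an assumed simplification of how RouterOS implements it; the 10-minute address-list timeout is modelled as a per-entry expiry. All addresses, timestamps and the 200-connection burst are constructed for the example.

```python
"""Replay of the block-ddos logic over constructed connection events (added example).

Models RouterOS `dst-limit=50,50,src-and-dst-addresses/10s` as a per-(src, dst)
token bucket (rate 50 new connections/s, burst 50). A pair that overruns the
bucket lands both addresses in 'ddoser'/'ddosed' with a 10-minute expiry, after
which new connections from a listed source to a listed destination are dropped.
The token bucket is an assumed approximation of the RouterOS matcher.
"""

RATE = 50            # dst-limit count per second
BURST = 50           # dst-limit burst
LIST_TIMEOUT = 600   # address-list-timeout=10m, in seconds


class PairLimiter:
    """Token bucket keyed on (src, dst), like dst-limit mode src-and-dst-addresses."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # (src, dst) -> (tokens, last_seen)

    def within_limit(self, key, ts):
        tokens, last = self.buckets.get(key, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, ts)
            return True          # matches dst-limit -> action=return
        self.buckets[key] = (tokens, ts)
        return False             # falls through to add-*-to-address-list


class AddressLists:
    """The two dynamic address lists with per-entry expiry."""

    def __init__(self, timeout=LIST_TIMEOUT):
        self.timeout = timeout
        self.ddoser = {}   # src -> expiry timestamp
        self.ddosed = {}   # dst -> expiry timestamp

    def add(self, src, dst, ts):
        self.ddoser[src] = ts + self.timeout
        self.ddosed[dst] = ts + self.timeout

    def blocked(self, src, dst, ts):
        return self.ddoser.get(src, 0) > ts and self.ddosed.get(dst, 0) > ts


def filter_new_connections(events):
    """Run each (ts, src, dst) new-connection event through the two forward rules.

    Returns (dropped_count, AddressLists)."""
    limiter = PairLimiter()
    lists = AddressLists()
    dropped = 0
    for ts, src, dst in events:
        # Rule 1: jump block-ddos. Under the limit -> return; over -> list both ends.
        if not limiter.within_limit((src, dst), ts):
            lists.add(src, dst, ts)
        # Rule 2: drop a new connection from a listed source to a listed destination.
        if lists.blocked(src, dst, ts):
            dropped += 1
    return dropped, lists


def sample_events():
    """Constructed traffic: one infected host bursting 200 connections at a game
    server, one normal user opening 20, then the infected host again after the
    10-minute timeout has expired (documentation address ranges only)."""
    bot, target = "10.0.0.5", "203.0.113.7"
    user, site = "10.0.0.9", "198.51.100.20"
    events = [(100.0, bot, target) for _ in range(200)]
    events += [(100.0, user, site) for _ in range(20)]
    events.append((100.0 + LIST_TIMEOUT + 1, bot, target))
    return events


if __name__ == "__main__":
    dropped, lists = filter_new_connections(sample_events())
    print("dropped:", dropped)              # 150: burst of 200 minus the 50-token bucket
    print("ddoser:", sorted(lists.ddoser))  # ['10.0.0.5']
    print("ddosed:", sorted(lists.ddosed))  # ['203.0.113.7']
```

The first 50 connections of the burst pass the bucket, the remaining 150 are dropped, the normal user is never listed, and the bot's connection after the timeout is allowed again because both list entries have expired. RATE and BURST are plain constants so the threshold can be raised for a gateway where one NAT address legitimately opens many connections to one destination.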

That is nice,
thanks for sharing.

+1 for a detection based solution rather than just blocking ports.

Hi, I have the same problem, but those scripts do not help me.
All day I have a problem from one IP attacking a whole subnet of 512 IP addresses.
Any idea how to resolve this problem?
The attack is coming from port 50006, TCP protocol.
Thanks
(attached screenshot: 115.235.184.5.jpg)

You shouldn’t bump really old threads, it’s considered bad forum etiquette.

That aside, since all of your issues are from a single address, simply create a rule to drop all traffic from that IP.

I looked up the source IP in a security database and it’s a frequent offender for attacking networks. I always prefer a detection based solution but in your situation I’d block that IP at the edge of my network.

Now it's happening again, any solutions, please?

No one will be able to help unless you post detailed information about the traffic. The most helpful thing would be to do a packet capture of the traffic and post it.

If the attack address shifted then the alternate approach would be to create a queue rule to throttle the traffic down to a trickle. Most automated attack tools won’t shift if the connections are still open.

Select 'Protocol' and 'Port'; there's not much info to help you. What port of 115.238.184.5 is attacked?

Are you dropping invalid connections in the firewall filter?

Protocol is TCP, source IP 115.238.184.5, source port 50006.
When that happens I have traffic on almost all public IPs in the /23 subnet, around 360kbps per IP,
and upload on my network is 90-150Mbps.

So the traffic is from 109.175.20.0/24 to 115.238.184.5:50006 - what are those addresses? Is there some service at 115.238.184.5:50006?

109.175.20.0/23 is my network, the attack is coming from 115.238.184.5 port 50006, protocol TCP.

According to your screenshot, it's your network that attacks 115.238.184.5:50006 (without any response, btw).

@Chupaka

++1

Thx

The Tech Support woke you up at 13:00, so cruel indeed! :open_mouth:

Anyway, thanks for sharing your experience with us, Chupaka!

well, maybe better English version would be “at 13:00 a.m.” :smiley:

I tested those settings and I get between 2000-5000 addresses in the lists as ddosed or ddoser.
I have about 600 users, all connected via PPPoE.
Is it a normal thing or is something wrong?

Thanks in advance,


Thanks for sharing your knowledge and experience .

Is everything else working normally? Are the 'ddoser's your addresses, or some Internet ones?

I hope that I have good feedback, so everything else looks fine. Right now I have about 540 PPPoE connections and 1600 ddosers in the list, all Internet addresses except two of them that are mine.
Also I have a rule before this that limits the number of TCP connections to 150 per user.