DDoS story, or WARNING: use 'conection-limit' with caution!

Probably you have some nat mascared rules in the LAN. So all ip address come from only one host natted. The solution is you
route your LAN and remove the NATs rules, ok?

Regards.

Dear Chupaka…
This cannot put in the Wireless link which before the EOIP…

else, it will drop the EOIP connection as we found today…
seem we should put another access rules in front of this to allow the peer EOIP ip address to skip on this check…

yep, check this: http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
there I added a note about exceptions

Deleted because not related.

One way to not be woken by tech support is to never sleep!

Dobby, the rules above will not match against the behaviour you described. actually, they detect DoS, so each game server will be examined separately. moreover, game server won’t generate dozens of packets on initial connection :slight_smile:

Deleted because not related.

thanks for sharing your concern, but in my example I use ‘forward’ chain - there all addresses are de-NAT-ted, and router knows, which client should receive the packet - there’s no ‘address of the router’ already

main problem I faced is ‘bad’ websites which block HTTP keep-alive connections, and for opening one page with many small pictures user creates about 30-60 TCP connections… but blocking such sites should be avoided by using ‘burst’ in ‘dst-limit’ matcher

p.s. no, at endpoint we use customers’ PCs - we are Ethernet provider :slight_smile:

Hi man, i’ve just added this rule to my MK Router:

/ip firewall filter

add chain=forward connection-state=new action=jump jump-target=block-ddos

and its showing as invalid, any ideas on what should be wrong??

it’s because your ‘block-ddos’ chain is empty. add another rules - and everything will be okay

Hi, sorry for this post, the topic is very old, but:

add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m disabled=yes

What router will write in this list? My local ip what is ddosed now? If i currently have only one active IP, i need this rule?
So for me its working like ‘ddoser’ are blocked from ‘ddosed’ IP, this need only if i have many IPS, but if only one?
Thanks!

daived, if you re-read the first post, you can see that ‘ddosed’ addresses can be not only your local users, but remote hosts (when some botnet is running on your customers’ PCs). also, router’s addresses won’t be detected, as that traffic is in ‘input’ chain of firewall, and my rules catch ‘forward’ traffic

This help a lot to prevent attackers eat my bandwidth fist attack was 100mbps on icmp and UDP (17) and hang my MK.
The rule works properly but after few hours to deploy customer was unable to browse or access to the internet I just add in-interface=ether1 (My ether1 is the wan interface) and problem solve my question is:

Is this is right to add the input interface?
Here is my complete rule:

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=
ddoser

Thanks Chupaca it is a usefull solution.
Karma +1

NumLock, you’d better add in-interface= matcher to the first rule. in your implementation, it blocks only incoming packets, but detects (D)DoS in both directions - probably, unnecessary additional work

Like this: ?

/ip firewall filter

add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no in-interface=ether1 jump-target=detect-ddos

add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s

add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no

add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no

add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=
ddoser

yep, and remove in-interface=ether1 from the last rule

Thanks this help a lot. Over 20,000 IP has been ban. Last configuration work so far so good:

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed src-address-list=ddoser

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no
src-address-list=DOS-Exceptions
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed src-address-list=ddoser

With this rule in blue I can make exceptions?

yes, but you’d better place it as a second rule, not third, so that router doesn’t need to check limits for the traffic that will never be added as a ‘ddoser’ :slight_smile: