Probably you have some nat mascared rules in the LAN. So all ip address come from only one host natted. The solution is you
route your LAN and remove the NATs rules, ok?
Regards.
Probably you have some nat mascared rules in the LAN. So all ip address come from only one host natted. The solution is you
route your LAN and remove the NATs rules, ok?
Regards.
Dear Chupaka…
This cannot put in the Wireless link which before the EOIP…
else, it will drop the EOIP connection as we found today…
seem we should put another access rules in front of this to allow the peer EOIP ip address to skip on this check…
yep, check this: http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
there I added a note about exceptions
Deleted because not related.
One way to not be woken by tech support is to never sleep!
Dobby, the rules above will not match against the behaviour you described. actually, they detect DoS, so each game server will be examined separately. moreover, game server won’t generate dozens of packets on initial connection ![]()
Deleted because not related.
thanks for sharing your concern, but in my example I use ‘forward’ chain - there all addresses are de-NAT-ted, and router knows, which client should receive the packet - there’s no ‘address of the router’ already
main problem I faced is ‘bad’ websites which block HTTP keep-alive connections, and for opening one page with many small pictures user creates about 30-60 TCP connections… but blocking such sites should be avoided by using ‘burst’ in ‘dst-limit’ matcher
p.s. no, at endpoint we use customers’ PCs - we are Ethernet provider ![]()
Hi man, i’ve just added this rule to my MK Router:
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
and its showing as invalid, any ideas on what should be wrong??
it’s because your ‘block-ddos’ chain is empty. add another rules - and everything will be okay
Hi, sorry for this post, the topic is very old, but:
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m disabled=yes
What router will write in this list? My local ip what is ddosed now? If i currently have only one active IP, i need this rule?
So for me its working like ‘ddoser’ are blocked from ‘ddosed’ IP, this need only if i have many IPS, but if only one?
Thanks!
daived, if you re-read the first post, you can see that ‘ddosed’ addresses can be not only your local users, but remote hosts (when some botnet is running on your customers’ PCs). also, router’s addresses won’t be detected, as that traffic is in ‘input’ chain of firewall, and my rules catch ‘forward’ traffic
This help a lot to prevent attackers eat my bandwidth fist attack was 100mbps on icmp and UDP (17) and hang my MK.
The rule works properly but after few hours to deploy customer was unable to browse or access to the internet I just add in-interface=ether1 (My ether1 is the wan interface) and problem solve my question is:
Is this is right to add the input interface?
Here is my complete rule:
/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=
ddoser
Thanks Chupaca it is a usefull solution.
Karma +1
NumLock, you’d better add in-interface= matcher to the first rule. in your implementation, it blocks only incoming packets, but detects (D)DoS in both directions - probably, unnecessary additional work
Like this: ?
/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed in-interface=ether1 src-address-list=
ddoser
yep, and remove in-interface=ether1 from the last rule
Thanks this help a lot. Over 20,000 IP has been ban. Last configuration work so far so good:
/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed src-address-list=ddoser
/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new
disabled=no in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no
dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos comment=DOS-Exceptions disabled=no
src-address-list=DOS-Exceptions
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=
1w chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new
disabled=no dst-address-list=ddosed src-address-list=ddoser
With this rule in blue I can make exceptions?
yes, but you’d better place it as a second rule, not third, so that router doesn’t need to check limits for the traffic that will never be added as a ‘ddoser’ ![]()