Hi to everyone and thanks in advance
I’m running several CCR1036 and a couple of 1072, with kinda simple config and some firewall rules
There are a couple rules that i use to limit the number of ssh, telnet, and smtp connections
Time ago, 2 customers of mine were hacked and generating an enourmous amount of telnet connections (+10000 per second), that blocked my entire subnet, so I decided to make some rules to prevent this
The firewall rules looks like this:
/ip firewall filter
--- DROP SMTP CONNECTIONS
add action=drop chain=forward comment="Limite Conexiones: SMTP" connection-limit=30,32 dst-port=25,465 limit=2,5:packet log-prefix="Limite Conexiones: SMTP" protocol=tcp src-address-list=limite_smtp
--- DROP SSH CONNECTIONS
add action=drop chain=forward comment="Limite Conexiones: SSH" connection-limit=30,32 dst-port=22 limit=2,5:packet log-prefix="Limite Conexiones: SSH" protocol=tcp src-address-list=limite_ssh
--- DROP TELNET CONNECTIONS
add action=drop chain=forward comment="Limite Conexiones: Telnet" connection-limit=30,32 dst-port=23 limit=2,5:packet log-prefix="Limite Conexiones: Telnet" protocol=tcp src-address-list=limite_telnet
--- BUILD ADDRESS LISTS FOR THE ABUSIVE TRAFFIC
add action=add-src-to-address-list address-list=limite_smtp address-list-timeout=1d chain=forward comment="Limite Conexiones: SMTP" connection-limit=30,32 dst-port=25,465 limit=2,5:packet protocol=tcp
add action=add-src-to-address-list address-list=limite_ssh address-list-timeout=1d chain=forward comment="Limite Conexiones: SSH" connection-limit=30,32 dst-port=22 limit=2,5:packet protocol=tcp
add action=add-src-to-address-list address-list=limite_telnet address-list-timeout=1d chain=forward comment="Limite Conexiones: Telnet" connection-limit=30,32 dst-port=23 limit=2,5:packet protocol=tcp
Those rules works for me, malicious traffic is blocked but, it blocks my router too.
Yesterday a customer was generating over 5000 smtp connections per second, and the CPU usage on the 1036 went to 99%. Profile shows 50% of the load on the firewall proccess, and the rest on idle. Like only one core was handling the load, and the other 35 cores were doing nothing.
My question is: Is there a way to block this traffic, without blocking the router, distributing the load on all the cores?